The security model consists of:
- users (shared among websites)
- roles (defined for websites or globally for all sites in the system)
- memberships (collections of roles that can be assigned to users)
- module permissions (permissions for specific features in Kentico)
- document permissions (ACLs, and content and document type permissions)
- UI personalization (hiding components of the user interface)
Relationships between users, roles and permissions
The following figure shows how users are assigned to roles and how permissions for documents and applications are granted to users and roles:
Users can be members of any number of roles. Permissions for particular documents (pages) can be granted to users directly. If you want to grant module permissions to a user, you need to make the user a member of a role, and grant the permissions to the role.
Each user has a privilege level that controls access to the administration interface and, for administrator levels, can override permission requirements.
Roles in Kentico are fully customizable. You are not limited to a predefined set of roles. Instead, you can define your own roles with custom sets of permissions.
If a user is a member of multiple roles, their permissions for modules are calculated as a sum of all permissions granted to all roles.
If permissions for documents in the Kentico repository are granted to both a user and their roles, document permissions are calculated as a sum of all permissions granted to the user and to all roles. If you deny a document permission for a user or one of their roles, then the result is always "denied" for the given permission, even if some of the roles are allowed to perform the action.
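The two calculation rules above can be modeled in a few lines. The following is an added example, not Kentico code or its API: the data structures, the function names and the sample role, module and permission names are all assumptions made for illustration. It also reports allows that a deny on another principal cancels out, which is the usual reason an expected grant has no effect.

```python
from dataclasses import dataclass, field

@dataclass
class Role:
    name: str
    module_perms: set = field(default_factory=set)  # (module, permission) pairs

@dataclass
class User:
    name: str
    roles: list = field(default_factory=list)

def module_permissions(user):
    """Module permissions are granted to roles only: union over the user's roles."""
    return set().union(*(r.module_perms for r in user.roles))

def principals(user):
    """The user plus every role they belong to, as (kind, name) keys."""
    return [("user", user.name)] + [("role", r.name) for r in user.roles]

def document_permissions(user, acl):
    """acl maps (kind, name) -> {"allow": set, "deny": set} for one document.
    Result: sum of all allows, minus anything denied for the user or any role."""
    allowed, denied = set(), set()
    for p in principals(user):
        entry = acl.get(p, {})
        allowed |= entry.get("allow", set())
        denied |= entry.get("deny", set())
    return allowed - denied

def shadowed_allows(user, acl):
    """Permissions that one principal allows but another denies, mapped to the
    denying principals. Helps explain why an expected grant has no effect."""
    out = {}
    for p in principals(user):
        for perm in acl.get(p, {}).get("deny", set()):
            if any(perm in acl.get(q, {}).get("allow", set()) for q in principals(user)):
                out.setdefault(perm, []).append(p)
    return out

# Constructed sample data (role, module and permission names are illustrative).
editors = Role("Editors", {("Content", "Read"), ("Content", "Modify")})
reviewers = Role("Reviewers", {("Forms", "Read")})
alice = User("alice", [editors, reviewers])
page_acl = {
    ("user", "alice"): {"allow": {"Read"}},
    ("role", "Editors"): {"allow": {"Modify", "Delete"}},
    ("role", "Reviewers"): {"deny": {"Delete"}},
}

if __name__ == "__main__":
    print(sorted(module_permissions(alice)))
    print(sorted(document_permissions(alice, page_acl)))
    print(shadowed_allows(alice, page_acl))
```

In the sample, the Editors role allows Delete on the page, but the deny on Reviewers removes it from the user's effective document permissions.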