Permissions and UI elements
Permissions for the whole system can be managed in one place in the Administration interface. They are role based – you cannot assign specific permissions to a user directly, you always need to assign the user to a role and then give the role certain permission(s). There are two types of permissions:
- Functional (permissions) - the permission check is performed when the user attempts an action. If the action is not permitted, the action is refused and an error message is shown in the interface.
- Visual (UI elements) - the permission check is performed while the page is rendered. If a certain action is not available to the user, the corresponding action button/link is not rendered, so the user does not see it in the interface.
There are two standard permissions – read and modify (manage). Many modules also have their own specific set of permissions for finer granularity or for handling special scenarios. For example, the Users module has the special permission “Manage user roles”, which allows members of a given role to add users to, or remove users from, roles.
To allow roles to modify documents and other parts of the system, you need to assign them both the read and manage permissions.
If you assign only the manage permission to a role, then this role will not be allowed to view the specified pages.
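The following is an added example, not code from Kentico CMS, that models the role-based checks described above: permissions are attached to roles rather than users, a role belongs to one site, a visual (UI element) check decides at render time which action links appear, and a functional check refuses an action after it is requested. The class and function names (Role, User, is_authorized, render_actions, perform_action) and the ACTIONS table are assumptions made for this illustration.

```python
"""Toy model of role-based permission checks (added example, not Kentico code).

Assumed names: Role, User, is_authorized, render_actions, perform_action, ACTIONS.
"""
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Role:
    name: str
    site: str                 # a role belongs to exactly one site (N:1)
    permissions: frozenset    # pairs such as ("Users", "Read"), ("Users", "Manage")


@dataclass
class User:
    name: str
    roles: set = field(default_factory=set)   # a user can hold many roles (N:M)


def is_authorized(user, site, module, permission):
    """A user is permitted only through a role on the given site that carries
    the (module, permission) pair; nothing is ever granted to the user directly."""
    return any(
        role.site == site and (module, permission) in role.permissions
        for role in user.roles
    )


# Assumed table: each UI action of a module and the permission it requires.
ACTIONS = {
    "Users": {
        "view": "Read",
        "edit": "Manage",
        "delete": "Manage",
        "assign role": "Manage user roles",
    },
}


def render_actions(user, site, module):
    """Visual check (UI element), run while rendering: without Read the page
    is not shown at all, so no action links are rendered."""
    if not is_authorized(user, site, module, "Read"):
        return []
    return [action for action, needed in ACTIONS[module].items()
            if is_authorized(user, site, module, needed)]


def perform_action(user, site, module, action):
    """Functional check, run when the action is requested. Modifying requires
    both Read and the action's own permission, so a role with Manage alone
    is refused here as well as being unable to view the page."""
    needed = ACTIONS[module][action]
    if not (is_authorized(user, site, module, "Read")
            and is_authorized(user, site, module, needed)):
        raise PermissionError(f"{user.name} may not {action} in {module}")
    return f"{action} ok"


# Constructed sample data: one site, three roles, three users.
SITE = "CorporateSite"
READERS = Role("Readers", SITE, frozenset({("Users", "Read")}))
EDITORS = Role("Editors", SITE, frozenset({("Users", "Read"), ("Users", "Manage")}))
MANAGE_ONLY = Role("ManageOnly", SITE, frozenset({("Users", "Manage")}))

alice = User("alice", {EDITORS})
bob = User("bob", {MANAGE_ONLY})   # Manage without Read: cannot even view the module
carol = User("carol", {READERS})

if __name__ == "__main__":
    print(render_actions(alice, SITE, "Users"))   # ['view', 'edit', 'delete']
    print(render_actions(bob, SITE, "Users"))     # []  (no Read, page hidden)
    print(render_actions(carol, SITE, "Users"))   # ['view']
```

Note that the visual check only hides links; the functional check is what actually refuses a request that reaches the server, which is why both kinds of check exist.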
There are also modules, for example the Forum module, where you can specify a special set of permissions directly in the module’s configuration and even from the live site. It is assumed that these modules will be managed directly by Authenticated users who don’t have access to the Administration interface (CMS Desk).
Be careful when assigning permissions, as some permissions can have other security implications. For example, you should assign the Manage user roles permission (from the Users module) only to a role with properly instructed users.
Each user can belong to any number of roles; the user–role relationship is N:M. Roles are related N:1 to sites: every role belongs to exactly one site.
You can learn how to manage roles in the Role management topic.
Memberships group existing roles together, forming another security layer. Memberships are intended to be used mainly in the E-commerce module.
You can learn how to manage memberships in the Managing memberships topic.
Access control lists (ACL)
Every document (page) created in Kentico CMS has its own access control list (ACL). In this list you can specify which roles are permitted to read, modify, create, delete or destroy (delete permanently) the current document or its child documents.
You can learn how to work with ACLs in the Document-level permissions topic.
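The following is an added example, not code from Kentico CMS, that models a per-document ACL with the five operations named above (read, modify, create, delete, destroy). The Document class, the can() function and the inheritance rule used here (a document without its own ACL falls back to the nearest ancestor that has one) are assumptions made for this illustration.

```python
"""Toy model of per-document access control lists (added example, not Kentico code).

Assumed names: Document, can, permitted_operations, OPERATIONS; the
parent-fallback rule is an assumption of this example.
"""
from dataclasses import dataclass
from typing import Optional

OPERATIONS = ("read", "modify", "create", "delete", "destroy")


@dataclass
class Document:
    path: str
    parent: Optional["Document"] = None
    # role name -> set of permitted operations; None means "no own ACL"
    acl: Optional[dict] = None

    def effective_acl(self):
        """Walk up the tree to the nearest document that defines an ACL."""
        node = self
        while node is not None:
            if node.acl is not None:
                return node.acl
            node = node.parent
        return {}   # no ACL anywhere in the chain: nothing is permitted


def can(role_names, document, operation):
    """True if any of the user's roles is granted the operation on the document."""
    if operation not in OPERATIONS:
        raise ValueError(f"unknown operation {operation!r}")
    acl = document.effective_acl()
    return any(operation in acl.get(role, ()) for role in role_names)


def permitted_operations(role_names, document):
    """All operations the given roles may perform on the document, in ACL order."""
    return [op for op in OPERATIONS if can(role_names, document, op)]


# Constructed sample tree: /Home has an ACL, /Home/News inherits it,
# /Home/News/Archive overrides it with a more restrictive list.
home = Document("/Home", acl={
    "Editors": {"read", "modify", "create", "delete"},
    "Readers": {"read"},
})
news = Document("/Home/News", parent=home)
archive = Document("/Home/News/Archive", parent=news, acl={
    "Editors": {"read"},
    "Administrators": set(OPERATIONS),
})

if __name__ == "__main__":
    print(permitted_operations({"Editors"}, news))      # ['read', 'modify', 'create', 'delete']
    print(permitted_operations({"Editors"}, archive))   # ['read']
    print(can({"Readers"}, archive, "read"))            # False
```

Because the check is evaluated against the union of the user's roles, adding a user to a broadly privileged role widens their reach on every document whose ACL names that role, which is the same reason the page advises care when assigning roles.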
The special permissions include Edit ASCX code, Edit SQL code and Edit SQL queries; their settings influence whether a privilege elevation attack is possible. Find more information in the Special permissions topic.