Security is always necessary in business. Whether it is locking up at night, limiting access to the petty cash to those who work in Accounts, or putting a card reader on the door, we all feel better knowing who can do what. It’s the same with websites and their administration area. Obviously, you don’t want every user to be able to log in and edit something on the site, and you may want to limit certain areas of the site to members you trust. Kentico uses two settings to allow us (and you) to create specific permissions on your site.
Kentico uses a privilege level and the Roles module to manage what a user can and can’t do. There are 4 levels of privilege: None (these are your site users), Editor (users who can access the admin area), Administrators (can do most things to a site) and Global Administrator (usually reserved for us, as it has access to the Kentico instance and all the sites installed on it). A user can only ever have one privilege level, but it can belong to multiple roles on the site.
Roles use 2 other modules to restrict what the user can do, the Permissions and UI Personalisation modules.
Permissions are defined at the module level. Each module has its own set of permissions, and a role can allow (or disallow) each of the actions they cover within that module. For example, the Forms module has 9 permissions: Read form, Create form, Edit form, Delete form including data, Read data, Edit data, Delete data, Destroy form, and Edit SQL Queries. One of the roles we have created only has the permissions to read a form, create a new form, edit an existing form and read the data collected from a form. As a side note, users with administrator privileges or better automatically have all the permissions.
UI Personalisation allows us to fine-tune exactly what our users can see in the admin panel: not just hiding whole modules from a user, but even disabling individual buttons. The UI elements form a hierarchy, and this matters for what the user can see: if the root element of the hierarchy is left out, the user cannot even see the main admin screen.
An example of how we have used a mix of Permissions and UI Personalisation to give a client a feature they require is allowing users to change the template of an existing page. To do this, the user needs the Design Website permission inside the Design module. However, this would usually also allow them to edit the template itself from the Design tab in the Pages module, which we do not want to give our clients access to, as it would affect every page that uses that template. We therefore disable the specific UI options: we uncheck the Design option and various other boxes (see picture above). This allows the user to change which template an existing page uses while preventing them from modifying the template.
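The rules in the last three paragraphs (one privilege level per user, any number of roles, roles carrying per-module permissions, administrators bypassing those permissions, and a UI hierarchy that hides everything below a missing root) can be written down as a small authorisation model. The block below is an added, constructed example and is not Kentico's own API or code; the module names, the UI element paths such as ("CMS", "Pages", "Design") and the two role definitions are assumptions made up to mirror the Forms and template-switching examples above.

```python
"""Model of the Kentico-style authorisation rules described in the text.

Constructed example, not Kentico's own API: a user has exactly one privilege
level and any number of roles; roles grant per-module permissions and the UI
elements a user may see; administrators and above bypass module permissions.
"""
from dataclasses import dataclass, field
from enum import IntEnum


class PrivilegeLevel(IntEnum):
    """The four privilege levels, ordered so that >= comparisons work."""
    NONE = 0                  # plain site users
    EDITOR = 1                # may enter the admin area
    ADMINISTRATOR = 2         # gets every module permission automatically
    GLOBAL_ADMINISTRATOR = 3  # whole instance, all sites


# The nine Forms-module permissions listed in the text.
FORMS_PERMISSIONS = frozenset({
    "Read form", "Create form", "Edit form", "Delete form including data",
    "Read data", "Edit data", "Delete data", "Destroy form", "Edit SQL Queries",
})


@dataclass
class Role:
    name: str
    # module name -> set of permission names granted by this role
    permissions: dict = field(default_factory=dict)
    # UI element paths (root first) this role may see; assumed names
    ui_elements: frozenset = frozenset()


@dataclass
class User:
    name: str
    privilege: PrivilegeLevel
    roles: list  # many roles allowed, but only one privilege level


def is_authorized(user: User, module: str, permission: str) -> bool:
    """Module permission check: admins and above bypass role permissions."""
    if user.privilege >= PrivilegeLevel.ADMINISTRATOR:
        return True
    if user.privilege == PrivilegeLevel.NONE:
        return False  # site users never act inside the admin area
    return any(permission in role.permissions.get(module, ()) for role in user.roles)


def can_see_ui(user: User, path: tuple) -> bool:
    """UI personalisation: an element is visible only if it and every ancestor
    up to the root are enabled for at least one of the user's roles."""
    if user.privilege >= PrivilegeLevel.ADMINISTRATOR:
        return True
    visible = set()
    for role in user.roles:
        visible |= role.ui_elements
    return all(path[:i] in visible for i in range(1, len(path) + 1))


# Role with four of the nine Forms permissions, as in the text.
FORM_EDITOR = Role(
    name="Form editor",
    permissions={"Forms": {"Read form", "Create form", "Edit form", "Read data"}},
    ui_elements=frozenset({("CMS",), ("CMS", "Forms")}),
)

# Design Website permission, but the Pages > Design tab is left unchecked.
TEMPLATE_SWITCHER = Role(
    name="Template switcher",
    permissions={"Design": {"Design Website"}},
    ui_elements=frozenset({
        ("CMS",), ("CMS", "Pages"),
        ("CMS", "Pages", "Properties"), ("CMS", "Pages", "Properties", "Template"),
        # ("CMS", "Pages", "Design") deliberately omitted
    }),
)

# Misconfigured role: the root element is missing, so nothing is reachable.
NO_ROOT = Role(name="Broken", ui_elements=frozenset({("CMS", "Forms")}))

client = User("client", PrivilegeLevel.EDITOR, [FORM_EDITOR, TEMPLATE_SWITCHER])
admin = User("admin", PrivilegeLevel.ADMINISTRATOR, [])
broken = User("broken", PrivilegeLevel.EDITOR, [NO_ROOT])


def demo_admin_area() -> dict:
    """Evaluate the model against the constructed users above."""
    return {
        "client_reads_form": is_authorized(client, "Forms", "Read form"),
        "client_edits_sql": is_authorized(client, "Forms", "Edit SQL Queries"),
        "client_has_design_website": is_authorized(client, "Design", "Design Website"),
        "client_sees_template": can_see_ui(client, ("CMS", "Pages", "Properties", "Template")),
        "client_sees_design_tab": can_see_ui(client, ("CMS", "Pages", "Design")),
        "admin_edits_sql": is_authorized(admin, "Forms", "Edit SQL Queries"),
        "broken_sees_forms": can_see_ui(broken, ("CMS", "Forms")),
    }


if __name__ == "__main__":
    for check, result in demo_admin_area().items():
        print(f"{check}: {result}")
```

The two checks are deliberately separate: a permission decides whether an action is allowed by the module, while UI visibility decides whether the user is shown a way to trigger it. Hiding the Design tab does not remove the Design Website permission, which is exactly why both have to be configured together as the paragraph above describes.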
As part of our work to create a solid foundation for all of our Kentico sites, I have created a set of Kentico roles that we give to our clients to allow them access to specific areas of the admin panel. We have a standard role which has access to every area we would normally give our clients when using the roles that come installed with a new site. I have also created area-specific roles which only allow users into certain parts of the site: the Editor role is given to those who manage the content of the site pages; the E-Commerce role gives the user access to all the shop modules, allowing them to edit products, manage orders and create new promotions and discounts; and the User Manager role is given to those who need to manage the roles and permissions of users on the site. The set of roles I have created has been added to the web template we use to create all our new sites, but we do not have to limit our clients to these.
All the examples I have given so far have focused mainly on the administration side of Kentico, but these permissions and roles can also be used in areas that the public will see. You may have a members area on the site that only those who have signed up can see. Do you want a premium section on the site? You can have a role for this, and also set up a trial period where a user holds that role for a set amount of time. With the customisation and options available in Kentico, it is possible to be even more specific with the permissions we can provide to our clients.
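The public-side use just described, a members area and a premium section unlocked by a trial role that lapses after a set time, comes down to one question: does the visitor hold a required role right now? The block below is an added, constructed example and not Kentico's own code; the section names, role names and the 14-day trial length are assumptions. It shows the part that is easy to get wrong, the expiry comparison itself.

```python
"""Constructed example (not Kentico's own API) of time-limited role
membership gating a public section: a trial role grants access to the
premium section until its expiry, compared in UTC."""
from datetime import datetime, timedelta, timezone


def grant_trial(memberships: dict, role: str, now: datetime, days: int) -> None:
    """Record that the user holds `role` until now + days.
    A value of None in `memberships` means the role never expires."""
    memberships[role] = now + timedelta(days=days)


def has_active_role(memberships: dict, role: str, now: datetime) -> bool:
    """A role counts only while its expiry (if any) is still in the future;
    at the exact expiry instant it is already inactive."""
    if role not in memberships:
        return False
    expires = memberships[role]
    return expires is None or now < expires


def can_view(section_roles: dict, section: str, memberships: dict, now: datetime) -> bool:
    """Public-site gating: a section is visible if any of its required roles is active.
    Sections with no entry are unrestricted."""
    required = section_roles.get(section)
    if not required:
        return True
    return any(has_active_role(memberships, r, now) for r in required)


# Assumed section -> roles that unlock it (either a paid or a trial role).
SECTION_ROLES = {"members": {"Member"}, "premium": {"Premium", "PremiumTrial"}}


def demo_public_site() -> dict:
    """Constructed user: permanent Member plus a 14-day PremiumTrial from 2024-01-01."""
    start = datetime(2024, 1, 1, tzinfo=timezone.utc)
    user = {"Member": None}  # permanent membership
    grant_trial(user, "PremiumTrial", start, days=14)
    return {
        "anonymous_members": can_view(SECTION_ROLES, "members", {}, start),
        "anonymous_home": can_view(SECTION_ROLES, "home", {}, start),
        "day_1_premium": can_view(SECTION_ROLES, "premium", user, start + timedelta(days=1)),
        "day_14_premium": can_view(SECTION_ROLES, "premium", user, start + timedelta(days=14)),
        "day_20_members": can_view(SECTION_ROLES, "members", user, start + timedelta(days=20)),
    }


if __name__ == "__main__":
    for check, result in demo_public_site().items():
        print(f"{check}: {result}")
```

Both timestamps are timezone-aware so the comparison cannot silently mix server-local and UTC values, and the boundary is exclusive: on the fourteenth day the trial is over, not still running.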