The Sitecore security model has not changed substantially since Sitecore 4. And yet I still find myself struggling every time I have to set up a website that require login, or where users require special access rights to parts of the content.
As always, Sitecore provides you with a platform, not the solution. This gives you the flexibility to choose the setup that’s right for you. So this article gives you the hints you might need to set up your own protected website.
SETUP: HOW TO ENFORCE LOGIN ON YOUR SITE
Enforcing login is done in the <sites> section of your Sitecore.config:
<site name="website"
rootPath="/sitecore/content/*******"
startItem="/Frontpage"
loginPage="/Login"
requireLogin="true"
...
...
</site>
The loginPage determines the path to the login page, and the requireLogin=true determines that the site is not accessible at all without login. Set requireLogin to false, but keep a path to the loginpage if only some pages are protected using a login.
REMEMBER: Your login page cannot have special rights. Everyone needs to have access to the login page.
CASE 1: EVERYONE WITH THE RIGHT LOGIN HAS ACCESS TO EVERYTHING
In this case, all you need is to set requireLogin=true, and set loginPage=[some login form], and you are all set.
This happens because Sitecore have per default given “Everyone” read access to the entire Sitecore solution. “Everyone” is a system role that describes every user.
Role Everyone Has Access to Everything
CASE 2: NOT EVERYONE HAS ACCESS TO EVERYTHING
If a section of your website require a certain role to be access, you need to:
- Tell Sitecore that “Everyone” does not have access.
- Give read access to the specific role.
In this example, I break the “Everyone” inheritance by introducing a system folder:
Special Roles Are Required Below this Folder
On the “profile” folder, I deny read access for “Everyone“, both for the folder and all descendants.
Everyone Denied on the Profile Folder
Then, for each item, I specify which roles have read access:
Roles Per Item
MORE TO READ:
- Setting up Security on Languages in Sitecore 6 (applies to Sitecore 7, 8 and 9 as well) by briancaos
- Security and administration from doc.sitecore.net
- Sitecore Users and C# by briancaos
