EPiServer – Security and Access Control (1/2)

EPiServer CMS is using the standard methods in ASP.NET to handle authentication and authorization. On top of this they have added a few providers to handle authentication and access control to EPiServer assets like pages and files uploaded by editors.

qual ÃÃÂÂÂ% Make sure that you read up on how the authentication, location and authorization-tags works in web.config before you try to understand security in EPiServer CMS.

Check list for ASP.NET security

Select Security PROVIDERS

Select the right providers for your site:

TIPS – IF you Can not login with your Windows Account

EPiServer

WindowsRoleProvider uses queries that only retrieve a list of groups you are a member of directly. It does not discover if you indirectly are a member of group through another group.

This is quite annoying and and AD-admin get something sad in their eyes if you suggest that you should not use groups in groups.

Workaround this by creating a local group on the web server and add the AD group that is using groups in groups. http://avlo.be/index.php?Itemid=63 trader ob WindowsRoleProvider will see that you are a direct member of the local group.

This technique can also be useful if a lot of different AD-groups should have the same access in EPiServer. The reason is that EPiServer stores one row in a table for each access control entry for each EPiServer page and directory in VPP.

It could simplify your web.config if you do not have to maintain a long list group names for edit and admin mode access. (EPiServer 6 has a new feature that takes care of this.)

Break in to an EPiServer site

Forgot the password? Only got ftp-access? Do not worry, as long as you have the right to change web.config you can always break in!

You need to comment out all “<deny users="*" />” in web.config and then it is possible to access edit and admin mode without authentication.

I suggest that you reset your password or create a new account in admin mode and turn on security as fast as possible!

Notice that you must login to be able to edit pages.

Access Rights for pages and uploaded files

image EPiServer has the following Access Rights that can be set per page. You can also set access right for files in the File Manager.

  • Read – Let’s you see the page or download the file.
  • Create – Allows you to create child pages that will inherit the same ACL as the parent, upload new files or create directories.
  • Change – Allows you to save a new version of a page and mark it ready to publish. You can also check in a new version of an existing files.
  • Delete – Allows you to move a page to the wastebasket or delete it permanently. You can delete files and directories.
  • Publish – Allows you to change and publish pages. Not applicable on files.
  • Administer – Allows you to change the ACL for this page or directory as an editor and change dynamic properties on this page (and indirectly all children)

Users with access to admin mode can always change access control lists and do not need Administer right.

imageNotice that you can only set Access Rights per directory and not on individual files.

Page Files are special. Each page can have its own page folder and files uploaded to this directory have the same availability as the page. So if the page is not publish – no one can access the files in the page folder except editors. Very convenient since scheduled publishing also affects the files!

The same happens when the page is moved to the waste basket. No one can access the files in the page folder than editors. This is a common cause for broken images and links to document when editors copy and paste pages. If you delete the original page, no one can access the images its page folder!

Tips for Access Right configuration

If you follow these guidelines it will be much easier to administer access.

  • Avoid giving users access rights directly. Always add roles (groups) and make users members of these instead.
  • Never give WebEditors group any access rights (except on small sites where you are not going to use Access Rights at all). This roles is intended as a master switch if you have access to edit mode or not.
  • Give the virtual role “Creator” the right to change and delete pages if you setup a site with writers and an editors-in-chief that publish pages. It will save a lot of maintenance work when writers makes mistakes.
  • Using role names with both location and role will simplify when you administer who is a member of what, i.e. pressrelease_writer, pressrelease_publisher, startpage_editor, article_writer, blog_admin