Setting up Sitecore Roles in a Multisite Environment

Prevent yourself from maintenance hell

If you run several websites in one Sitecore instance and need to separate the users of those sites from each other, here’s what we did.

What’s the requirement?

On the one hand you need to distinguish users between sites, so that a user only has access to the sites he has been given permission for. On the other hand you may have different types of users (different functional permissions).

Let’s say we have 4 Websites.

And you have the requirement to give a certain group of users the following rights:

As you also have to maintain the different users, you want to work with roles and not assign rights directly to users. You also want to keep the number of roles to a minimum.

Concept

Some example calculations:

Concept 1: Creating one role per access and functionality (combined) (8 roles total)

Example: DE Content Editor Basic; DE Content Editor Advanced, NL Content Editor Basic, NL Content Editor Advanced,...

 

Concept 2: Creating separate roles and aggregate (14 roles total)

Example: Content Editor Basic; Content Editor Advanced, DE, NL, DE Content Editor Basic; DE Content Editor Advanced, NL Content Editor Basic, NL Content Editor Advanced,...

Concept 3: Creating one role per access and one role per functionality (separated) (6 roles)

Example: Content Editor Basic; Content Editor Advanced, DE, NL, ...


So we decided on Concept 3, with separate roles for access and functionality. This is the easiest to manage, and assigning 2 roles to a user is acceptable. The mentioned disadvantage can be solved by having 2 users.
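The role counts of the three concepts and the limitation of Concept 3 can be checked with a few lines of Python. This is an added example, not part of the original setup: the site codes are placeholders, and it assumes that functional roles apply on every site a user can access, which is why the Paula test case in chapter 11 is marked as failing by design.

```python
# Added example: role counts per concept and an over-grant check for Concept 3.
SITES = ["DE", "AT", "NL", "RO"]   # placeholder codes for the 4 sites
LEVELS = ["Basic", "Advanced"]     # ordered: Advanced is a member of Basic (chapter 5)


def role_counts(n_sites, n_levels):
    """Number of roles to maintain under each concept."""
    combined = n_sites * n_levels
    return {
        "concept 1": combined,                       # one role per site/level pair
        "concept 2": n_sites + n_levels + combined,  # separate roles plus aggregates
        "concept 3": n_sites + n_levels,             # separate roles only
    }


def effective_levels(site_roles, level_roles):
    """Concept 3: the highest functional role applies on every accessible site."""
    top = max(level_roles, key=LEVELS.index)
    return {site: top for site in site_roles}


def over_grants(intended):
    """Sites where Concept 3 yields a higher level than intended.

    'intended' maps site -> level. The account gets one access role per site
    and one functional role per distinct level, as assigned in chapter 6.
    """
    got = effective_levels(intended.keys(), set(intended.values()))
    return {site: level for site, level in got.items()
            if LEVELS.index(level) > LEVELS.index(intended[site])}


if __name__ == "__main__":
    print(role_counts(len(SITES), len(LEVELS)))
    print("Paula:", over_grants({"DE": "Advanced", "AT": "Basic"}))
    print("Klara:", over_grants({"DE": "Advanced", "AT": "Advanced"}))
    # The workaround named above: two accounts, one per site/level pair.
    print("Split:", over_grants({"DE": "Advanced"}), over_grants({"AT": "Basic"}))
```

An empty result means the roles give the account exactly the intended level on each site.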

 

How to set up those roles

Environment: I’m showing this within a clean Sitecore 8.1 Update 3 instance with the PowerShell module and SXA installed. Basically everything I show can also be done in lower Sitecore versions (e.g. 7.2). SXA and the PowerShell module are not really used, but you will see that I organized the sites in a tenant. You don’t have to use a tenant, though.

 

I will create 3 users as an example:

The following steps are explained in the chapters below:

  1. Creating a tenant using SXA
  2. Creating Sites using SXA
  3. Creation of users
  4. Creation of access role
  5. Creation of functional roles
  6. Assign Access and Functional Role to user
  7. Setting up language version restriction roles
  8. Setting up Access Roles in Security Editor
  9. Media Library Access
  10. Marketing Center Access Issues
  11. Review of user rights
  12. SXA Roles

 

1. Creating Tenant

1.1 Create a tenant using the insert options of the Content item in the Content Editor.

1.2 Give the tenant a name. As it groups my local MyBusiness sites, I call it “MyBusiness” ;-)

1.3 After pressing the "OK" button, a script creates all the necessary items. This may take a few minutes. If you see the screen below, everything was done successfully.

 

01-03 Creating Tenant

 

2. Creation of Sites (using SXA)

2.1 Create a site using the insert options of the tenant item.

2.2 Fill in your site name (how the site item will be named), the host (how you want to call the site later in the browser), the virtual folder, and the language. If the needed language is not available, create it first through the Control Panel. Note: When using an SXA theme this can cause issues. This bug is promised to be fixed in SXA version 1.6.

Just so you know: on the Features tab you can select which features will or will not be available on your site. By default all are available.

On the Theme tab you can directly create a new theme that you will later use to change the styling of the site. I recommend creating a theme here directly. Otherwise only the default themes are available. The Wireframe theme will be preselected. In any case, this is not important for the roles ;-) Note: When using SXA themes, don't use dashes in the theme name. Switching the theme in the Experience Editor does not work up to SXA version 1.5. Sitecore has promised to fix that in SXA version 1.6.

On the Grid tab you can choose the CSS library providing the grid. I chose "Bootstrap", but this is also not relevant for the role creation.

2.3 Repeat the site creation steps for all the sites you need.

 

3. Creation of Users

I will create a Dutch test user upfront so I can test my role directly. As you may remember, I wanted to create a couple of users for several test cases.

I will now create only Ruud as a Dutch user. The other users can be created in the same way.

3.1 Open the User Manager from the Launchpad.

3.2 Hit the "New" button in the upper left corner to create a new user.

3.3 Fill in the user attributes. Make sure that the email address is valid, as it will also be used for the Forgotten Password functionality. When you are finished, hit the "Next" button.

3.4 As the roles to be assigned are not yet created, click the "Close" button.

3.5 Repeat those steps to create the users you need.

 

4. Creation of Access Roles

As Access Roles we wanted to create one role per site. As I created 4 sites: 

I will also create 4 roles.

 

4.1 Open the Role Manager from the Launchpad.

4.2 Create a new role.

4.3 Enter a role name. If you will have several tenants and sites, you might want to think about a naming convention so your role names stay unique.

I selected the sitecore domain (default). I'm not very familiar with the domain concept in Sitecore, but I think you can also create a domain per tenant and structure your roles this way. I'm not sure what happens to the role inheritance then.

 

5. Creation of Functional Roles

We wanted to create two functional roles:

As the Editor Advanced should have the same rights as the Editor Basic, we create Editor Basic first so that the Editor Advanced role can inherit from it.

5.1 Basic Editor (without publishing)

5.1.1 Open the Role Manager from the Launchpad (see 4.1).

5.1.2 Press the "New" button (see 4.1).

5.1.3 Type in a role name, e.g. "MyBusiness Editor Basic", and press the "OK" button.

5.1.4 Search for and select your newly created role.

5.1.5 Click the "Member of" button to add Sitecore standard roles to your new role.

5.1.6 In the "Member of" dialog click the "Add" button to select and add roles.

5.1.7 In the "Add an Account" dialog search for "Author" and double-click "sitecore\Author" (the Sitecore standard authoring role).

5.1.8 Back in the "Member of" dialog you can hit the "Close" button.

You have now created the role "MyBusiness Editor Basic" with the capabilities to log in and to create, update and delete content and items in the media library.

 

5.2 Advanced Editor (with publishing)

5.2.1 Open the Role Manager from the Launchpad (see 4.1), if it is not still open.

5.2.2 Press the "New" button (see 4.1).

5.2.3 Type in a role name, e.g. "MyBusiness Editor Advanced", and press the "OK" button.

5.2.4 Search for and select your newly created role.

5.2.5 Click the "Member of" button to add Sitecore standard roles to your new role.

5.2.6 In the "Member of" dialog click the "Add" button to select and add roles.

5.2.7 In the "Add an Account" dialog search for "MyBusiness Editor Basic" and double-click "sitecore\MyBusiness Editor Basic" (the newly created Basic Editor role).

5.2.8 Back in the "Member of" dialog click the "Add" button again to add a further role.

5.2.9 In the "Add an Account" dialog search for "Publish" and double-click the "sitecore\Sitecore Client Publishing" role.

5.2.10 Back in the "Member of" dialog you can hit the "Close" button.

You have created now the Role "MyBusiness Editor Advanced" with the 

 

Please note: Why am I wrapping Sitecore standard roles into custom roles? This may look weird, and in the case we are building it does not make a difference. But as time passes there will be additional requirements for the editors to be able to do this and that, or to restrict access. This way you can easily adjust the rights for the intended group of people in your organisation without changing hundreds of users.

 

6. Assign Access and Functional Role to User

Now that we have at least Ruud as a user, the functional role "MyBusiness Editor Advanced" and the access role "MyBusinessInNetherlands NL", we can assign the roles to the user. We can then log in to Sitecore as Ruud in a separate anonymous browser window in parallel to check the changes we will make next in the Security Editor (see Chapter 8). By the way, the changes applied in the Security Editor are immediately valid in Ruud's user session.

6.1 Open the User Manager from the Launchpad (see 3.1).

6.2 Search for your user, e.g. "Ruud".

6.3 Double-click the user to open the "Edit User" screen.

6.4 Switch to the "Member of" tab and hit the "Edit" button.

6.5 Search for the role you want to assign, e.g. "MyBusinessInNetherlands NL", and double-click the role. It should be shown on the right side as "Selected Role". Afterwards click the "OK" button. Once you are back in the "Edit User" screen, click the "OK" button there as well.

6.6 Also assign the created functional role, e.g. "MyBusiness Editor Advanced", to the user, e.g. "Ruud". This is necessary as you cannot log in to Sitecore without functional roles.

6.7 Repeat those steps if you have created other users and roles you want to assign.

 

7. Setting up Language Specific Roles

7.1 Open the Role Manager from the Launchpad.

7.2 Click the "New" button and enter a role name, e.g. "Language nl NL". I don't add the tenant prefix, as I can reuse this role for any tenant and any site.

7.3 Click "OK" to confirm.

7.4 Select your newly created language role. If it is not shown in the Roles window, search for it. Once it is selected, open the Security Editor.

7.5 In the Security Editor navigate to "System --> Languages".

7.6 Select the "Languages" item and open the "Assign" dialog.

7.7 In the "Assign Security Rights" dialog allow inheritance for the item and deny inheritance for descendants.

7.8 Click OK to confirm. You have now denied all language versions.

7.9 Navigate to "System --> Languages --> nl-NL" and open the "Assign" dialog.

7.10 In the "Assign Security Rights" dialog allow "Read" access for the item.

7.11 Click OK to confirm. You have now granted back the right to work with Dutch language versions.

7.12 Add this newly created role to the site-specific role "MyBusinessInNetherlands NL".

 

 

8. Setting up the Access Roles in Security Editor

As I have already created the Dutch user "Ruud" (see Chapter 3) and assigned the Dutch access role and the functional role to him (see Chapter 6), I will log in with that user in an anonymous browser window to see the results of the changes I make in the Security Editor.

8.0 Basics on the Security Editor:

In the Security Editor you can see and edit the rights on items for a particular role or user. It is best practice not to assign rights directly to users, to keep the system maintainable and to be able to pass the same set of rights on to other users.

Once you select an account (user or role) you can browse the item structure in the content tree and see all the access rights set.

The rights can have three states:

Not selected: The right is not explicitly set. Therefore the default is “access denied”.

Granted explicitly: The right is explicitly granted.

Denied: The right is explicitly denied. Should be avoided.

 

Important to know: If you assign several roles to a user and those roles affect the same items, the security settings are summed up. A “deny” always wins against “granted” or “not selected”.

A “granted” always wins against “not selected”.

“Not selected” is only taken into account if it is not overwritten by other rights.

 

To assign rights you have to select an item and hit the “Assign” button in the ribbon.

For the selected role on the selected item you can grant or deny rights on several levels, e.g. Read, Write, Rename, …

Besides that you have two columns: you grant or deny rights to the item itself and/or to the descendant items.

You can also break inheritance on the item or on the descendants. And this is exactly what we have to do in order to grant and deny rights in a way that they can be summed up with other roles.
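The combination rules above, as an added Python example (a simplified model of the stated rules, not Sitecore's own resolution code): it shows why leaving other sites "not selected" lets site roles be summed, while explicit denies lock out a user who holds two site roles. The DE and AT role names and the item labels are constructed by analogy with the NL role, and the media folder grant for Author is a constructed entry.

```python
# Added example: models only the combination rules stated above,
# not Sitecore's own access resolution.
ALLOW, DENY = "allow", "deny"   # "not selected" is a missing entry

# role -> roles it is a member of (the wrapping set up in chapter 5)
MEMBER_OF = {
    "MyBusiness Editor Advanced": ["MyBusiness Editor Basic",
                                   "Sitecore Client Publishing"],
    "MyBusiness Editor Basic": ["Author"],
}


def expand_roles(assigned):
    """Assigned roles plus every role reached through 'Member of'."""
    seen, todo = set(), list(assigned)
    while todo:
        role = todo.pop()
        if role not in seen:
            seen.add(role)
            todo.extend(MEMBER_OF.get(role, []))
    return seen


def effective(acl, assigned, item, right):
    """Deny beats allow; allow beats not selected; nothing set means denied."""
    states = {acl.get((role, item, right)) for role in expand_roles(assigned)}
    return DENY not in states and ALLOW in states


# Constructed sample data; DE/AT role names follow the NL naming by analogy.
DE_ROLE, AT_ROLE = "MyBusinessInGermany DE", "MyBusinessInAustria AT"
DE_SITE, AT_SITE, MEDIA = "site DE", "site AT", "media folder"

# The page's approach: grant the own site, leave other sites "not selected".
SUMMABLE = {
    (DE_ROLE, DE_SITE, "read"): ALLOW,
    (AT_ROLE, AT_SITE, "read"): ALLOW,
    ("Author", MEDIA, "write"): ALLOW,   # reached only through role nesting
}
# Contrast: isolating the sites with explicit denies instead.
WITH_DENY = dict(SUMMABLE)
WITH_DENY[(DE_ROLE, AT_SITE, "read")] = DENY
WITH_DENY[(AT_ROLE, DE_SITE, "read")] = DENY

KLARA = [DE_ROLE, AT_ROLE, "MyBusiness Editor Advanced"]   # both sites
STEFAN = [DE_ROLE, "MyBusiness Editor Advanced"]           # Germany only


def visible_sites(acl, assigned):
    """Sites on which the combined roles yield read access."""
    return [s for s in (DE_SITE, AT_SITE) if effective(acl, assigned, s, "read")]
```

With SUMMABLE, Klara reads both sites and Stefan only the German one; with WITH_DENY, Stefan is unchanged but Klara loses both sites, because each site role's deny overrides the other role's grant.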

So, let’s start…

 

8.1 Let's log in with Ruud's account and see what he sees at the moment (Ruud is assigned the role "MyBusinessInNetherlands NL" without any rights set and the role "MyBusiness Editor Advanced"). After login he sees the limited Launchpad.

In the Content Editor, Ruud sees all tenants and all sites but cannot add pages. We will adjust this now.

8.2 Search for your newly created access role, e.g. "MyBusinessInNetherlands NL", select it and open the Security Editor.

8.3 Security Editor

After opening the Security Editor, the account you want to edit (Role: MyBusinessInNetherlands NL) should be preselected.

Now we need to make sure that a user with a certain role can only access certain things, i.e. only the content the user is meant to work on.

If I take a look at the tree, the users for the Dutch site should only have access to:

But when combining a Dutch and e.g. a German role, the user should have access to both.

8.4 MyBusiness Tenant

8.4.1 Select the tenant node "MyBusiness" and click the "Assign" button in the ribbon.

8.4.2 Break the inheritance for descendants. This ensures that you only see the sites below the tenant that you have been granted.

8.4.3 If you have already created other tenants, break the inheritance for the item and the descendants.

Note: If you don't want to do that for each site access role, you can also set those rights on a separate role (e.g. "MyBusiness Tenant Access") and let the site access roles inherit from this role. In this example we don't do that.

If you now check what "Ruud" sees, it should look like this.

07-06 Security Editor

8.6 MyBusinessInNetherlands-NL Site

Now we take care of granting rights for the Dutch site.

8.6.1 Select the site "MyBusinessInNetherlands-NL" and click the "Assign" button. Enable the "Read" right for the item and the "Read", "Write", "Rename", "Create" and "Delete" rights for descendants.

8.7 Take away rights for things that are not necessary

Just in case you don't want to delete the "Home" item below "Content" that is created in a standard installation, you can deny access to it.

8.7.1 To do so, choose the "Home" node in the Security Editor, click the "Assign" button in the ribbon and deny read access to the item.

You can now check what "Ruud" sees.

This looks quite OK for now.

9. Media Library

The basic things you applied for the access role can also be applied to the Media Library. Break inheritance and allow access for the Media Library folder that should be used by the editors of the website.

10. Marketing Center issues

The basic things you applied for the access role can also be applied to the Marketing Center. Break inheritance and allow access for the Marketing Center folder of each area (Goals etc.) that should be used by the editors of the website. Please note that the Marketing Center faces some issues when dividing it for a separated multisite approach. Some areas do not provide folder items that you can use for separation per site. Also, Web Forms for Marketers, which lets you create goals out of the wizard, does not consider multisite support. It will create goals in the root node of the Goals.

 

11. Review of User Rights

Now, if you have created the users below with the respective roles, you can check whether they work out correctly.

User Name: Moritz

Purpose: Editor Basic on MyBusinessInGermany.de

Assigned Roles:

Outcome:

Moritz

User Name: Stefan

Purpose: Editor Advanced on MyBusinessInGermany.de

Assigned Roles:

Outcome:

Stefan

 

User Name: Ruud

Purpose: Editor Advanced on MyBusinessInNetherlands.nl

Assigned Roles:

Outcome:

Ruud

User Name: Razvan

Purpose: Editor Advanced on MyBusinessInRomania.ro

Assigned Roles:

Outcome:

Razvan

User Name: Klara

Purpose: Editor Advanced on MyBusinessInGermany.de and MyBusinessInAustria.at

Assigned Roles:

Outcome:

Klara

User Name: Paula

Purpose: Editor Advanced on MyBusinessInGermany.de and Editor Basic on MyBusinessInAustria.at (will fail by design ;-) )

Assigned Roles:

Outcome:

Paula

 

12. SXA Roles

In SXA you can also create roles per site and tenant using an out-of-the-box script. It basically uses Concept 1 (see above). This is fine if you run single independent sites. If you run several sites with the same purpose but, e.g., in different geographical locations, then the described concept is easier to maintain. That's why I described this way.

Furthermore, SXA comes with some roles in the SXA domain. If you want your editors to use the Toolbox provided with SXA, you have to assign the SXA/Author role to your functional role. I'm not sure whether dividing by publishing rights is then possible.

 

 

Created: 16.12.2017
