This document describes the authentication and authorization model in EPiServer CMS. The authentication and authorization system uses the default membership and role system as introduced in ASP.NET. For more details on the provider model, see the “Introduction to Membership” section at Microsoft MSDN.
Authentication and authorization are used by the system to identify users and user groups, and to determine what they are allowed to do. These are some common terms used in this context:
The ASP.NET membership and role provider model used for authentication and authorization in EPiServer CMS has the following advantages:
Configuration of membership and role providers is done in web.config. If you change providers, you may have to revise the security settings (ACLs) for your entire site, since it is highly likely that user names and role names change when you switch providers. When installing EPiServer CMS, the Windows role and membership providers are the default.
This is an example of the role and membership configuration section in web.config:
<!-- Role providers: only the one named in defaultProvider is active -->
<roleManager enabled="true" defaultProvider="WindowsRoleProvider">
  <providers>
    <clear />
    <!-- Used only if selected as defaultProvider; provider<n> names the role
         providers to combine and providerMap<n> the membership provider each one pairs with -->
    <add name="MultiplexingRoleProvider"
         type="EPiServer.Security.MultiplexingRoleProvider, EPiServer"
         provider1="SqlServerRoleProvider"
         provider2="WindowsRoleProvider"
         providerMap1="SqlServerMembershipProvider"
         providerMap2="WindowsMembershipProvider" />
    <add name="WindowsRoleProvider"
         applicationName="EPiServerSample"
         type="EPiServer.Security.WindowsRoleProvider, EPiServer" />
    <add name="SqlServerRoleProvider"
         connectionStringName="EPiServerDB"
         applicationName="EPiServerSample"
         type="System.Web.Security.SqlRoleProvider, System.Web, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a" />
  </providers>
</roleManager>
<!-- Membership providers: only the one named in defaultProvider is active -->
<membership defaultProvider="WindowsMembershipProvider"
            userIsOnlineTimeWindow="10">
  <providers>
    <clear />
    <add name="MultiplexingMembershipProvider"
         type="EPiServer.Security.MultiplexingMembershipProvider, EPiServer"
         provider1="SqlServerMembershipProvider"
         provider2="WindowsMembershipProvider" />
    <add name="WindowsMembershipProvider"
         type="EPiServer.Security.WindowsMembershipProvider, EPiServer"
         deletePrefix="BUILTIN\" />
    <add name="SqlServerMembershipProvider"
         type="System.Web.Security.SqlMembershipProvider, System.Web, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a"
         connectionStringName="EPiServerDB"
         requiresQuestionAndAnswer="false"
         applicationName="EPiServerSample"
         requiresUniqueEmail="true"
         passwordFormat="Hashed"
         maxInvalidPasswordAttempts="5"
         minRequiredPasswordLength="7"
         minRequiredNonalphanumericCharacters="0"
         passwordAttemptWindow="10"
         passwordStrengthRegularExpression="" />
  </providers>
</membership>
The <membership> section controls the membership provider to use. Note that even though there are three providers listed in the <providers> section, only one is active at this time, the WindowsMembershipProvider (controlled by the defaultProvider attribute of the <membership> tag). For example, the <add ...> lines for MultiplexingMembershipProvider and SqlServerMembershipProvider could be removed without affecting the functionality. There is one exception to this statement - if you have selected the MultiplexingMembershipProvider as the default provider, it will make use of additional providers as defined by the provider<n> attributes.
Similarly, the <roleManager> section controls the role provider to use. The same basic principles of defaultProvider / Multiplexing provider as for membership apply here as well.
When you select the provider to use, you are deciding which user database EPiServer authenticates its users against. As previously stated, it is possible to change the provider at any time, but this may cause problems, forcing you to revise the security settings in EPiServer CMS.
Also note that the membership and role providers are configured separately, but a specific membership provider may require a certain role provider and vice versa. For the current set of providers you must have matching role and membership providers, for example, if you decide to use WindowsMembershipProvider you must use the WindowsRoleProvider.
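The checks described above (a defaultProvider that is actually defined, Multiplexing provider references that resolve, and a role provider that matches the membership provider) can be automated against a web.config before deployment. The following script is an added example and is not EPiServer code; it parses a constructed web.config fragment with `xml.etree`, and the pairing table `REQUIRED_ROLE_PROVIDER` encodes only the Windows-with-Windows and SQL-with-SQL rule stated in the text.

```python
# Added example, not EPiServer's own code: parse the <membership> and <roleManager>
# sections of a web.config and flag the provider mismatches described in the text.
import xml.etree.ElementTree as ET

# Constructed web.config fragment for this demo. It deliberately contains two
# faults: providerMap1 misspells the membership provider name, and the default
# membership provider (Windows) is paired with the SQL role provider.
SAMPLE_WEB_CONFIG = """<configuration>
  <system.web>
    <roleManager enabled="true" defaultProvider="SqlServerRoleProvider">
      <providers>
        <clear />
        <add name="MultiplexingRoleProvider"
             type="EPiServer.Security.MultiplexingRoleProvider, EPiServer"
             provider1="SqlServerRoleProvider" provider2="WindowsRoleProvider"
             providerMap1="SqlServermembershipProvider"
             providerMap2="WindowsMembershipProvider" />
        <add name="WindowsRoleProvider"
             type="EPiServer.Security.WindowsRoleProvider, EPiServer" />
        <add name="SqlServerRoleProvider"
             type="System.Web.Security.SqlRoleProvider, System.Web, Version=4.0.0.0" />
      </providers>
    </roleManager>
    <membership defaultProvider="WindowsMembershipProvider">
      <providers>
        <clear />
        <add name="MultiplexingMembershipProvider"
             type="EPiServer.Security.MultiplexingMembershipProvider, EPiServer"
             provider1="SqlServerMembershipProvider" provider2="WindowsMembershipProvider" />
        <add name="WindowsMembershipProvider"
             type="EPiServer.Security.WindowsMembershipProvider, EPiServer" />
        <add name="SqlServerMembershipProvider"
             type="System.Web.Security.SqlMembershipProvider, System.Web, Version=4.0.0.0" />
      </providers>
    </membership>
  </system.web>
</configuration>
"""

# The "matching providers" rule from the text: a membership provider type and
# the role provider type it has to be used with.
REQUIRED_ROLE_PROVIDER = {
    "EPiServer.Security.WindowsMembershipProvider": "EPiServer.Security.WindowsRoleProvider",
    "System.Web.Security.SqlMembershipProvider": "System.Web.Security.SqlRoleProvider",
}


def _providers(section):
    """Map provider name -> its attributes for a <membership> or <roleManager> element."""
    return {add.get("name"): dict(add.attrib) for add in section.findall("providers/add")}


def _type_name(type_attr):
    """Reduce 'Namespace.Class, Assembly, Version=...' to 'Namespace.Class'."""
    return type_attr.split(",")[0].strip()


def _check_multiplexing(label, providers, own, mapped, problems):
    """Every provider<n> must name a provider of the same kind and every
    providerMap<n> one of the other kind, spelled exactly as defined."""
    for name, attrs in providers.items():
        if "Multiplexing" not in _type_name(attrs.get("type", "")):
            continue
        for key, value in attrs.items():
            if key.startswith("providerMap"):
                if value not in mapped:
                    problems.append(f"{label}/{name}: {key}='{value}' matches no provider (check spelling and case)")
            elif key.startswith("provider") and value not in own:
                problems.append(f"{label}/{name}: {key}='{value}' matches no provider")


def check_provider_config(xml_text):
    """Return a list of problem descriptions; an empty list means the sections are consistent."""
    root = ET.fromstring(xml_text)
    membership = root.find(".//membership")
    role_manager = root.find(".//roleManager")
    mem = _providers(membership)
    roles = _providers(role_manager)
    problems = []

    # 1. defaultProvider has to name a provider that is actually defined.
    for label, section, defined in (("membership", membership, mem), ("roleManager", role_manager, roles)):
        default = section.get("defaultProvider")
        if default not in defined:
            problems.append(f"{label}: defaultProvider '{default}' is not defined")

    # 2. Multiplexing providers only matter when selected, but their references
    #    should still resolve so that a later switch does not fail.
    _check_multiplexing("roleManager", roles, own=roles, mapped=mem, problems=problems)
    _check_multiplexing("membership", mem, own=mem, mapped=roles, problems=problems)

    # 3. The default membership provider needs its matching default role provider.
    default_mem = mem.get(membership.get("defaultProvider"))
    default_role = roles.get(role_manager.get("defaultProvider"))
    if default_mem and default_role:
        required = REQUIRED_ROLE_PROVIDER.get(_type_name(default_mem["type"]))
        actual = _type_name(default_role["type"])
        if required and actual != required:
            problems.append(f"default membership provider needs role provider {required}, but roleManager default is {actual}")
    return problems


if __name__ == "__main__":
    for problem in check_provider_config(SAMPLE_WEB_CONFIG):
        print("PROBLEM:", problem)
```

Run it against the real web.config by reading the file into `check_provider_config`; an empty list is the expected result for a consistent configuration. The providerMap check is deliberately case-sensitive so that a spelling slip is reported rather than silently tolerated.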
When you administer access rights to pages in EPiServer you will use some distinct components that are tied very loosely together. This will cause the UI to show information that may appear confusing. The components are as follows:
An ACL is simply a list of SecurityEntities and an access level. The security entity is a name and information stating if the name represents a role or a user. Once you have a security entity in an ACL, it will not be affected by changes in the membership or role provider. One aspect of this is that when you delete a role and then look at an ACL that had an access entry for this role, the role will still be displayed in the ACL.
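To make the decoupling concrete, here is an added example (not EPiServer code) that models an ACL exactly as described above, a list of security entities each with an access level, beside a toy role provider. Deleting a role in the provider leaves the ACL entry in place, so the model also includes a `stale_entries` check that lists entries whose role or user no longer exists. The `AccessLevel` flag names and the union-of-entries evaluation in `effective_access` are assumptions for the demo, not a statement of how the CMS evaluates access.

```python
# Added example, not EPiServer's own code: a minimal model of the ACL described
# above (a list of security entities with an access level) next to a role
# provider, showing that deleting a role leaves its ACL entry behind, and a
# check that lists such stale entries.
from dataclasses import dataclass
from enum import Flag, auto


class AccessLevel(Flag):
    # Constructed stand-in for the CMS access levels; the names are illustrative.
    NONE = 0
    READ = auto()
    CREATE = auto()
    EDIT = auto()
    DELETE = auto()
    PUBLISH = auto()
    ADMINISTER = auto()


@dataclass(frozen=True)
class SecurityEntity:
    """A name plus whether it denotes a role or a user; stored as-is in the ACL."""
    name: str
    is_role: bool


class RoleProvider:
    """Toy role store: role name -> set of member user names."""

    def __init__(self, roles):
        self.roles = {role: set(members) for role, members in roles.items()}

    def roles_for(self, user):
        return {role for role, members in self.roles.items() if user in members}

    def delete_role(self, role):
        del self.roles[role]


class AccessControlList:
    def __init__(self):
        self.entries = {}  # SecurityEntity -> AccessLevel

    def set_access(self, entity, level):
        self.entries[entity] = level

    def stale_entries(self, role_provider, known_users):
        """Entries whose role or user no longer exists in the configured providers.
        The ACL itself is not updated when providers change, so these accumulate."""
        return [e for e in self.entries
                if (e.is_role and e.name not in role_provider.roles)
                or (not e.is_role and e.name not in known_users)]

    def effective_access(self, user, role_provider):
        """Assumed evaluation: union of the user's own entry and the entries of
        every role the provider currently returns for the user."""
        user_roles = role_provider.roles_for(user)
        level = AccessLevel.NONE
        for entity, granted in self.entries.items():
            if entity.is_role and entity.name in user_roles:
                level |= granted
            elif not entity.is_role and entity.name == user:
                level |= granted
        return level


def demo():
    """Return (alice's access before, entry count after, stale entries, alice's access after)."""
    # Constructed sample data: two roles, two users.
    roles = RoleProvider({"WebEditors": {"alice"}, "WebAdmins": {"bob"}})
    users = {"alice", "bob"}
    acl = AccessControlList()
    acl.set_access(SecurityEntity("WebEditors", True), AccessLevel.READ | AccessLevel.CREATE | AccessLevel.EDIT)
    acl.set_access(SecurityEntity("WebAdmins", True), AccessLevel.READ | AccessLevel.ADMINISTER)
    before = acl.effective_access("alice", roles)

    roles.delete_role("WebEditors")  # deleted in the role provider only
    stale = acl.stale_entries(roles, users)
    after = acl.effective_access("alice", roles)
    return before, len(acl.entries), stale, after


if __name__ == "__main__":
    before, count, stale, after = demo()
    print("alice before:", before)
    print("ACL entries still listed:", count, "stale:", [e.name for e in stale])
    print("alice after:", after)
```

The stale entry is harmless for the deleted role itself, since no user is returned for it any more, but it becomes a problem if a role with the same name is later created in the provider: the old entry then grants access again. Listing stale entries after a provider change is the check that catches that.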
Membership providers have APIs for creating, editing and deleting users, but not all providers support updates of the user database. The SQL membership provider allows you to modify the user database, but the Windows membership provider does not. This will be reflected in the UI when you browse users.
The following access rights settings are recommended for users who are editing in the system:
If you are running in an Enterprise configuration with multiple-site definitions, there are some security-related issues you should be aware of.
The membership and role provider definitions cannot be configured on a per-site basis. If you must have separate provider definitions for each site, you cannot share the web.config file. This is a restriction in the Microsoft implementation of ASP.NET and not in EPiServer CMS.
If you are using the SQL Server membership / role provider and want to use the same set of users / roles for all sites using the same web.config files (probably the most common scenario), you need to use a separate database for the user / role information.
Last updated: Mar 25, 2013