Epifind - Access Control List



I have a few questions about epifind and access control.

While showing search results, we have to limit access to certain users / groups. In the documentation (http://find.episerver.com/Documentation/episerver-cms-integration-access-rights), there is a method "RolesWithReadAccess" to filter out users / groups.

  • what is the logic behind this method "RolesWithReadAccess" ? If I use this method like RolesWithReadAccess("Everyone") what does it mean for that group "Everyone"? and what does it mean to other groups on the website.
  • If new groups are created in AD and used by the editors to access control pages ( we are using Epinova to import AD groups into Episerver website), do we have to create a new method RolesWithReadAccess ? or is there way to automatically add newly created groups to filter like "all groups"


May 24, 2013 13:44


RolesWithReadAccess is an extension method that is automatically indexed with IContent so that Roles that have read access is indexed. This is done so that you later can filter for the different roles that the user have that is seraching at the moment.

The easiest and recommended way is to use the method FilterForVisitor when searching. This is done if you are using the UnifiedSearch which in turn is the recommended way to build search pages if that is what you are doing.


May 24, 2013 15:15

The general pattern for access rights filtering with Find as well as other search solutions is:

  1. Ensure that each document (thing in the index) has a list of who should be able to see it.
  2. When searching, add filters that excludes documents whos list of users and groups that should be able to see it doesn't contain the current user and any groups that he or she is in.

In the case of CMS content with Find step 1 is already taken care of as the return value of RolesWithReadAccess (and UsersWithReadAccess in later versions of the .NET/CMS integration) is automatically indexed. This means that all you have to do for pages is step 2. Do do that you:

  1. Figure out what groups the user is a member of.
  2. Iterate over those groups and build a filter that requires the RolesWithReadAccess field to contain at least one of those groups.
  3. Add the filter created in step 2 to a search query.

As Marcus writes there are also helper methods in later versions of the .NET API/CMS integration that can take care of the above steps for you.

May 27, 2013 9:16

In case you need to implement the filtering manually (you may for instance not be searching for CMS content), you can retrieve a list of the user's roles using:

//using EPiServer.Security;

var roles = PrincipalInfo.Current.RoleList.ToList();

If the site is utilizing virtual roles you can add them as well by first retrieving all virtual roles and the check if the current user is in each of them.

May 27, 2013 9:25


thanks for your response !! 

I'm stil not clear. What does this line of code means - " Filter(x=>x.RolesWithReadAccess().Match("Everyone"))" ? I mean the functionality of RolesWithReadAccess(). what is the return value for this method ?



May 28, 2013 11:26


That example code adds a filter to the search request. The return value is the modified search query which you can continue to build upon or execute.

The filter that that specific code adds will modify the search request so that only pages which are visible to the group "Everyone" is returned. That's often enough on a public web site while on an intranet you also add any groups that the current user is in. Again though, never versions of Find has a method called FilterForVisitor that handles that for you.

May 28, 2013 11:34

Hi, thanks for your valuable reply !!

As I mentioned in my earlier post, how groups (created in AD) can be added automatically to this filter ? 

May 28, 2013 12:01

var filter = Client.BuildFilter<PageData>();

var roles = PrincipalInfo.Current.RoleList.ToList();

foreach(var role in roles)


  filter = filter.Or(x => x.RolesWithReadAcces().Match(role));




Something like that :)

May 28, 2013 12:09

Hi, I'm just trying to do the same filter by 'RolesWithReadAcces' on 'ContentBase' type. 

var filter = Client.BuildFilter<ContentBase>();

It gives me this error: 'ContentBase' does not contain a definition for 'RolesWithReadAccess'

But ContentBase inherited types have 'RolesWithReadAccess' data in the find index. Why is this not possible?

Edited, Jul 10, 2017 12:19
This topic was created over six months ago and has been resolved. If you have a similar question, please create a new topic and refer to this one.
* You are NOT allowed to include any hyperlinks in the post because your account hasn't associated to your company. User profile should be updated.