Vulnerability in EPiServer.Forms

Try our conversational search powered by Generative AI!

How is access to the Visitor Groups interface managed?


How is access to Visitor Groups handled?  After upgrading to R2, Visitor Groups does not appear in the right-click menu, and if I try to access it from the overhead menu in Edit/Admin Modes, I get prompted for credentials.

The path for Visitor Groups is:


I checked all the through the web.config, and the only access path I can see that would apply is the path to /admin.  I have the correct groups in here, and I have access to both Edit and Admin Modes, so I know this works.  Yet, Visitor Groups does not work, either in the link from Edit/Admin Mode or from the right-click menu.

Is there some other access control around Visitor Groups that I'm not aware of?

Jan 26, 2012 2:13

Have you configured the virtual roles CmsAdmin and CmsEditors in EPiServerFrameWork.config? They are used for authorization in the mvc part of EPiServer.

Jan 26, 2012 8:35

What you mean "configured the virtual roles"?  EPiServerFramework.config looks correct -- I can see the virtual roles in there:

      <add roles="WebAdmins, Administrators" mode="Any" name="CmsAdmins" type="EPiServer.Security.MappedRole, EPiServer" />
      <add roles="WebEditors" mode="Any" name="CmsEditors" type="EPiServer.Security.MappedRole, EPiServer" />


What configuration needs to take place apart from them being in the file?

Jan 26, 2012 15:27

Are you using WebAdmins and WebEditors as groups for editors and admins? Otherwise you have to add your own roles to each virtual role in the roles attribute.

Now you're mapping WebAdmins and Administrators to the CmsAdmins roles and so on.

Also check if you have configured following paths in web.config correctly:

		<publicModules rootPath="~/modules/" autoDiscovery="Minimal"/>
		<protectedModules rootPath="~/yourUI/">
			<add name="shell"/>
			<add name="cms"/>


Jan 26, 2012 15:35

So, just to clarify --

Visitor Groups operates off the CmsEditors and CmsAdmins roles.

And the "EPiServer.Security.MappedRole" converts one role to another.  So this code...

      <add roles="WebAdmins, Administrators" mode="Any" name="CmsAdmins" type="EPiServer.Security.MappedRole, EPiServer" />
      <add roles="WebEditors" mode="Any" name="CmsEditors" type="EPiServer.Security.MappedRole, EPiServer" /> saying that the "WebAdmins" and "Administrators" roles are both also valid for the "CmsAdmins" role.  And the "WebEditors" role is also valid for the "CmsEditors" role.

Is that correct?

Jan 26, 2012 16:02

That's correct regarding "EPiServer.Security.MappedRole". And I hope Visitor Groups is using mvc and authorization rules, just like other parts of EPiServer Framework like Online Center and My Settings. 

Jan 26, 2012 16:12

Turns out groups on this server were a little different -- users weren't in the WebAdmins and WebEditors roles that were mapped to CmsAdmins and CmsEditors.  I changed the config of those MappedRoles, and we're good now.

Thanks Johan -- I appreciate the pointer on how access works for Visitor Groups.  Wouldn't have found it otherwise.

Feb 02, 2012 18:17

I'm glad I could help :)

Feb 02, 2012 18:19

In order to control visitor group access security list we discovered that you need to add missing virtual role in episerverframework.config file:


<add name="VisitorGroupAdmins" roles="{your roles here}" type="EPiServer.Security.MappedRole, EPiServer" mode="Any"/>


Aug 23, 2012 21:44

Great to find this, and thanks Valdis, your lien of code fixed it for me. But... We had to change the assembly in the setting so it look like this:

<add name="VisitorGroupAdmins" roles="{your roles here}" type="EPiServer.Security.MappedRole, EPiServer.Framework" mode="Any"/>
Jan 20, 2015 15:08

That I guess was for v6. Too old answer to match latest version :)

Jan 20, 2015 15:53

True Valdis, I saw what section it was on just after I pressed ok on my comment ;-)

Jan 20, 2015 16:12

I'm glad everyone has fixed their issues, but I would like to add a little clarification for future reference.


"To access Visitor Groups in the global menu you must be a member of the access groups CmsAdmins or VisitorGroupAdmins, otherwise you will be prompted to a login page. If you want editors to be able to add, edit and delete visitor groups, you can provide access by adding them to VisitorGroupAdmins (CmsAdmins and CmsEditors are already defined in the configuration)."

The idea we had was that by default just admins would have access to the UI, but it could be modified by adding the VisitorGroupAdmins role.

And yes Johan, that is standrad roles, so you don't have to use the MappedRole configuration to add it. It can be managed like any role in the system.


Per Gunsarfs

Jan 20, 2015 16:35
This thread is locked and should be used for reference only. Please use the Episerver CMS 7 and earlier versions forum to open new discussions.
* You are NOT allowed to include any hyperlinks in the post because your account hasn't associated to your company. User profile should be updated.