Sitecore: Assigning Security to items from code

When Sitecore 6 came out, Sitecore changed the Security model dramatically. Sitecore now uses the .net security model, and on top of this they have built a set of classes to help with the assigning of roles and members.

UPDATE 2017-11-24: This article applies to Sitecore 6, Sitecore 7, Sitecore 8.

You will find the helper classes in the Sitecore.Security namespace:

using Sitecore.Security.Accounts;
using Sitecore.Security.AccessControl;

Access rights to items can be added programatically to any item using the AccessRuleCollection class. The following example demonstates how to apply read access to a role (group) using the AccessRuleCollection:

public void SetAccess(Item item)
  Role myRole = Role.FromName("sitecore\\myRole");

  // Get the current accessrules
  AccessRuleCollection accessRules = item.Security.GetAccessRules();

  // Apply read access for the "myRole" to the current item
  // and all it's children

  // Write the rules back to the item

As you already know, the Item in the function’s parameter must come from the “master” database.

The AddAccessPermission is pretty straight forward. In my example I grant access to a role, but the function will also take a user. Please also note that when retrieving a role or user from the user database, you must prefix the user or role name with the domain name.

The AccessRight class defines which right to apply to the item. If you need to grant more than one right, you will need to add them one by one. Like in this example:

PropagationType pt = PropagationType.Any;
AccessPermission ap = AccessPermission.Allow;
accessRules.Helper.AddAccessPermission(myRole, AccessRight.ItemRead, pt, ap);
accessRules.Helper.AddAccessPermission(myRole, AccessRight.ItemWrite, pt, ap);
accessRules.Helper.AddAccessPermission(myRole, AccessRight.ItemRename, pt, ap);
accessRules.Helper.AddAccessPermission(myRole, AccessRight.ItemCreate, pt, ap);
accessRules.Helper.AddAccessPermission(myRole, AccessRight.ItemDelete, pt, ap);
accessRules.Helper.AddAccessPermission(myRole, AccessRight.WorkflowStateDelete, pt, ap);
accessRules.Helper.AddAccessPermission(myRole, AccessRight.WorkflowStateWrite, pt, ap);
accessRules.Helper.AddAccessPermission(myRole, AccessRight.WorkflowCommandExecute, pt, ap);

The PropagationType enumeration determines which items will be granted the access right. Any means the item and all items inheriting. Descendants applies rights to inheriting children only, and Entity applies right to the item only.

Finally, the AccessPermission enumeration determines whether to grant (allow) or deny the access right.

If you wish to know more about the Sitecore security model, you should read the Sitecore Security API Cookbook (available for members of the Sitecore Developer Network only).

About briancaos

Developer at Pentia A/S since 2003. Have developed Web Applications using Sitecore Since Sitecore 4.1.
This entry was posted in Sitecore 6, Sitecore 7, Sitecore 8 and tagged , , , , . Bookmark the permalink.

5 Responses to Sitecore: Assigning Security to items from code

  1. Mark says:

    Thanks for this post! This is exactly what I needed. For those on the SDN, this forum post has a few more details also, including setting inheritance:

  2. Hakeem Missa says:

    Thanks. Dynamically activating/de-activating inheritance permission on a content node was what I needed, which is well covered in the suggested link.

  3. Pingback: Sitecore Users and C# | Brian Pedersen's Sitecore and .NET Blog

  4. Pingback: Sitecore check access and roles programatically | Brian Pedersen's Sitecore and .NET Blog

  5. Pingback: Which of my old Sitecore posts are still valid in Sitecore 9? | Brian Pedersen's Sitecore and .NET Blog

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

This site uses Akismet to reduce spam. Learn how your comment data is processed.