When you start to dig into the Sitecore security model, it is very understandable that large multinational corporations are using Sitecore, because Sitecore allows you to create a very granular security setup.
UPDATE 2017-11-24: This article applies to Sitecore 6, Sitecore 7, Sitecore 8 and Sitecore 9.
This is a case from a very large company I am working for at the moment. They have 17 languages on 12 domains, and they need to be able to control who is editing what language.
I’m not saying that setting up security is trivial, but the basics of language based security is very easy. There are several approaces, but this is one I have used with success.
The criteria is: All editors can edit any page, but only in their own language.
First of all I create a new role called <company>Editor.
Then I create a new role for each language (I call these language roles), for example <company>Editor_da, <company>Editor_en, <company>Editor_de and so on.
All users must be members of the <company>Editor role and at least one language role. A danish editor would then be a member of <company>Editor and <company>Editor_da (and also the standard Author and Sitecore Client Users roles).
The language roles are then applied to each language in Sitecore. And this is the actual trick for applying language based security. Each language has a Language Write permission. When this permission is applied, only members of that role has write access to the language.
Security on Languages
If you do not apply any permissions to a language then all members have write access.
My users have now write access to one language only (or several languages if they a members of more than one language role). But they do not have write access to any content. This is done using trivial Sitecore security on the content. I use the <company>Editor role for setting up read/write access to the content itself:
General Sitecore Security
See how you do not need to apply each language role to the content itself. Setting security on the languages restricts the access to languages in a system-wide manner.
When a user enters an item in a language that he has no access tom he is met with the following message:
No acces to the current language
(Do you notice the cool “Language info” field? That’s a custom field where you can see which languages the item has been translated into. But that’s another story which I will tell another day).
Hi Brian,
Clear, crisp and straight to the point article.
I absolutely noticied the Language Info field type. Very cool: I absolutely love to learn one more.
One thing you forgot to mention. When you wrote:
A danish editor would then be a member of Editor and Editor_da (and also the standard Author and Sitecore Client Users roles).
In fact, the Company Editor role itself could be a member of these two sub roles. When the user is a member of company editor, they are implictly members of the two other roles.
Pingback: Is Sitecore security slowing you down? « Brian Pedersen’s Sitecore and .NET Blog
Pingback: Sitecore Users and C# | Brian Pedersen's Sitecore and .NET Blog
Hi Brian, I know the post is quite old now, but did you ever post about that Language info” field? I’d like to add something like that to my solution!
Pingback: Sitecore: Login to website and how to restrict access to content | Brian Pedersen's Sitecore and .NET Blog
Pingback: Which of my old Sitecore posts are still valid in Sitecore 9? | Brian Pedersen's Sitecore and .NET Blog