Maybe you’ve been there, or maybe you overheard someone talking about it at the last Sitecore meet-up. We chalk it up to human-error when it all could have been avoided. A user who had a Design role somehow managed to Publish, and to make matters worse, they used Full Publish. Now, this resource intensive process is slowing down all of our other users, and no one is aware of the problem. If only we had used the built-in Sitecore roles, instead of giving everyone the admin flag. This is something obvious too many but surprisingly rarely followed.
It is very important to grant user permissions based on their roles. When users are given the administrator flag, there are plenty of negative consequences that can occur:
- The users bypass their set roles and permissions.
- Leads to a security hole if the list of user accounts is not reviewed
- Users have access to many area, that may negatively affect your solution
- The ability to perform Full Site Publishes will severely hamper your site’s performance as well as release content that is not ready.
This is why Sitecore recommends using the admin flag sparingly. Luckily, if you have already gone admin crazy, Sitecore comes with a nifty tool called the User Manager. This tool allows you to:
- Create and edit users
- Enable and disable users
- Delete users
- Change the passwords of users
Within this tool, you can also check if the IsAdministrator checkbox is checked or not.
The ideal recommendation is to put users in the right roles. This can be achieved with another tool build into Sitecore called the Role Manager. The Role Manager allows you to:
- Create and delete roles
- Add members to and remove them from a role
- Make a role a member of and remove it from another role.
If you want to restrict admin access but don’t have all the roles your users should belong to yet, here are some out of the box roles you can put your users in…..
- SitecoreAuthor – provides basic authoring access to appropriate content in the content tree
- SitecoreDesigner – provides read/write access to the areas of the content tree required when changing layout details for individual items and groups of items
- SitecoreDeveloper – provides access to developer specific content and functionality
- Sitecore Client Account Managing – provides access to applications used to maintain users, roles, and domains
- Sitecore Client Authoring – provides access to basic item editing features and applications
- Sitecore Client Configuring – provides access to the Content Editor features that allow a user to change the configuration details associated with items
- Sitecore Client Maintaining – provides access to the Template Manager and the features related to the maintenance of templates
- Sitecore Client Users – provides access to the Sitecore user interfaces. All users should be assigned to this role.
With the large downside, I’d recommend every company do routine checks of who has Admin access and who is doing full site publishes. Here, at Hedgehog, we perform a Wellness Scan that routinely checks who has administrator access to your site and is doing full site publishes. This helps to make sure your solution has the right security measures and fundamentals scale and grow.