HomeDev GuideAPI Reference
Dev GuideAPI ReferenceUser GuideGitHubNuGetDev CommunityDoc feedbackLog In

Permissions to functions

Describes how to assign users and roles to a permission in the administrative interface

Optimizely Content Management System (CMS) has a built-in system for assigning permissions to individual functions. You can assign users and roles to a permission in the administrative interface under Config > Permissions to functions. Built-in permissions include the ability to access web services and viewing detailed exception messages.

Use permissions to functions

The API for querying whether a user is permitted to perform a function is available via EPiServer.Security.PermissionService or via PrincipalInfo as a simplified API.

//Alt 1
bool hasPermission = ServiceLocator.Current.GetInstance<PermissionService>().IsPermitted(HttpContext.Current.User, SystemPermissions.DetailedErrorMessage);
    
//Alt 2
bool hasPermission = PrincipalInfo.Current.IsPermitted(SystemPermissions.DetailedErrorMessage);

Define permissions to functions in code

You can define custom permissions to functions by defining a class as shown in the following example. Classes with the PermissionTypes attribute are automatically picked up by Optimizely and appear in the administrative interface. Permission names must be unique within a group, so pick a group name that is unique to your solution. You also can register permission types via EPiServer.DataAbstraction.PermissionTypeRepository to support dynamic creation of permissions.

[PermissionTypes]
public static class MyCustomPermissions
{
    public const string GroupName = "MyCustomPermissions";
    
    static MyCustomPermissions()
    {
        EditSettings = new PermissionType(GroupName, "EditSettings");
        ViewSettings = new PermissionType(GroupName, "ViewSettings");
    }
    
    public static PermissionType EditSettings { get; private set; }
    public static PermissionType ViewSettings { get; private set; }
}

You can define readable descriptions for the group and the permissions that are shown in the user interface by adding an entry to a language resource file. Under <groups>, name the GroupName (such as <MyCustomPermissions>) in which you place a <description> and node permission names (such as <EditSettings> and <ViewSettings>) as shown in the following example:

<?xml version="1.0" encoding="utf-8" standalone="yes"?>
<languages>
  <language name="English" id="en">
    <admin>
      <permissiontype>
        <groups>
          <MyCustomPermissions>
            <description>Custom settings fuctions</description>
            <permissions>
              <EditSettings>Allows users to access edit settings</EditSettings>
              <ViewSettings>Allows users to access view settings</ViewSettings>
            </permissions>
          </MyCustomPermissions>
        </groups>
      </permissiontype>
    </admin>
  </language>
</languages>

Protect a controller via a permission

Use the AuthorizePermission attribute to authorize an MVC controller via permissions to functions:

[AuthorizePermission("MyCustomPermissions", "EditSettings")]
public class EditSettingsController : Controller
{
    public ActionResult Index()
    {
      return View();
    }
}

Expose permissions to other systems with virtual roles

Some systems cannot validate permissions but can validate roles. In these cases, you can expose a permission as a role:

[InitializableModule]
[ModuleDependency((typeof(EPiServer.Web.InitializationModule)))]
public class VirtualRoleInitializer : IInitializableModule
{
    public void Initialize(InitializationEngine context)
    {
        var virtualRoleRepository = context.Locate.Advanced.GetInstance<IVirtualRoleRepository>();
    
        virtualRoleRepository.Register("EditSettingsVirtualRole", new PermissionRole
        {
            Permission = MyCustomPermissions.EditSettings
        });
    }
    
    public void Uninitialize(InitializationEngine context) { }
    public void Preload(string[] parameters) { }
}

What’s Next