HomeDev GuideAPI Reference
Dev GuideAPI ReferenceUser GuideGitHubNuGetDev CommunitySubmit a ticketLog In
GitHubNuGetDev CommunitySubmit a ticket

Permissions to functions

Describes how to assign users and roles to a permission in the administrative interface

Optimizely Content Management System (CMS) has a built-in system for assigning permissions to individual functions. You can assign users and roles to permissions in the administrative interface under Config > Permissions to functions. Built-in permissions include accessing web services and viewing detailed exception messages.

Use permissions to functions

The API for querying whether a user is permitted to perform a function is available through EPiServer.Security.PermissionService or through PrincipalInfo as a simplified API.

//Alt 1
    bool hasPermission = ServiceLocator.Current.GetInstance<PermissionService>().IsPermitted(HttpContext.Current.User, SystemPermissions.DetailedErrorMessage);
//Alt 2
    bool hasPermission = PrincipalInfo.Current.IsPermitted(SystemPermissions.DetailedErrorMessage);

Define permissions to functions in code

As shown in the following example, you can define custom permissions to functions by defining a class. Classes with the PermissionTypesCMS automatically picks up the attribute and displays in the administrative interface. Permission names must be unique within a group, so pick a group name that is unique to your solution. You also can register permission types through EPiServer.DataAbstraction.PermissionTypeRepository to support dynamic creation of permissions.

public static class MyCustomPermissions {
  const string GroupName = "MyCustomPermissions";

  static MyCustomPermissions() {
    EditSettings = new PermissionType(GroupName, "EditSettings");
    ViewSettings = new PermissionType(GroupName, "ViewSettings");

  public static PermissionType EditSettings {
    private set;

  public static PermissionType ViewSettings {
    private set;

You can define readable descriptions for the group and the permissions shown in the user interface by adding an entry to a language resource file. Under <groups> name the GroupName (such as <MyCustomPermissions>) in which you place a <description> and node permission names (such as <EditSettings> and <ViewSettings>) as shown in the following example:

<?xml version="1.0" encoding="utf-8" standalone="yes"?>
  <language name="English" id="en">
            <description>Custom settings functions</description>
              <EditSettings>Allows users to access edit settings</EditSettings>
              <ViewSettings>Allows users to access view settings</ViewSettings>

Protect a controller with a permission

Use the AuthorizePermission attribute to authorize an MVC controller with permissions to functions:

[AuthorizePermission("MyCustomPermissions", "EditSettings")]
public class EditSettingsController: Controller {
  public ActionResult Index() {
    return View();

Use virtual roles to expose permissions to other systems

Some systems cannot validate permissions but can validate roles. In these cases, you can expose a permission as a role:

[ModuleDependency((typeof (EPiServer.Web.InitializationModule)))]
public class VirtualRoleInitializer: IInitializableModule {
  public void Initialize(InitializationEngine context) {
    var virtualRoleRepository = context.Locate.Advanced.GetInstance<IVirtualRoleRepository>();

    virtualRoleRepository.Register("EditSettingsVirtualRole", new PermissionRole {
      Permission = MyCustomPermissions.EditSettings

  public void Uninitialize(InitializationEngine context) {}
  public void Preload(string[] parameters) {}