HomeDev GuideAPI Reference
Dev GuideAPI ReferenceUser GuideGitHubNuGetDev CommunityDoc feedbackLog In
GitHubNuGetDev CommunityDoc feedback


Optimizely Content Management System (CMS) has a built-in system for assigning permissions to individual functions. You can assign users and roles to a permission in the administrative interface under **Config **>** Permissions to functions**. Built-in permissions include the ability to access web services and viewing detailed exception messages.

## Use permissions to functions

The API for querying whether a user is permitted to perform a function is available via `EPiServer.Security.PermissionService` or via `PrincipalInfo` as a simplified API.



## Define permissions to functions in code

You can define custom permissions to functions by defining a class as shown in the following example. Classes with the `PermissionTypes` attribute are automatically picked up by CMS and appear in the administrative interface. Permission names must be unique within a group, so pick a group name that is unique to your solution. You also can register permission types via `EPiServer.DataAbstraction.PermissionTypeRepository` to support dynamic creation of permissions.



You can define readable descriptions for the group and the permissions that are shown in the user interface by adding an entry to a language resource file. Under **\<groups>**, name the `GroupName` (such as **\<MyCustomPermissions>**) in which you place a **\<description>** and node permission names (such as **\<EditSettings>** and **\<ViewSettings>**) as shown in the following example:



## Protect a controller via a permission

Use the `AuthorizePermission` attribute to authorize an MVC controller via permissions to functions:



## Use virtual roles to expose permissions to other systems

Some systems cannot validate permissions but can validate roles. In these cases, you can expose a permission as a role: