Optimizely Content Management System (CMS) has a built-in system for assigning permissions to individual functions. You can assign users and roles to a permission in the administrative interface under **Config** > **Permissions to functions**. Built-in permissions include the ability to access web services and to view detailed exception messages.
## Use permissions to functions
The API for querying whether a user is permitted to perform a function is available via `EPiServer.Security.PermissionService` or via `PrincipalInfo` as a simplified API.
## Define permissions to functions in code
You can define custom permissions to functions by defining a class as shown in the following example. Classes with the `PermissionTypes` attribute are automatically picked up by CMS and appear in the administrative interface. Permission names must be unique within a group, so pick a group name that is unique to your solution. You can also register permission types via `EPiServer.DataAbstraction.PermissionTypeRepository` to support dynamic creation of permissions.
You can define readable descriptions for the group and its permissions, which are shown in the user interface, by adding an entry to a language resource file. Under **\<groups>**, add a node named after the `GroupName` (such as **\<MyCustomPermissions>**), and in it place a **\<description>** and nodes for the permission names (such as **\<EditSettings>** and **\<ViewSettings>**) as shown in the following example:
## Protect a controller via a permission
Use the `AuthorizePermission` attribute to authorize an MVC controller via permissions to functions:
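The permission class and the controller check described in the two sections above, combined as an added example (not Optimizely's own sample code). `SettingsController`, `Save`, and `siteTitle` are hypothetical names. The `AuthorizePermission` namespace, the `PermissionType(group, name)` constructor, the two-string `AuthorizePermission` constructor, and the `IsPermitted(principal, permission)` overload are assumptions about a CMS version running on ASP.NET Core MVC:

```csharp
using EPiServer.DataAbstraction;   // PermissionType, [PermissionTypes]
using EPiServer.Security;          // PermissionService
using EPiServer.Web.Mvc;           // [AuthorizePermission] (assumed namespace)
using Microsoft.AspNetCore.Mvc;    // assumption: ASP.NET Core MVC host

// Picked up automatically by CMS and listed under Permissions to functions.
[PermissionTypes]
public static class MyCustomPermissions
{
    // Group name must be unique to the solution; permission names are unique per group.
    public const string GroupName = "MyCustomPermissions";

    public static PermissionType EditSettings { get; } =
        new PermissionType(GroupName, "EditSettings");

    public static PermissionType ViewSettings { get; } =
        new PermissionType(GroupName, "ViewSettings");
}

// Every action requires the read-level permission; unauthorized users are rejected
// before any action code runs.
[AuthorizePermission(MyCustomPermissions.GroupName, "ViewSettings")]
public class SettingsController : Controller   // hypothetical controller
{
    private readonly PermissionService _permissionService;

    public SettingsController(PermissionService permissionService)
    {
        _permissionService = permissionService;
    }

    public IActionResult Index() => View();

    [HttpPost]
    [ValidateAntiForgeryToken]
    public IActionResult Save(string siteTitle)   // hypothetical action and parameter
    {
        // The state-changing action checks the stronger permission server-side,
        // so hiding the edit UI is never the only control.
        if (!_permissionService.IsPermitted(User, MyCustomPermissions.EditSettings))
        {
            return Forbid();
        }

        // Persist the setting here (storage is outside the scope of this example).
        return RedirectToAction(nameof(Index));
    }
}
```

Neither permission grants access until users or roles are assigned to it in the administrative interface, so a newly deployed controller is closed by default.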
## Use virtual roles to expose permissions to other systems
Some systems cannot validate permissions but can validate roles. In these cases, you can expose a permission as a role: