HomeDev GuideAPI Reference
Dev GuideAPI ReferenceUser GuideGitHubNuGetDev CommunitySubmit a ticketLog In
GitHubNuGetDev CommunitySubmit a ticket

Authorization and authentication

Describes the authentication and authorization model in Optimizely Customized Commerce.

The authentication in Optimizely CMS is based on the ASP.NET Core built-in framework for users and roles. Optimizely CMS uses a standard API that makes it easy to create your own provider for any type of user database, and third-party providers.

In addition, the Customized Commerce sample site has several predefined users, groups, and roles for managing content and administering Customized Commerce tasks.


The system uses authentication and authorization to identify users and user groups, and determine what they are allowed to do. Here are common terms used in this context:

  • Authentication. The process of identifying a user. Typically done via username and password.
  • Authorization. The process of determining actions a user is allowed to perform.

Administer security and access rights

When you administer access rights, use the following distinct components, which are loosely tied together. The EPiServer.CMS.UI.AspNetIdentity implements and registers the UIUserProvider, UIRoleProvider, UISignInManager and SecurityEntity provider in the container.

  • Users. Delivered by the current UIUserProvider.
  • Roles. Delivered by the current UIRoleProvider and the virtual roles.
  • Access control lists (ACLs).

An ACL is a list of SecurityEntity classes and an access level. The security entity is a name and information stating whether the name represents a role or a user. A security entity in an ACL is not affected by changes in the UIUserProvider or UIRoleProvider implementations. So if you delete a role and then look at an ACL that had an access entry for this role, it still appears in the ACL.

Customized Commerce-specific virtual roles

In addition to the default Optimizely CMS groups (WebAdmins, WebEditors, etc.), Customized Commerce has virtual roles that you can use to control access and visibility to parts of the user interface.

  • CommerceAdmins. Access to all parts of Customized Commerce except Administration and CMS admin view.
  • CommerceSettingsAdmins. Access to Settings menu for administering, for instance, dictionary values.
  • CatalogManagers. Access to the Catalogs user interface.
  • MarketingManagers. Access to the Marketing user interface.
  • CustomerServiceRepresentatives. Access to the Order management screen.

The virtual roles must be added to appsettings.json. For example, see this configuration.

"EPiServer": {
  "Cms": {
 	 "VirtualRole": {
    "Roles": {
      "CatalogManagers": {},
      "CustomerManagers": {}



MarketingManagers also have access to the CMS editor by default. To restrict this group's ability to edit content, limit access via Admin > Set Access Rights. Grant Read access to MarketingManagers.

To add a role, add a user to role, or check if a user is assigned to a role, you can use UIRoleProvider.

    _roleProvider.AddUserToRoleAsync(username, roleName);
    var userRoles = _roleProvider.GetRolesForUserAsync(userName);