Security in Kentico

#Kentico development #Kentico Kontent

Security is a very important aspect of any web application. Developers are often focused on front-end security: public pages vs. pages that require authentication, pages available only to particular roles, sections of a page that should be hidden from anonymous users, and so on. I'd like to draw your attention to the security of the Kentico admin area and the options available there.

 


Personally I love the Kentico security model because I haven't yet met a requirement that I couldn't implement with it. It is flexible and highly configurable, with several levels of granularity. For example, you may grant a role permission to edit content in general, or allow it to modify only a particular page type. Going further, you may allow content management only within a particular folder of the content tree while granting read-only access to all other areas. This prevents unauthorized changes to content and data and also improves the editors' experience: an editor who is allowed to manage only one page type does not have to pick it out of the long list of all available page types. The same narrowing could be achieved with page type scopes as well, but it is worth mentioning here.
 

Permissions

Most of the security configuration is done in the Permissions application. It manages access to all modules in the system, including custom modules and any permissions implemented there. Granting a permission is as easy as ticking the checkbox for a particular role in the list of available permissions. Sometimes it is not obvious which exact permission a role needs in order to perform some action, but a couple of minutes of experimenting is usually enough to figure it out. It is also possible to find the required permission from code; I'll get back to that later.

Another permission type is page type permissions. This is where read, create, modify, delete, browse and other permissions on a page type are configured for a role. It is the right place to set up content responsibilities, e.g. allow the news editor to manage news, the event editor to manage events, and so on. To complete the security setup for pages, additional page-level settings can be configured in the Pages application (the Security tab under a page's Properties).
 

Roles

I'd like to encourage everyone to create many roles, each with the least permissions it needs. It is much better to assign multiple narrow roles to a user than to have one role with many permissions. For example, a user is responsible for the data of a particular custom table and for the News section. It is better to create two roles, one allowing management of the custom table and another for news management, and assign both to the user. This approach is more flexible: removing a permission from one user is a matter of removing a role assignment, whereas changing a role's permissions affects every user in that role.
 

Impersonation

Whenever security is implemented, testing is the next logical step, and this is where Impersonation comes to the rescue. It is extremely handy when testing permissions, as it allows a global administrator to log in as a particular user, see exactly what that user sees, and verify that the system behaves as expected.
 

Custom security events   

When the Kentico security model is not enough to implement a requirement, or you need to override default behavior, Kentico suggests implementing handlers for its custom security events. The AuthorizeResource event handler can also be used to find out which permission the system checks when a user accesses a module: run the application in debug mode in Visual Studio, set a breakpoint in the handler method, and the system will hit it several times. The AuthorizationEventArgs passed to the handler show the module (resource) the system checks permissions for and the actual permission name.
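As an added example (not code from the original post), here is a Kentico custom module in C# that hooks the AuthorizeResource event described above. It serves both the Permissions section (finding out which module and permission the system checks, here by writing them to the Kentico event log instead of stopping at a breakpoint) and this section (overriding the default result). The module name CustomSecurity and the role name ContentFreeze are assumptions made for the illustration.

```csharp
using System;
using CMS;
using CMS.Base;
using CMS.DataEngine;
using CMS.EventLog;
using CMS.Membership;
using CMS.SiteProvider;

// Registers the module so that Kentico calls OnInit() at application start.
[assembly: RegisterModule(typeof(CustomSecurityModule))]

public class CustomSecurityModule : Module
{
    // Assumed role name for this example: members of this role may read
    // but not change anything while a content freeze is in effect.
    private const string FreezeRoleName = "ContentFreeze";

    // The module code name is an assumption as well; it only has to be unique.
    public CustomSecurityModule() : base("CustomSecurity") { }

    protected override void OnInit()
    {
        base.OnInit();

        // Fired whenever the system checks a module (resource) permission for a user.
        SecurityEvents.AuthorizeResource.Execute += AuthorizeResource_Execute;
    }

    private static void AuthorizeResource_Execute(object sender, AuthorizationEventArgs e)
    {
        if (e.User == null)
        {
            return;
        }

        // e.ResourceName is the module code name (e.g. "CMS.Content"), e.PermissionName
        // the permission being checked (e.g. "Modify") and e.Authorized the built-in
        // result. Logging them answers "which permission does this action need?"
        // without a debugger attached. This fires on every check, so keep it for
        // debugging only or guard it with a setting in production.
        EventLogProvider.LogInformation(
            "CustomSecurity",
            "AUTHORIZE",
            string.Format("User '{0}' requested '{1}' on '{2}'; built-in result: {3}",
                e.User.UserName, e.PermissionName, e.ResourceName, e.Authorized));

        // Global administrators bypass the freeze; everyone else in the freeze role
        // is denied every permission that is not read-only.
        bool isGlobalAdmin = e.User.CheckPrivilegeLevel(UserPrivilegeLevelEnum.GlobalAdmin);

        if (!isGlobalAdmin
            && !IsReadOnlyPermission(e.PermissionName)
            && e.User.IsInRole(FreezeRoleName, SiteContext.CurrentSiteName))
        {
            // Only ever tighten the decision: the handler never grants access
            // that the built-in check denied, so a bug here fails closed.
            e.Authorized = false;
        }
    }

    private static bool IsReadOnlyPermission(string permissionName)
    {
        return string.Equals(permissionName, "Read", StringComparison.OrdinalIgnoreCase)
            || string.Equals(permissionName, "Browse", StringComparison.OrdinalIgnoreCase);
    }
}
```

Drop the class into the App_Code folder (or a compiled class library referenced by the web project), then open any module as a test user and read the AUTHORIZE entries in the Event log application to see the resource and permission names the system checked. The handler deliberately only sets e.Authorized to false; if you do need a handler that grants access the built-in check denied, keep that branch as narrow as possible and cover it with impersonation tests, because it bypasses everything configured in the Permissions application.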
 

Conclusion

Kentico provides a flexible solution from the security standpoint. There are several security levels that allow permissions to be applied more or less granularly, or overridden at lower levels.

Author: Bitsorchestra