CMS for administrators > Access rights

Access rights

This topic is intended for administrators and developers with administration access rights in Episerver.

You can control the content that a visitor sees and the content that users can edit on your website by setting access rightscontrols what a visitor can view and what an editor can do to content on a website; access rights include Read, Create, Change, Delete, Publish and Administer. on content such as pages, blocks, media, and folders. A user or group has access rights on a per-content basis. For example, you may give members of the Marketing department access to edit the main website marketing material that other company users should not edit. Or you may want to give a visitor group from a local 10-mile radius access to an advertizement page.

You can watch the following demonstration video, Managing access rights. Click the title of the video to open it in a new browser window. (6:39 minutes)

The following table shows the types of access you can grant or deny to users and groups.

Access right Description
Read The user or group can access the content as a reader; otherwise the content is invisible.
Create The user or group can create content under the content item on which this right is set.
Change The user or group can access the content to modify it. Typically, Create and Change are set together but there may be cases where you want someone to modify created content (but not create their own content), or vice versa.
Delete The user or group can delete the content.
Publish The user or group can publish the content.
Administer The user or group can set access rights and language properties on individual content items from edit view for content given this access.

Note: This does not provide access to admin view (for this you need to be a member of the WebAdmins group).

You can define specific access rights from the "Root" level and all the way down, including the Recycle bin (Trash) and For All Sites that stores blocks and media.

Blocks and media share the same folder structure. If you want to automatically publish media that are uploaded to the website, editors who upload must have Publish access rights in the folder (under For All Sites) to which the media are uploaded. Also, editors must have Create access rights in the root level of the website to create blocks.

You can set access rights to content for a single user. For example, you can make it so only Ann (and system administrators) can edit the Book a Demo page. You can add Ann to any number of pages and content, and set Ann's access rights to each content item the same (or differently) for each page.

If you have a number of users that should have common access to content, managing access rights on a user-by-user basis can become complex. You should create user groups that have similar access needs, add the users to each user group, and then use the user group to set access rights to content. This lets you manage access rights more easily. You can add a user to one or more groups.

For example, add Ann, Bob, and Cam to a Marketing user group and give access rights to any number of pages and content to the Marketing group instead of each individual. To add Dan to all of the Marketing content, (or remove Ann), you modify the Marketing user group. You do not have to visit each page or content item to update each individual user's access rights.

Built-in user groups

A standard installation of Episerver has built-in user groups that align with user roles. You can extend predefined groups and roles; see Managing users and user groups

When your website is set up during development, configure the membership and role providers available for your website to use the built-in groups and roles in Episerver.

Group Description
Administrators Comes from Windows and is defined when the website is created, an administrator can access all parts of the system, and can edit all website content. Often, administrators are developers setting up or maintaining the website.
WebAdmins Comes with Episerver and can access both admin and edit views and the administration interfaces for add-ons and visitor groups. To use it, you must add this group name through CMS > Admin view > Admin tab > Administer Groups > Add > WebAdmins.

Note: Membership in WebAdmins does not provide editing access in the content structure by default. In most cases, only a few system administrators or “super users” belong to this group.


Comes with Episerver and can access the editing view. To use it, you must add this group name through CMS > Admin view > Admin tab > Administer Groups > Add > WebEditors.

Add users to this group who need access to the edit view. Then add the users to other groups to give them specific edit rights to content. On large websites, editors are often organized in groups according to content structure or languages.

Everyone Comes from Windows and provides “anonymous” visitors with read access to website content. All unregistered visitors to a public website are anonymous, meaning that they cannot be identified by the system. Removing access rights for the Everyone group, requires login to access content even if it is published.

Setting access rights

  1. Go to CMS > Admin > Admin tab > Set Access Rights. The Set Access view appears with a content tree structure of the website.
  2. Click on a node in the content tree (for example, Marketing). Typically, a content item shows Administrators (with all access rights) and Everyone (with Read only access rights). You can change these rights or add new users or groups.
    • If the users or groups are inactive (grayed out) for a content item, then the content item inherits the access rights of its parent content item. To set access rights for this content item, clear the Inherit settings from parent item check box. You can modify the access right for existing users or groups or add new ones.
    • To add settings to all subitems without affecting their existing settings, select the Apply settings for all subitems; see example.
  3. Click Add Users/Groups. A dialog box appears.
  4. Select the type you want: Users, Groups, or Visitor Groups.
  5. Leave the Name field blank and click search to display all items of the type you selected. You can also type one or more characters in the Name field to filter and display a subset of items. (You also can select a user by E-mail address.) For example, add the Marketing Group group and user Ann to the Marketing content item's access rights.
  6. Double click a user or group in the Existing box to move it to the Add box and click OK.
  7. Modify the access rights settings as you want them and click OK. The users or groups appear in the Set Access Rights view for the select content tree item.

You manage access rights from the administration view in Episerver CMS, but you also can let editors manage access rights for a single page in edit view.

If you set conflicting access rights to content, selected access rights prevail over cleared access rights. For example, Ann is a member of both the Marketing and Support user groups which each have different access rights set on the same content. (Perhaps Marketing has Publish rights, but Support does not.) Ann, who is in both groups, has Publish rights to the content, but Bob, who is part of the Support group only, does not have Publish rights.

Setting inheritance for content subitems

Content inherits access rights from its closest parent item. When you set access rights for a content item, the rights apply to it and all subitems that have a selected Inherit settings from parent item option; subitems with this option cleared are not affected. For example, the following content items all have the same access rights because Alloy Meet, Alloy Plan, and Alloy Track inherit the access rights from the Alloy content item.

  Alloy Meet
  Alloy Plan
  Alloy Track
  • If you break inheritance for Alloy Meet and give access to user Ann, Bob, and Cam, the access rights become different from the parent (Alloy) and its two siblings (Alloy Plan and Alloy Meet).
  • If you then break inheritance for Alloy (parent) and add a Marketing group. Alloy Plan and Allow Track inherit the Marketing group (because inheritance is selected) but Alloy Meet does not because its inheritance is unchecked.

Subitems inherit from the closest parent only if the inheritance option is active (checked).

The following image shows the access rights for the Marketing content; no inheritance is set from the parent item or for subitems.

Product A is a subitem of Marketing. It has Inherit settings from parent item selected, so the access rights are identical to that of the Marketing content item.

Book a demo has Inherit settings from parent item cleared, so its access rights are not the same at the Marketing parent content item. (Ann does not show up, and Zach is listed in the access rights.)

Applying settings for all subitems

Apply settings for all subitems applies the access rights of the parent item to all its subitems, even if a subitem has inheritance cleared. The option adds settings to a subitem that it did not have before and does not or remove any settings that the subitem already had.

For example, the Marketing content item has Ann as a user with access rights.

When you Apply settings for all subitems, Ann is added as a user with access rights to Book a demo because Ann is part of the Marketing content item's access rights. However, Zach remained on the list of access rights, unchanged.

If a parent item has a user or group that is the same as a user or group in a non-inheriting subitem (but each item has different access rights for the user or group), when you select Apply Settings for all subitems, the parent settings are applied to the subitem. For example:

  • If the Marketing parent item has user Ann with only Read access set, while the Book a Demo subitem also has user Ann but with all access rights, then Apply Settings for all subitems resets the access rights for Ann on the Book a Demo subitem to only Read access.
  • Conversely, if Marketing has user Ann with all access rights, and the subitem has user Ann with only Read access, Apply Settings for all subitems gives user Ann all access rights on the subitem.

Removing a user or group from the access rights list

To remove a user or group from the access list, clear all of the access rights for that user or group and click Save.

Using a visitor group in an access rights list

Visitor groups are used by the personalization feature, and you need administration access rights to manage visitor groups. If you want an editor to manage visitor groupSite visitors with something in common, such as age, geographic location, and so on. Used in the personalization feature of Episerver CMS. (See Personalizing Content.)s without providing access to the entire admin view, you can make the editor a member of VisitorGroupAdmins. This group provides access only to the Visitor Groups option in the global menu. VisitorGroupAdmins comes with Episerver but you must add this group name through CMS > Admin view > Admin tab > Administer Groups > Add > VisitorGroupAdmins.

You can set specific access rights for visitor groups, letting them view specific “hidden” content that is not otherwise publicly available. For example, you may want only members of the Visitors from London visitor group to have access to a Family day at the zoo page with a discount coupon.

This feature is useful if you want to create a “customer area” for registered customers on your website. Being a member of a visitor group requires a registration and login to access the content.

  1. Go to CMS > Admin > Admin tab > Access Rights > Set Access Rights.
  2. Click Add Users/Groups. The Add Users/Groups dialog box appears.
  3. Select the Visitor groups type and select a visitor group. (Click Search while leaving the Name field blank to view available visitor groups.) 

Visitor groups can have read access only .

Access rights for add-ons

Add-ons are plug-ins for extending Episerver functionality. You need administration access rights to manage add-ons.

If you want an editor to manage add-ons without providing access to the admin view, make the editor a member of PackagingAdmins group which provides access only to the Add-ons option in the global menu.

PackagingAdmins comes with Episerver but you must add this group name through CMS > Admin view > Admin tab > Administer Groups > Add > PackagingAdmins.

Some add-ons also may have specific user groups defined to access the functionality. See the documentation for each add-on to find out more.

Access rights for languages

If your website has content in multiple languages, you can define access rights for languages so editors can create content only in languages to which they have access. Only users with access rights for a language have it available on the Sites tab, and can create and edit content in that language. See Configuring website languages.

Access rights for Commerce

If you have Episerver Commerce installed on your website, see the Commerce access rights section.

Access rights for Episerver Find

If you have added Episerver Find to your website, see the Find access rights section.

back to top

Episerver User Guide 16-8 | Released: 2016-11-14 | © Episerver 2016 | Send feedback to us