How to minimize the number of security roles in Sitecore

Often the sample workflow that ships with Sitecore is all you need, but clients frequently want much more flexibility, especially in multi-regional or multi-departmental organizations. In our case these were the workflow states and commands that were required:

Workflow States and Commands

This is quite self-explanatory. To function, the workflow above requires four roles: an Editor role, an Approver role, a Proofreader role and a Publisher role.

What complicated things was that the client wanted a separate set of roles for each of their regions. In other words, a naive implementation would have required quite a large number of roles:

total number of roles needed = 4 x num of site regions

A post by Rick Cabral inspired the following implementation, which ensures that each of our security roles addresses one and only one of the following concerns:

  • Rights to Items (which section of the content tree a role has access to)
  • Rights to Workflow States / Commands
  • Rights to Sitecore features

Using this approach we need only:

  • (num of regions) roles to handle content
  • 4 roles to handle workflow

So these are the roles we created to handle the workflow:

Security Roles to handle Workflows

Let's look in particular at the Content Editor role's settings in the Security Editor, to see how to set the access levels correctly:

Content Editor access levels

This grants the Content Editor role write access on the Draft workflow state only, plus the right to execute the Submit for Approval command. The role says nothing about content items: on its own it cannot edit anything anywhere in the tree.

Content-wise, here are the security settings for the Access to Region 1 security role:

Security settings for Access to Region 1 security role

Then, to create a user who is a content editor for region 1 only, all we have to do is make the user a member of both the Content Editor role and the Access to Region 1 role. Sitecore checks the two concerns separately: the user can edit an item only where Access to Region 1 grants item write and Content Editor grants write on the item's current workflow state, so neither role is useful on its own and a Region 1 editor can never touch Region 2 content:

User Settings for Content Editor for Region 1
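To check what the two kinds of role give a user once combined, here is an added example that is not code from the original post or from Sitecore itself: a small Python model of how Sitecore evaluates access. The access right names (item:read, item:write, workflowState:write, workflowCommand:execute), the rule that a deny from any role beats an allow from another, and the layout of workflow items under /sitecore/system/Workflows are Sitecore's. The workflow name "Regional Workflow", the region paths and the exact contents of each role are assumptions made for this example, and every rule is treated as applying to the item and all its descendants.

```python
# Added example (not from the original post or Sitecore): a model of how
# item rights and workflow-state/command rights combine across roles.
from dataclasses import dataclass, field
from typing import List, Tuple

ALLOW, DENY = "allow", "deny"
WORKFLOW = "/sitecore/system/Workflows/Regional Workflow"  # assumed workflow name


@dataclass
class Role:
    name: str
    # (access right, path of the item the rule is set on, allow/deny).
    # Every rule is modelled as "item and descendants".
    rules: List[Tuple[str, str, str]] = field(default_factory=list)


def _covers(rule_path: str, item_path: str) -> bool:
    """True if the rule sits on item_path itself or on one of its ancestors."""
    return item_path == rule_path or item_path.startswith(rule_path.rstrip("/") + "/")


def has_right(roles: List[Role], right: str, item_path: str) -> bool:
    """Evaluate one access right across all of a user's roles:
    a deny from any role wins, otherwise any allow grants, and no rule at all
    means no access (Sitecore's default for a right nobody has set)."""
    granted = False
    for role in roles:
        for r_right, r_path, r_perm in role.rules:
            if r_right == right and _covers(r_path, item_path):
                if r_perm == DENY:
                    return False
                granted = True
    return granted


def can_edit(roles: List[Role], item_path: str, state: str) -> bool:
    """Editing a workflow-controlled item needs item:write on the item AND
    workflowState:write on the workflow state the item is currently in."""
    return (has_right(roles, "item:write", item_path)
            and has_right(roles, "workflowState:write", f"{WORKFLOW}/{state}"))


def can_execute(roles: List[Role], item_path: str, state: str, command: str) -> bool:
    """In this model a command can be run only on an item the user can read,
    and only with workflowCommand:execute on the command item under its state."""
    return (has_right(roles, "item:read", item_path)
            and has_right(roles, "workflowCommand:execute",
                          f"{WORKFLOW}/{state}/{command}"))


# Workflow roles: rights on workflow state and command items only, never on content.
content_editor = Role("sitecore\\Content Editor", [
    ("workflowState:write", f"{WORKFLOW}/Draft", ALLOW),
    ("workflowCommand:execute", f"{WORKFLOW}/Draft/Submit for Approval", ALLOW),
])
approver = Role("sitecore\\Approver", [
    ("workflowState:write", f"{WORKFLOW}/Awaiting Approval", ALLOW),
    ("workflowCommand:execute", f"{WORKFLOW}/Awaiting Approval/Approve", ALLOW),
    ("workflowCommand:execute", f"{WORKFLOW}/Awaiting Approval/Reject", ALLOW),
])


def region_role(region: str) -> Role:
    """Content role: rights on one region's subtree only, nothing on the workflow."""
    root = f"/sitecore/content/{region}"  # assumed content layout
    return Role(f"sitecore\\Access to {region}", [
        ("item:read", root, ALLOW),
        ("item:write", root, ALLOW),
    ])


access_region1 = region_role("Region 1")
access_region2 = region_role("Region 2")


def role_count(num_regions: int, workflow_roles: int = 4) -> Tuple[int, int]:
    """(roles needed with per-region copies, roles needed with decoupled roles)."""
    return workflow_roles * num_regions, workflow_roles + num_regions


if __name__ == "__main__":
    editor_r1 = [content_editor, access_region1]          # the user from the post
    page_r1 = "/sitecore/content/Region 1/Home/News"      # constructed sample items
    page_r2 = "/sitecore/content/Region 2/Home/News"
    print(can_edit(editor_r1, page_r1, "Draft"))                       # True
    print(can_edit(editor_r1, page_r2, "Draft"))                       # False: other region
    print(can_edit(editor_r1, page_r1, "Awaiting Approval"))           # False: not an approver
    print(can_execute(editor_r1, page_r1, "Draft", "Submit for Approval"))  # True
    print(can_edit([content_editor], page_r1, "Draft"))                # False: no content role
    print(role_count(5))                                               # (20, 9)
```

The model is deliberately conservative: real Sitecore also distinguishes rules set on "item" from rules set on "descendants", grants the Everyone role some defaults, and lets administrators bypass all of it, so treat it as a way to reason about the role design, not as a substitute for checking the Access Viewer on the actual instance. The one behaviour worth keeping in mind when you add a third concern (feature roles) is the deny rule: a single deny on any role a user holds removes the right everywhere below that item, whatever the other roles allow.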