Kentico 101: Roles and Permissions

By Chris Hamm On April 09, 2020

Setting up user roles and permissions is one of those things that almost every site needs but almost no one likes doing.  It can be tricky and a little hard to test to make sure that everyone can see and do only what they are responsible for. I won’t claim to have all the answers but I tried to write the guide I wish I had when I was starting out with these.

So…What Are Roles and Permissions?

Since this is a 101 post let’s start at the beginning and make sure we’re all on the same page. For some reason the first time I worked with these things I had a hard time understanding the difference between roles and permissions. I mean, everyone always says them together so they’re basically the same thing, right? Well, no, not really.

The way I think of it is this: roles are something a person has and permissions are what that person is allowed to do. Simple, right? I’m a dad of 3 little girls so the family scenario is an easy example for me.  In our house we have 5 people; my girls plus my wife and me. My wife and I have the role of parent and the kids have the role of… well… kid. All by itself, it doesn’t really mean much, it’s really just a label, but it is what you can attach to that label that is interesting.

As a parent, I have certain permissions my kids do not. I can stay up as late as I want (which would be about 9:30 if I could), I can choose to do or not do my chores around the house, I can say things to my wife that they would never be able to say to their mom. Kids have permissions like being able to have their own room (I have to share with my wife), act immature, and have a lot more free time. Some permissions we share. We take turns doing dishes, emptying litter boxes, scaring away the neighbor cat that always freaks out our cats, etc. 

A website is really not any different. A Content Writer might be able to create pages but not publish them to production. A Content Editor can also create pages but is allowed to publish them. Global Admins can do anything there is to do.

Okay, so Now What?

The definitions are pretty simple once you break them down but we came here to learn how to set them up, right? Not so fast. The first thing you need to do in setting up roles and permissions is to talk to your team and decide what the rules need to be. Going in with a game plan already written will make your life much easier.
Just like creating a chore chart for our family, I like to start with a list of everything that needs to be done on the site. It might look something like this:
  • Create blog posts
  • Create press releases
  • Publish content
  • Delete content
  • Send content for translation
  • Edit user permissions
  • ...
Now let’s figure out what roles we need to have. This one can be a little trickier depending on how many things you have that need to be controlled. Sometimes as you go along you’ll find that you need to add a role you didn’t anticipate to cover, say, a situation where an outside contractor is coming in to write content for a specific part of your site. That’s fine, just don’t overthink it. I’ve seen clients go overboard with roles and it can quickly get very confusing to know who can do what and which person should have which role. Generally 4-5 roles will cover even large sites, probably fewer.

For our example here let’s just concentrate on 3 roles:
  • Content Contributor
  • Content Editor
  • Content Admin
Great, now we divvy up those tasks that need permissions set on them.  Remember, permissions can be shared.

Content Contributor
  • Can create content
Content Editor
  • Can create content
  • Can delete content
  • Can publish content
Content Admin
  • Can create content
  • Can delete content
  • Can publish content
  • Can edit role permissions
  • Can assign user roles
It is pretty typical to see a tiered ranking of roles like the above with each successive role gaining more and more permissions.

Awesome, now we can jump into Kentico with a plan that serves as a checklist of exactly what each role should be able to see/do with the system.

Enough Chat, Let’s Build

First things first, let’s set up our roles. Head over to the (this will be a shock) Roles Application.

screen capture of roles application

This screen is very straightforward. It’s going to look pretty empty for now but hit the “New Role” button and let’s go. Now you’re presented with a very easy form to fill out.  The only field that absolutely needs to be completed is the Role Display Name field. I would recommend that you write a short description especially if you’re going to have a lot of roles on your site.

screen capture of "new role"

When you hit save you’ll be brought to the full management screen for your newly created role.  There are a lot of things here that you can control and customize but let’s focus on just our main two for now; Users and Permissions.

We’ll skip straight to the Permissions tab and start locking down what this role will be allowed to do. Actually, a better description would be that we need to open up the options of what this role can do. If you were to stop here and assign this role to someone you’d see there is very little they can access.

screen capture of "Permissions tab"

Just like a kid without a chore, our Content Contributor doesn’t have a job or, rather, the permission to do their job (don’t pick at my metaphor too hard). Over in the Permissions tab, we’ll go to the Content module and turn on the things we want them to be able to do.

screen capture of "Content Contributor"

Kentico will take care of enabling all the menu items for that role so if we look again we can see that the Content Contributor has access to a lot more now.

Screen Capture of "Pages Application"

The Pages application is the place where this person will likely spend the majority of their time so let’s head over there and see how it is different from what you may be used to as an Admin. For the most part, things will look pretty much the same. 

Everyone in the family has the choice to do or not do their chores but, if you don’t, there are consequences, people's feelings get hurt, and things start to get sticky… like, literally sticky. Lucky for us, Kentico is able to catch actions that aren’t allowed by a certain role before any of that. Let’s say our Content Contributor tries to delete a page.

Access Denied example

That’s it, mister, go to your room...

At this point, you are pretty much done with the Content Contributor role.  All there is left to do is to assign the role to someone. You can either do this from the Roles Application or the Users application.

Screen capture of "Roles Application"

Screen capture of "Users application"

Voila! You now have a Content Contributor that you don’t have to worry about accidentally touching something they shouldn’t.

A few more notes

Privilege Level

One thing that got me early on was not realizing that, in addition to roles and permissions, Users have a Privilege Level. The Privilege Level works in a similar way to a predefined set of permissions but the important thing to note here is that Privilege Level supersedes any role the User might have.

That means if I assign the Content Contributor role to someone with a Privilege Level of Global Administrator then that limited role means nothing and that person still has full power. Generally, you will want to keep users with these kinds of roles at a Privilege Level of Editor.
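
The plan from earlier and the Privilege Level rule, modelled as an added example (not part of the original post and not Kentico API code). The permission names are the plan's own labels, the configured matrix and user records are constructed sample data, and only Global Administrator is treated as superseding roles because that is the case described above.

```python
# Added example: the article's plan as data. Permission names are the plan's
# own labels, not Kentico permission code names; all records are constructed.
PLAN = {
    "Content Contributor": {"create content"},
    "Content Editor": {"create content", "delete content", "publish content"},
    "Content Admin": {"create content", "delete content", "publish content",
                      "edit role permissions", "assign user roles"},
}
# Constructed: what was actually ticked on each role's Permissions tab.
CONFIGURED = {
    "Content Contributor": {"create content", "delete content"},  # one too many
    "Content Editor": {"create content", "delete content"},       # publish missing
    "Content Admin": set(PLAN["Content Admin"]),
}
USERS = [  # constructed user records
    {"name": "avery", "level": "Editor", "roles": ["Content Contributor"]},
    {"name": "blake", "level": "Global Administrator", "roles": ["Content Contributor"]},
    {"name": "casey", "level": "Editor", "roles": ["Content Contributor", "Content Editor"]},
]
SUPERSEDING_LEVELS = {"Global Administrator"}  # the case the article describes
ALL_PERMISSIONS = set().union(*PLAN.values())

def role_drift(plan, configured):
    """Return {role: (extra, missing)} for every role that differs from the plan."""
    drift = {}
    for role, wanted in plan.items():
        actual = configured.get(role, set())
        if actual != wanted:
            drift[role] = (sorted(actual - wanted), sorted(wanted - actual))
    return drift

def effective_permissions(user, matrix):
    """Union of the user's role permissions, unless the privilege level supersedes them."""
    if user["level"] in SUPERSEDING_LEVELS:
        return set(ALL_PERMISSIONS)
    return set().union(*(matrix.get(role, set()) for role in user["roles"]))

def superseded_users(users, plan):
    """Names of users whose privilege level grants more than their planned roles."""
    return [u["name"] for u in users
            if u["level"] in SUPERSEDING_LEVELS
            and effective_permissions({**u, "level": "Editor"}, plan) != ALL_PERMISSIONS]

if __name__ == "__main__":
    print("Role drift:", role_drift(PLAN, CONFIGURED))
    print("Role means nothing for:", superseded_users(USERS, PLAN))
    for user in USERS:
        print(user["name"], sorted(effective_permissions(user, CONFIGURED)))
```

Running the same comparison against your own written plan gives you a concrete list to verify with the impersonation check described below.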

Impersonation Feature

The last little pro-tip I didn’t mention was the impersonation feature. It can be difficult to test what role has access to what things inside Kentico but, lucky for us, they already thought of that. At the top right of your screen, there is a user icon. If you click on that icon you can select “Impersonate” and then select any user you want (provided they do not have Administrator or Global Administrator privileges). The UI will reload and you will only be able to see and do what that User can do. It’s great for quick checks when you don’t want to or cannot fully log in as another user. When you have seen what you needed to see, just click on that user icon again and select “Cancel Impersonation”.

screen capture of "Impersonation Feature"

Wrapping Up

From this point, you would just repeat the process for as many roles as you need. There are many more features we didn’t cover in this article that let you get even more specific.  Want a role to only be able to access blogs but no other content on the site? Sure, we can do that! Want to customize their UI or create a custom dashboard for them? No problem! It is a great feature that can be as simple or as complex as you need it to be.  
Interested in learning more about Roles and Permissions? Want to read other Kentico 101 articles to help get you up to snuff? Head over to the BizStream blog and check out what other content we have to offer.

Happy contenting!

About the author

Chris got his degree in music education in 2006. Over the years he has directed musicals, taught voice lessons, and managed $10 million in sales for an artisan bread company. After becoming disenchanted with jobs that were personally unfulfilling and taking him away from his family, he decided to turn his programming hobby into a career. Becoming a developer means the opportunity to integrate his creative roots with his technological passions. He thinks BizStream is the perfect place to do that.
