Adding & Removing Users on Sitefinity | OpsBlu Docs

Adding & Removing Users on Sitefinity — setup, configuration, and best practices for Sitefinity.

Sitefinity manages users through its built-in ASP.NET membership system, accessible via the backend Administration panel. Users can be sourced from Sitefinity's internal database, Active Directory, LDAP, or external identity providers via OpenID Connect and WS-Federation.

How Sitefinity User Management Works

Sitefinity organizes identity into three layers:

  • Users -- Individual accounts that log in to the backend or frontend
  • Roles -- Named permission sets (e.g., Administrators, BackendUsers, Editors)
  • Membership Providers -- Sources of user data (Default, Active Directory, LDAP)

Backend users (content authors, admins) belong to the BackendUsers role by default. Frontend users (site members, subscribers) exist in the default membership provider without backend roles.

Adding Users via Backend

  1. Log in to Sitefinity backend at https://your-site.com/Sitefinity
  2. Navigate to Administration > Users
  3. Click Create a user
  4. Fill in the required fields:
    • First Name and Last Name
    • Email (also used as login by default)
    • Username (auto-populated from email, can customize)
    • Password (must meet password policy: minimum 7 characters, 1 non-alphanumeric)
  5. Under Roles, check the roles to assign:
    • Administrators -- Full system access
    • BackendUsers -- Access to the Sitefinity backend
    • Editors -- Content editing permissions
    • Authors -- Content creation without publishing
    • Designers -- Template and widget management
  6. Click Create this user

Assigning Users to Specific Sites (Multisite)

In Sitefinity Multisite environments:

  1. After creating the user, click their name to edit
  2. Scroll to Site access
  3. Check the sites this user should have access to
  4. Each site can have different role assignments
  5. Click Save changes

Adding Users via Sitefinity Web Services API

Sitefinity provides OData-based REST APIs for user management:

# Create a new user via Sitefinity Web Services
curl -X POST "https://your-site.com/api/default/users" \
  -H "Authorization: Bearer $SF_ACCESS_TOKEN" \
  -H "Content-Type: application/json" \
  -d '{
    "FirstName": "Jane",
    "LastName": "Developer",
    "Email": "jane@company.com",
    "UserName": "jane@company.com",
    "Password": "SecurePass123!",
    "IsBackendUser": true
  }'

Assign a role to a user:

# Get the role ID first (-G with --data-urlencode encodes the spaces and quotes in the filter)
curl -G "https://your-site.com/api/default/roles" \
  --data-urlencode "\$filter=Name eq 'Editors'" \
  -H "Authorization: Bearer $SF_ACCESS_TOKEN"

# Assign the role
curl -X POST "https://your-site.com/api/default/users({userId})/roles/\$ref" \
  -H "Authorization: Bearer $SF_ACCESS_TOKEN" \
  -H "Content-Type: application/json" \
  -d '{
    "@odata.id": "https://your-site.com/api/default/roles({roleId})"
  }'

Creating Users via .NET API (Server-Side)

using System.Web.Security;              // MembershipCreateStatus
using Telerik.Sitefinity.Security;
using Telerik.Sitefinity.Security.Model;

// Create a new backend user programmatically
UserManager userManager = UserManager.GetManager();
RoleManager roleManager = RoleManager.GetManager();
UserProfileManager profileManager = UserProfileManager.GetManager();

// Create the user
MembershipCreateStatus status;
User newUser = userManager.CreateUser(
    "jane@company.com",    // username
    "SecurePass123!",      // password (placeholder; do not hard-code real credentials)
    "jane@company.com",    // email
    "Security question",   // password question
    "Answer",             // password answer
    true,                 // isApproved
    null,                 // providerUserKey
    out status            // creation status
);

if (status == MembershipCreateStatus.Success)
{
    // Set profile data
    SitefinityProfile profile = profileManager
        .CreateProfile(newUser, typeof(SitefinityProfile).FullName) as SitefinityProfile;
    if (profile != null)
    {
        profile.FirstName = "Jane";
        profile.LastName = "Developer";
    }

    // Assign to BackendUsers and Editors roles
    roleManager.AddUserToRole(newUser, "BackendUsers");
    roleManager.AddUserToRole(newUser, "Editors");

    // Save through the same manager instances that made the changes
    userManager.SaveChanges();
    roleManager.SaveChanges();
    profileManager.SaveChanges();
}

Bulk User Management

CSV Import via Admin Panel

Sitefinity does not have a built-in CSV import in the UI. Use the .NET API for bulk operations:

// Bulk user import from a list
using System.Web.Security;              // MembershipCreateStatus, Membership.GeneratePassword
using Telerik.Sitefinity.Security;
using Telerik.Sitefinity.Security.Model;

var usersToCreate = new[]
{
    new { Email = "editor1@company.com", First = "Editor", Last = "One", Role = "Editors" },
    new { Email = "editor2@company.com", First = "Editor", Last = "Two", Role = "Editors" },
    new { Email = "author1@company.com", First = "Author", Last = "One", Role = "Authors" },
};

UserManager userManager = UserManager.GetManager();
RoleManager roleManager = RoleManager.GetManager();
UserProfileManager profileManager = UserProfileManager.GetManager();

foreach (var userData in usersToCreate)
{
    // Unique random initial password per account rather than one shared temporary value;
    // hand it over out of band or have the user reset it before first use.
    string initialPassword = Membership.GeneratePassword(16, 2);

    MembershipCreateStatus status;
    User user = userManager.CreateUser(
        userData.Email, initialPassword, userData.Email,
        null, null, true, null, out status
    );

    if (status == MembershipCreateStatus.Success)
    {
        var profile = profileManager
            .CreateProfile(user, typeof(SitefinityProfile).FullName) as SitefinityProfile;
        if (profile != null)
        {
            profile.FirstName = userData.First;
            profile.LastName = userData.Last;
        }

        roleManager.AddUserToRole(user, "BackendUsers");
        roleManager.AddUserToRole(user, userData.Role);
    }
}

// Save through the same manager instances that made the changes
userManager.SaveChanges();
roleManager.SaveChanges();
profileManager.SaveChanges();

Bulk Role Assignment

// Add all users with 'Authors' role to also have 'Editors' role
RoleManager roleManager = RoleManager.GetManager();
var authorsRole = roleManager.GetRole("Authors");
var usersInRole = roleManager.GetUsersInRole(authorsRole.Id);

foreach (var user in usersInRole)
{
    if (!roleManager.IsUserInRole(user.Id, "Editors"))
    {
        roleManager.AddUserToRole(user, "Editors");
    }
}
roleManager.SaveChanges();

Removing and Deactivating Users

Sitefinity supports user deactivation without deletion:

  1. Navigate to Administration > Users
  2. Find the user and click their name
  3. Uncheck Is approved (or click Deactivate if available in your version)
  4. Click Save changes

Via API:

UserManager userManager = UserManager.GetManager();
User user = userManager.GetUser("jane@company.com");
if (user != null)   // GetUser returns null when no such account exists
{
    user.IsApproved = false;
    userManager.SaveChanges();
}

Deactivated users cannot log in to the backend or frontend. All their content remains intact.

Permanent Deletion

Via Backend:

  1. Navigate to Administration > Users
  2. Select the user(s) by checking the checkbox
  3. Click Delete in the action bar
  4. Confirm the deletion

Via API:

UserManager userManager = UserManager.GetManager();
User user = userManager.GetUser("jane@company.com");
if (user != null)
{
    userManager.Delete(user);
    userManager.SaveChanges();
}

What happens to their content:

  • Content items (pages, news, blog posts, events) retain CreatedBy and LastModifiedBy as GUIDs. The display name may show as "Unknown" or the GUID after deletion.
  • Media library items uploaded by the user remain in the library
  • Workflow tasks assigned to the deleted user become orphaned -- reassign before deleting
  • Comments authored by the deleted user remain but display as anonymous
  • Form responses submitted by the deleted user are preserved
  • Version history entries retain the user GUID reference

Reassign Content Before Deletion

using System.Linq;
using Telerik.Sitefinity.Modules.Pages;
using Telerik.Sitefinity.Security;

PageManager pageManager = PageManager.GetManager();
UserManager userManager = UserManager.GetManager();
var oldUserId = userManager.GetUser("departing@company.com").Id;
var newUserId = userManager.GetUser("replacement@company.com").Id;

// Find all pages owned by the departing user; materialize the query before modifying the items
var pages = pageManager.GetPageDataList()
    .Where(p => p.Owner == oldUserId)
    .ToList();

foreach (var page in pages)
{
    page.Owner = newUserId;
}
pageManager.SaveChanges();

SSO and Enterprise Authentication

Active Directory Integration

  1. Navigate to Administration > Backend Users > Membership Providers
  2. Click Add Provider
  3. Select Active Directory as the provider type
  4. Configure the connection:
    • Connection String Name: ADConnection
    • Domain: company.com
    • Container: ou=Users,dc=company,dc=com
  5. Map AD attributes to Sitefinity fields
  6. Click Save
  7. In web.config, add the AD connection string:
<connectionStrings>
  <add name="ADConnection"
       connectionString="LDAP://ldap.company.com/ou=Users,dc=company,dc=com" />
</connectionStrings>

OpenID Connect (Azure AD, Okta)

Sitefinity supports OpenID Connect for SSO:

  1. Navigate to Administration > Settings > Advanced > Authentication > OpenID Connect
  2. Configure:
    • Client ID: from your IdP application registration
    • Client Secret: from your IdP
    • Authority: https://login.microsoftonline.com/{tenant-id}/v2.0 (Azure AD)
    • Redirect URI: https://your-site.com/Sitefinity/Authenticate/OpenID/signin-oidc
  3. Enable Auto-create users for first-time SSO logins
  4. Map IdP claims to Sitefinity roles:
<!-- web.config claim-to-role mapping -->
<sitefinityConfig>
  <securityConfig>
    <claimsToRoles>
      <add claim="groups" value="cms-editors" role="Editors" />
      <add claim="groups" value="cms-admins" role="Administrators" />
    </claimsToRoles>
  </securityConfig>
</sitefinityConfig>
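
With Auto-create users enabled, membership of a mapped IdP group is what decides who ends up in a Sitefinity role, so the mapping is worth evaluating against the actual group memberships. The following is an added example, not part of the original page or Sitefinity's own code: it parses the mapping shown above and reports which roles each user would receive. The group memberships are constructed, and exact string matching of claim values is an assumption.

```python
import xml.etree.ElementTree as ET

# The claim-to-role mapping from the page, embedded so the example runs offline.
CONFIG = """
<sitefinityConfig>
  <securityConfig>
    <claimsToRoles>
      <add claim="groups" value="cms-editors" role="Editors" />
      <add claim="groups" value="cms-admins" role="Administrators" />
    </claimsToRoles>
  </securityConfig>
</sitefinityConfig>
"""

# Constructed IdP group memberships (hypothetical users), as a "groups" claim would carry them.
IDP_GROUPS = {
    "jane@company.com": ["cms-editors"],
    "sam@company.com": ["cms-editors", "cms-admins"],
    "departed@company.com": [],           # removed from every CMS group at offboarding
    "intern@company.com": ["all-staff"],  # member of no mapped group
}

PRIVILEGED_ROLES = {"Administrators"}


def load_mappings(xml_text):
    """Return (claim, value, role) tuples from the <claimsToRoles> section."""
    section = ET.fromstring(xml_text.strip()).find(".//claimsToRoles")
    return [(e.get("claim"), e.get("value"), e.get("role")) for e in section.findall("add")]


def roles_for(claims, mappings):
    """Roles granted by an exact match on a claim value (assumed matching semantics)."""
    roles = set()
    for claim, value, role in mappings:
        held = claims.get(claim, [])
        held = [held] if isinstance(held, str) else held  # single-valued claims arrive as a string
        if value in held:
            roles.add(role)
    return roles


def sso_access_report(idp_groups, mappings):
    """Map each user to the roles SSO would grant and list who reaches a privileged role."""
    access = {user: roles_for({"groups": groups}, mappings) for user, groups in idp_groups.items()}
    privileged = sorted(user for user, roles in access.items() if roles & PRIVILEGED_ROLES)
    return access, privileged
```
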

Access Audit Checklist

  • Review Administration > Users quarterly, sorting by last login date
  • Audit role memberships: check each role under Administration > Roles for unexpected users
  • Verify AD/LDAP sync is working by checking for recently joined employees in the user list
  • Review Administration > Users > Locked out users for potential security issues
  • Check that deactivated users have IsApproved = false and no active sessions
  • For multisite environments, audit site-level access for each user
  • Review OpenID Connect claim mappings to ensure departed employees lose access when removed from IdP groups
  • Document all user provisioning and role changes in your ITSM system
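
Several of the checklist items can be checked mechanically against an export of the user list. The following is an added example, not part of the original page or Sitefinity's own tooling: the export format and its field names (modeled on the IsApproved property used above), the administrator allow-list, and the leaver list are all constructed assumptions.

```python
from datetime import datetime, timedelta, timezone

# Constructed export of Sitefinity users; field names are assumptions for this example.
USERS = [
    {"UserName": "admin@company.com", "IsApproved": True, "IsLockedOut": False,
     "LastLoginDate": "2025-05-30T08:15:00+00:00", "Roles": ["BackendUsers", "Administrators"]},
    {"UserName": "jane@company.com", "IsApproved": True, "IsLockedOut": False,
     "LastLoginDate": "2025-05-20T09:00:00+00:00", "Roles": ["BackendUsers", "Editors"]},
    {"UserName": "old.author@company.com", "IsApproved": True, "IsLockedOut": False,
     "LastLoginDate": "2024-11-02T14:30:00+00:00", "Roles": ["BackendUsers", "Authors"]},
    {"UserName": "contractor@company.com", "IsApproved": True, "IsLockedOut": False,
     "LastLoginDate": "2025-05-28T11:00:00+00:00", "Roles": ["BackendUsers", "Administrators"]},
    {"UserName": "departing@company.com", "IsApproved": True, "IsLockedOut": False,
     "LastLoginDate": "2025-03-10T10:00:00+00:00", "Roles": ["BackendUsers", "Editors"]},
    {"UserName": "locked@company.com", "IsApproved": True, "IsLockedOut": True,
     "LastLoginDate": "2025-05-31T23:50:00+00:00", "Roles": ["BackendUsers", "Authors"]},
    {"UserName": "never@company.com", "IsApproved": True, "IsLockedOut": False,
     "LastLoginDate": None, "Roles": ["BackendUsers"]},
]
EXPECTED_ADMINS = {"admin@company.com"}   # constructed allow-list of intended administrators
LEAVERS = {"departing@company.com"}       # constructed HR leaver list


def audit_users(users, now, stale_days=90, expected_admins=EXPECTED_ADMINS, leavers=LEAVERS):
    """Return sorted (username, finding) pairs for the checklist items above."""
    cutoff = now - timedelta(days=stale_days)
    findings = []
    for u in users:
        name, roles = u["UserName"], set(u.get("Roles", []))
        last = datetime.fromisoformat(u["LastLoginDate"]) if u.get("LastLoginDate") else None
        # Approved account with no login inside the review window (or no login at all)
        if u["IsApproved"] and (last is None or last < cutoff):
            findings.append((name, "stale-login"))
        # Administrators member that is not on the allow-list
        if "Administrators" in roles and name not in expected_admins:
            findings.append((name, "unexpected-admin"))
        if u["IsLockedOut"]:
            findings.append((name, "locked-out"))
        # Departed employee whose account can still authenticate
        if name in leavers and u["IsApproved"]:
            findings.append((name, "leaver-still-approved"))
    return sorted(findings)


if __name__ == "__main__":
    for name, finding in audit_users(USERS, datetime(2025, 6, 1, tzinfo=timezone.utc)):
        print(f"{finding:24} {name}")
```
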