Sitecore uses a domain-based security model where users and roles belong to security domains, and permissions are assigned at the item level throughout the content tree. The permission system is exceptionally granular -- you can set read, write, create, delete, rename, and administer rights on individual content items, with inheritance flowing down the content tree. Combined with Sitecore's built-in analytics platform (xDB/Experience Analytics), the access control system covers both content management and analytics data.
Permission model
Sitecore's security operates across four layers:
- Security Domains -- logical namespaces for users and roles (e.g.,
sitecore\admin,extranet\customer). Thesitecoredomain is for CMS users;extranetis for website visitors. Custom domains can be created. - Roles -- named permission groups within a domain. Roles can contain other roles (role inheritance). A user's effective permissions are the union of all roles they hold.
- Item-level security -- every item in the content tree has an access control list. Rights include:
field:read,field:write,item:read,item:write,item:create,item:delete,item:rename,item:admin,language:read,language:write,workflowState:write,workflowCommand:execute. - Access Right states -- each right can be explicitly Allow, explicitly Deny, or Not Set (inherit from parent). Deny overrides Allow when both are present.
Built-in roles
| Role | Domain | Access |
|---|---|---|
| sitecore\Admin | sitecore | Superuser, bypasses all security checks |
| sitecore\Sitecore Client Users | sitecore | Base role for Content Editor and Experience Editor access |
| sitecore\Sitecore Client Authoring | sitecore | Content authoring in Experience Editor |
| sitecore\Sitecore Client Publishing | sitecore | Publish content items |
| sitecore\Sitecore Client Developing | sitecore | Template and layout development |
| sitecore\Sitecore Client Maintaining | sitecore | System maintenance, recycle bin, cache |
| sitecore\Sitecore Client Account Managing | sitecore | Manage users and roles in User Manager |
| sitecore\Sitecore Client Configuring | sitecore | Edit system configuration items |
| sitecore\Analytics Maintaining | sitecore | Manage xDB contacts, segments, and analytics settings |
| sitecore\Analytics Reporting | sitecore | View Experience Analytics reports and dashboards |
| sitecore\Analytics Testing | sitecore | Create and manage content tests (A/B, multivariate) |
| sitecore\EXM Advanced Users | sitecore | Email Experience Manager campaign management |
Custom roles are created in the Role Manager and assigned item-level security via the Access Viewer or Security Editor.
Admin UI paths
| Task | Location |
|---|---|
| User Manager | Sitecore Desktop > Security Tools > User Manager (or /sitecore/admin/users) |
| Role Manager | Security Tools > Role Manager |
| Security Editor | Security Tools > Security Editor (bulk permission editing) |
| Access Viewer | Security Tools > Access Viewer (see effective permissions per item) |
| Domain Manager | Security Tools > Domain Manager |
| Item security | Content Editor > [Item] > Security tab (ribbon) |
| Experience Analytics | Sitecore Launchpad > Experience Analytics |
| xDB settings | Control Panel > Indexing and Analytics |
API access management
Sitecore REST APIs:
- Item Service API at
/sitecore/api/ssc/-- CRUD operations on content items, respects item-level security - Authentication via SSC API key (created in
/sitecore/system/Settings/Services/API Keys) or cookie-based session - Each API key item has
AllowedControllers,CORS Origins, andImpersonation Userfields
Sitecore Identity Server:
- Central SSO service for all Sitecore applications
- OAuth2/OpenID Connect based
- Manages authentication for Content Management, xConnect, and custom applications
- Client credentials configured in Identity Server's
Sitecore.IdentityServer.Host.xml
xConnect API:
- Service layer for xDB analytics data
- Client certificate authentication between Sitecore CM/CD and xConnect
- Operations: read/write contacts, interactions, facets
- Access scoped by certificate -- no per-user permissions within xConnect itself
GraphQL API (Sitecore XM Cloud / Headless):
- Edge API for headless content delivery
- API key authentication
- Respects published content security settings
Analytics-specific permissions
Sitecore has deeply integrated analytics with dedicated permission controls:
- Experience Analytics dashboards -- the Launchpad > Experience Analytics app shows traffic, engagement, and conversion data. Access requires the
sitecore\Analytics Reportingrole. - Experience Profile -- individual visitor profiles showing journey data. Requires
sitecore\Analytics Reportingand item-level read access to/sitecore/system/Marketing Control Panel. - Content Testing -- A/B and multivariate testing at the component level. Creating tests requires
sitecore\Analytics Testing. Viewing test results requiresAnalytics Reporting. - Path Analyzer -- visual path analysis tool. Requires
Analytics Reportingrole. - Marketing Automation -- campaign plans and automation. Requires
sitecore\Analytics Maintainingplus appropriate item security on/sitecore/system/Marketing Control Panel/Automation Plans. - xDB data access -- contact data and interaction history are stored in xDB (MongoDB or SQL). xConnect client certificates control service-level access. Application code uses
XConnectClientto query -- no per-CMS-user scoping at the xConnect layer. - Custom analytics dashboards -- build SPEAK or headless dashboards that query xConnect or aggregated data. Permission to view is controlled by item security on the dashboard items in the content tree.
To create an analytics-only user:
- Create a user in
sitecoredomain via User Manager - Assign roles:
Sitecore Client Users(base CMS access) +Analytics Reporting(dashboards and reports) - Set item-level Deny on
/sitecore/contentwrite access to prevent content editing - Optionally add
Analytics Testingfor A/B test management