Kentico Xperience (the combined CMS and digital experience platform, successor to Kentico CMS) uses a layered permission system with global roles, module-level permissions, and per-page content ACLs. The platform distinguishes between CMS users (administrators, editors) and site members (registered visitors).
Permission model overview
Kentico Xperience structures access through:
- Users -- Accounts that can log into the administration interface and/or the live site
- Roles -- Named permission sets assigned to users. Roles are site-scoped (assigned per-site in multi-site installations).
- Module permissions -- Each Kentico module (Pages, Media, Forms, Email Marketing, etc.) defines its own set of permissions that can be granted per-role
- Content tree ACLs -- Per-page permissions that control who can read, modify, create, and destroy content at specific tree locations
- UI personalization -- Roles can be configured to show/hide specific admin UI elements independent of functional permissions
Key built-in roles
- CMS Global Administrator -- A special flag on user accounts (not a role) that grants unrestricted access to all functionality across all sites. Bypasses all permission checks. The default administrator user has this flag.
- CMS Basic User -- Default role for standard CMS users. Provides basic administration interface access but no specific module permissions.
- CMS Editor -- Preconfigured role with permissions for content editing, page management, and media library access. Cannot access system configuration.
- CMS Designer -- Access to design-related features: page templates, web parts, CSS stylesheets, and layout configuration.
- CMS Developer -- Access to development tools: custom tables, form controls, scheduled tasks, event log, and system administration.
Additional roles are created as needed for specific team functions.
Module permissions
Each Kentico module defines granular permissions. Navigate to Users > Roles > [Role Name] > Permissions to configure. Key modules and their permissions include:
Content (Pages module):
- Read, Modify, Create, Delete, Destroy (permanently delete), Explore tree, Manage workflow
Media Library:
- Read, Create folders, Modify files, Delete files, Manage library
Forms:
- Read data, Create forms, Edit forms, Delete forms
Email Marketing:
- Read, Create campaigns, Manage subscribers, Send emails, Configure settings
Contact Management:
- Read contacts, Modify contacts, Create activities, Manage automation
Staging:
- Manage content staging, Manage object staging, Synchronize content, Synchronize objects
Administration:
- Configure UI personalization, Manage scheduled tasks, Access system settings
Content tree ACLs
Beyond module permissions, individual pages in the content tree have their own access control lists:
- Navigate to Pages and select a page
- Open the Properties > Security tab
- Add roles or users and set their permissions: Read, Modify, Create, Delete, Destroy, Manage permissions
- Choose whether to inherit from the parent page or break inheritance
ACL settings on a page apply to that page and all children (unless inheritance is broken). This allows different team roles to manage different content sections.
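The inheritance rule above, worked through as an added example (a simplified model, not Kentico's code or API). The Page layout, paths and the "News Team" and "Legal Team" roles are constructed for illustration. It assumes a page that breaks inheritance keeps only the entries set on it directly.

```python
# Added example: simplified model of the inheritance rule described above.
# The Page layout, role names and paths are constructed for illustration and
# are not Kentico's schema or API.
from dataclasses import dataclass, field

@dataclass
class Page:
    acl: dict = field(default_factory=dict)  # role -> set of granted permissions
    inherits: bool = True                    # False = inheritance broken here

TREE = {
    "/": Page({"CMS Editor": {"Read", "Modify"}}),
    "/News": Page({"News Team": {"Create", "Delete"}}),
    "/News/2024": Page(),
    "/Legal": Page({"Legal Team": {"Read", "Modify"}}, inherits=False),
    "/Legal/Contracts": Page(),
}

def ancestors(path):
    """Yield the page itself, then each parent up to the root."""
    while True:
        yield path
        if path == "/":
            return
        path = path.rsplit("/", 1)[0] or "/"

def effective_acl(tree, path):
    """Merge ACL entries from the page upward, stopping where inheritance is broken."""
    merged = {}
    for p in ancestors(path):
        page = tree[p]
        for role, perms in page.acl.items():
            merged.setdefault(role, set()).update(perms)
        if not page.inherits:
            break
    return merged

def allowed(tree, path, roles, permission, global_admin=False):
    """Global Administrator bypasses the ACL; otherwise any held role may grant it."""
    if global_admin:
        return True
    acl = effective_acl(tree, path)
    return any(permission in acl.get(role, set()) for role in roles)
```

In this model the site-wide CMS Editor grant stops at /Legal, so reviewing where inheritance is broken shows which sections have their own access rules.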
Admin UI paths
- Users -- Users application (/CMSModules/AdminControls/Pages/Users/User_List.aspx or via the application list)
- Roles -- Users > Roles for role management and permission assignment
- Module permissions -- Users > Roles > [Role] > Permissions tab for per-module permission configuration
- Content ACLs -- Pages > [Page] > Properties > Security for per-page access control
- UI Personalization -- Users > Roles > [Role] > UI personalization to show/hide admin interface elements
- Authentication settings -- Settings > Security & Membership > Authentication
Managing users
Adding a user:
- Open the Users application
- Click New user
- Enter username, email, first/last name, and set a password
- Under the Roles tab, assign the user to one or more roles
- Under the Sites tab, assign the user to one or more sites (in multi-site setups)
- Set the Privilege level (None, Editor, Admin, Global Admin)
- Save
Privilege levels are separate from roles:
- None -- Cannot access the administration interface
- Editor -- Can access the administration interface but only features granted by their roles
- Admin -- Can access administration with broader defaults
- Global Administrator -- Full unrestricted access (equivalent to superuser)
Removing/disabling a user:
- Open the user's record
- Set Enabled to No to disable the account (preserves data and content ownership)
- Or delete the user -- content and activities attributed to them will reference a deleted user ID
API and integration access
- REST API -- Kentico Xperience provides a REST API for content and object operations. Enable under Settings > Integration > REST. Authentication uses HTTP Basic Auth with a CMS user account. The API respects the user's permissions.
- API Keys -- Not natively built in. REST API uses user credentials directly.
- Integration Bus -- For synchronizing data with external systems. Configured under Integration > Integration bus.
- Staging -- Content and object staging between environments uses the Staging module with its own authentication settings.
For API integrations, create a dedicated CMS user with a descriptive name, minimal role permissions, and the Editor privilege level.
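A check for the guidance above, as an added example (not Kentico code): it reviews an account inventory for integration users that do not follow the dedicated-user, minimal-role, Editor-level recommendation, and lists accounts holding the Global Administrator flag. The inventory, its field names and the "Search Index Reader" role are constructed assumptions.

```python
# Added example: the inventory below is constructed, and its field names are
# assumptions for illustration, not Kentico's export format or database schema.
BROAD_ROLES = {"CMS Designer", "CMS Developer"}  # built-in roles named on this page

USERS = [
    {"name": "administrator", "privilege": "Global Admin", "enabled": True,
     "integration": False, "roles": []},
    {"name": "svc-rest-crm-sync", "privilege": "Global Admin", "enabled": True,
     "integration": True, "roles": ["CMS Developer"]},
    {"name": "svc-rest-search", "privilege": "Editor", "enabled": True,
     "integration": True, "roles": ["Search Index Reader"]},
    {"name": "old-importer", "privilege": "Admin", "enabled": False,
     "integration": True, "roles": ["CMS Editor"]},
]

def audit(users):
    """Return (username, finding) pairs for enabled accounts, in input order."""
    findings = []
    for user in users:
        if not user["enabled"]:
            continue  # disabled accounts are out of scope for this check
        if user["privilege"] == "Global Admin":
            # Global Administrator bypasses every role and ACL restriction.
            findings.append((user["name"], "global-admin"))
        if user["integration"]:
            if user["privilege"] != "Editor":
                findings.append((user["name"], "integration-not-editor"))
            for role in sorted(BROAD_ROLES & set(user["roles"])):
                findings.append((user["name"], "integration-broad-role:" + role))
    return findings

if __name__ == "__main__":
    for name, finding in audit(USERS):
        print(f"{name}: {finding}")
```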
Analytics and tracking permissions
Kentico Xperience has built-in analytics and marketing features:
- Web Analytics -- Built-in page view, conversion, and campaign tracking. View data under the Web analytics application. Requires Read permission on the Web Analytics module.
- Google Analytics / GTM -- Add tracking code via Settings > URLs and SEO > Google services (for GA tracking ID) or by editing the site's master page template. Template editing requires CMS Designer role or developer access.
- Custom tracking scripts -- Add via the Header HTML or Footer HTML fields in Settings > HTML Head or by editing page templates. Requires access to Settings or template editing permissions.
- Marketing Automation -- Contact tracking, lead scoring, and email campaign analytics are managed under the Marketing applications. Requires Contact Management and Email Marketing module permissions.
- A/B Testing -- Configure content A/B tests from the Pages application. Requires Modify permission on the page and access to the A/B testing module.
- Conversion tracking -- Define conversions under Web analytics > Conversions. Requires Create permission on the Web Analytics module.
A Content Editor can view page analytics if granted Read access on the Web Analytics module but cannot install tracking scripts. Script installation requires Settings access or CMS Designer/Developer roles.
Security and SSO
- Windows Authentication / AD -- Kentico supports Active Directory authentication via Windows Integrated Authentication or Forms-based AD authentication
- External authentication -- OpenID Connect, SAML, and OAuth providers can be configured under Settings > Security & Membership > External authentication
- MFA -- Not built into core Kentico; implemented via external identity provider or custom module
- Audit log -- The Event Log (/CMSModules/EventLog/) tracks administrative actions, errors, and security events
- Password policy -- Configured under Settings > Security & Membership > Passwords (minimum length, complexity, expiration, lockout after failed attempts)