Thursday, December 27, 2018

Sitecore Security for SXA Projects

Every new website requires some level of security configuration before launch. In this article we see one possible solution to applying security to sites built with the Sitecore Experience Accelerator (SXA).

Please note that the following scripts were written before the SXA module included scripts to manage security. I encourage you to evaluate those included out-of-the-box.

Role Configuration

Let's have a look at how the security will be setup for each tenant.


  • Each tenant will be organized by the company name. Companies have their own domain.
  • At least three of the six roles exist for all tenants (Admin, Editor, Developer). Each role inherits from a Base role (Sitecore Client Authoring, Sitecore Client Users) so they can login and manage content.
Tenant roles mapped to Sitecore roles
Running the script will present the user with a dialog like the following:

Dialog before security settings are applied
The dialog lists all of the available SXA tenants as well as any additional domains configured using the switching provider. This can be very helpful when using the Active Directory module because those users are not in the same domain as the tenant.

Show ribbon button using rules

Script Highlights


Let's walkthrough what changes are applied by the script.

Results output after completion
  • Site - Admin role granted access to help cleanup after users.
  • Home - Base role granted access to manage content.
  • Overlay - Admin role allowed to manage overlay content.
  • Data - Base role granted access to manage grandchildren. Prevents users from deleting global folders.
  • Media - Base role granted access to manage available media library folders.
  • Media Library - Base role granted access to manage media for this site.
  • Presentation - Developer role granted access to manage Rendering Variants, Partial Designs, etc.
  • Theme - Developer role granted access to manage media for this theme.
  • Data Templates - Developer role granted access to manage data templates.
  • Publishing Targets - Editor role granted access to publish to any target.
  • Languages - Everyone role granted access to read/write to all languages. This includes the tenant domain and additional domains selected.
  • System Settings - Developer role granted access to manage Modules, Settings, Tasks, and Workflows.
This will of course not cover the granularity that your company requires, but should provide you with a framework for crafting a tool for your own needs.

Hope this inspires you to build something great and share with the community.

The Scripts