Roles and Views - Optimizely CMS 12

Exam Area: Area 1 – Product Knowledge (15%)
Reference: https://docs.developers.optimizely.com/content-management-system/docs/default-roles-and-groups


1. Built-in Roles

CMS 12 ships with the following default roles/groups:

| Role | Description |
|---|---|
| WebAdmins | Full access to Admin UI and all content |
| WebEditors | Access to Edit View; can create/edit/publish content |
| Administrators | Windows local admin (if using Windows Auth) — not recommended |
| Everyone | All authenticated and anonymous users |
| Authenticated Users | All logged-in users (any role) |
| Anonymous | Unauthenticated visitors |

2. CMS Views

| View | URL / Entry | Purpose |
|---|---|---|
| Edit View | /episerver/cms/ | Content editing, page tree, media |
| Admin View | /episerver/cms/admin | Site configuration, users, content types |
| Visit View | The actual website URL | Visitor-facing rendered site |
| Preview | Edit view → Preview button | Read-only draft preview |
| On-Page Edit | Default mode in Edit View | Inline editing overlay |
| All Properties | Edit view → switch view | Form-based property editor |

3. Access Levels

Access to content is controlled by Access Control Lists (ACLs) per content item:

| Access Level | Description |
|---|---|
| Read | Can view the content (visitor-facing) |
| Create | Can create new child content |
| Edit | Can edit the content |
| Delete | Can delete the content |
| Publish | Can publish/unpublish |
| Administer | Can change access rights on this item |
| FullAccess | All of the above |
| NoAccess | Explicitly denied |

// Check access in code
bool canEdit = _contentAccessEvaluator.HasAccess(
    content: page,
    principal: PrincipalInfo.CurrentPrincipal,
    access: AccessLevel.Edit);

4. Role-Based vs. Content-Based Security

Role-based:
  WebEditors → Can access Edit View
  WebAdmins  → Can access Admin View

Content-based (ACL):
  /StartPage/News/ → WebEditors: Read, Create, Edit
                  → NewsEditors: Read, Create, Edit, Publish
                  → WebAdmins: FullAccess

5. IContentAccessEvaluator

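using EPiServer.Core;
using EPiServer.Security;

// Wraps IContentAccessEvaluator to ask whether the current principal may publish an item
public class SecurityService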
{
    private readonly IContentAccessEvaluator _accessEvaluator;

    public SecurityService(IContentAccessEvaluator accessEvaluator)
    {
        _accessEvaluator = accessEvaluator;
    }

    public bool CanPublish(IContent content)
    {
        return _accessEvaluator.HasAccess(
            content,
            PrincipalInfo.CurrentPrincipal,
            AccessLevel.Publish);
    }
}

6. Setting ACL Programmatically

using EPiServer.Core;
using EPiServer.DataAbstraction;
using EPiServer.Security;

// IContentSecurityRepository manages ACLs
public class AclService
{
    private readonly IContentSecurityRepository _securityRepo;

    public AclService(IContentSecurityRepository securityRepo)
    {
        _securityRepo = securityRepo;
    }

    public void GrantEditorAccess(ContentReference content, string roleName)
    {
        var descriptor = (IContentSecurityDescriptor)
            _securityRepo.Get(content).CreateWritableClone();

        descriptor.AddEntry(new AccessControlEntry(
            name:        roleName,
            access:      AccessLevel.Read | AccessLevel.Create | AccessLevel.Edit,
            entityType:  SecurityEntityType.Role));

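        // ReplaceChildPermissions also applies this ACL to the item's children;
        // SecuritySaveType.Replace changes only this item.
        _securityRepo.Save(content, descriptor, SecuritySaveType.ReplaceChildPermissions);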
    }
}
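
An added example, not part of the original page or Optimizely's own code: an audit pass that combines the access levels from section 3 with IContentSecurityRepository to report where the built-in Everyone or Anonymous roles hold more than Read. The class and method names are hypothetical, and it assumes the descriptor's Entries collection lists the ACL entries for each item.

```csharp
using System;
using System.Collections.Generic;
using System.Linq;
using EPiServer;
using EPiServer.Core;
using EPiServer.DataAbstraction;
using EPiServer.Security;

// Hypothetical audit helper (added example): reports ACL entries that give
// the built-in Everyone or Anonymous roles any access level beyond Read.
public class AclAuditor
{
    // Every access level from section 3 except Read.
    private const AccessLevel WriteLevels =
        AccessLevel.Create | AccessLevel.Edit | AccessLevel.Delete |
        AccessLevel.Publish | AccessLevel.Administer;

    private static readonly HashSet<string> PublicRoles =
        new HashSet<string>(StringComparer.OrdinalIgnoreCase) { "Everyone", "Anonymous" };

    private readonly IContentLoader _contentLoader;
    private readonly IContentSecurityRepository _securityRepo;

    public AclAuditor(IContentLoader contentLoader, IContentSecurityRepository securityRepo)
    {
        _contentLoader = contentLoader;
        _securityRepo = securityRepo;
    }

    // Returns (content, role, excess access) for the root item and all of its descendants.
    public IEnumerable<(ContentReference Content, string Role, AccessLevel Excess)>
        FindPublicWriteAccess(ContentReference root)
    {
        var items = new[] { root }.Concat(_contentLoader.GetDescendents(root));
        foreach (var link in items)
        {
            var descriptor = _securityRepo.Get(link);
            if (descriptor == null) continue; // defensive: skip items with no descriptor
            foreach (var entry in descriptor.Entries)
            {
                // AccessLevel is a flags enum, so mask out Read and keep the rest.
                var excess = entry.Access & WriteLevels;
                if (entry.EntityType == SecurityEntityType.Role &&
                    PublicRoles.Contains(entry.Name) && excess != 0)
                    yield return (link, entry.Name, excess);
            }
        }
    }
}
```

Any row it returns is a place where unauthenticated or all users can do more than view content, which is worth reviewing before granting further roles on that branch.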

7. Content Approval Roles

When Content Approvals are enabled, these additional roles/states exist:


8. Virtual Roles

CMS 12 supports Virtual Roles — custom roles defined in configuration that evaluate based on request context:

{
  "EPiServer": {
    "CMS": {
      "VirtualRoles": {
        "Administrators": { "MappedRoles": ["WebAdmins"] },
        "Creator": {
          "RoleType": "EPiServer.Security.CreatorRole, EPiServer.CMS.Core"
        }
      }
    }
  }
}

The Creator virtual role matches only the original author of a content item.


Review Questions

  1. Which role gives full access to the Admin UI? (WebAdmins)
  2. What are the 6 content access levels? (Read, Create, Edit, Delete, Publish, Administer)
  3. Which interface checks whether a principal has a specific access level to a content item? (IContentAccessEvaluator)
  4. Which interface manages Access Control Lists (ACLs) on content? (IContentSecurityRepository)
  5. What is a Virtual Role? (A custom role that evaluates dynamically based on context — e.g. Creator matches the original content author)