Securing Sitecore with sublayouts and the DMS
By: Solution Architect Grant Bartlett
Sitecore allows you to provide access to components to users who need it, and an opportunity to limit them for those who do not. Learn how to secure Sitecore sublayouts both with and without the DMS.
In an intranet environment, securing a component to a specific group of users is a common requirement. There are a couple of easy ways to secure content, depending on whether or not you are leveraging DMS.
Security without using the DMS
You can secure the component (i.e. the underlying sublayout) directly to the role requiring access. This certainly accomplishes securing the content, however, it also restricts your ability to re-use this component for other roles. You can get around this issue by creating multiple sublayout items in Sitecore, to represent a secured vs non-secured version of the component for example, but this approach can get messy if the same component needs to be secured to different roles in different situations. This solution is best when dealing with a small number of these types of scenarios.
One word of caution on this scenario: We’ve discovered that although sublayout securing does indeed work, Sitecore does create a log entry every time a user lacking permissions attempts to load the sublayout. We’ve not yet followed up with Sitecore on this.
Another scenario would be to secure the datasource being used by your component and subsequently ensuring your code fails gracefully if a datasource item is not found. This scenario is slightly more flexible than securing the sublayouts, but in the end, it again works well in simple scenarios, but does not scale well when you start adding complexity.
Security using the DMS
Employing the DMS can help avoid the limitations associated with scaling the above scenarios.
If DMS is available, you can use the rules engine to secure an individual usage of a component rather than the underlying sublayout. The screenshot below shows a sample condition for securing your content to a role:
Notice how the Default option hides the component, while the condition in the Secure to Managers option secures the content to the Managers role.
With DMS, other rules can also be applied to the same condition, and suddenly you can have a very complex, powerful, and personalized experience.
