CRUD operations with permissions

To manage permissions, you use the manager of the type that you manage permissions for. For example, to manage permissions for blogs, you use the blogs manager. For more information, see For developers: Permissions API.

All objects in Sitefinity CMS that implement the ISecuredObject interface can be secured with permissions. All content managers use data providers that implement ISecuredObject. All content items, if not explicitly secured, inherit their permissions from the data provider until the inheritance is broken.

Sitefinity CMS allows you to secure specific content items (for example, a specific blog item) or all items from given type (for example, all blogs). To secure all content items from given type, you create permissions for the content data provider. To get the security root for the provider, you use the GetSecurityRoot method of the manager class.

The examples below describe how to manage permissions for all blogs using the blogs data provider security root ID. You can use the same code to manage permissions for a specific item by using its ID.

Creating permissions

The next example creates a permission associated with the blogs data provider and the specified user with no actions granted or denied. For more information, see For developers: Grant and deny permissions

To create the permission, you use the CreatePermission method of the blogs manager. In the parameters you specify the permission set, the ISecuredObject item ID and the principal ID that the new permission is associated with. To add the new permission to the security root, you use the Permissions property of the ISecuredObject item. Finally, you save the changes.


Querying permissions

The next example queries for a permission associated with the blogs data provider and the specified user. 

To get the permission, you use the GetPermission method of the blogs manager. In the parameters you specify the permission set, the ISecuredObject item ID and the principal ID that the permission is associated with.


Deleting permissions

The next example deletes a permission associated with the blogs data provider and the specified user. 

First, you get the permission using the GetPermission method of the blogs manager. Then, to delete the permission, you remove it from the security root and use DeletePermission. Finally, you save the changes.


Revoking permissions

Revoking permission is resetting its Grant and Deny values to 0 (no actions granted and no actions denied) without deleting the permission from the secured object.

The next example revokes a permission associated with the blogs data provider and the specified user. 

First, you get the permission using the GetPermission method of the blogs manager. Then, to revoke the permission, you set the Grant and Deny properties to 0. Finally, you save the changes


Increase your Sitefinity skills by signing up for our free trainings. Get Sitefinity-certified at Progress Education Community to boost your credentials.

Get started with Integration Hub | Sitefinity Cloud | Sitefinity SaaS

This free lesson teaches administrators, marketers, and other business professionals how to use the Integration hub service to create automated workflows between Sitefinity and other business systems.

Web Security for Sitefinity Administrators

This free lesson teaches administrators the basics about protecting yor Sitefinity instance and its sites from external threats. Configure HTTPS, SSL, allow lists for trusted sites, and cookie security, among others.

Foundations of Sitefinity ASP.NET Core Development

The free on-demand video course teaches developers how to use Sitefinity .NET Core and leverage its decoupled architecture and new way of coding against the platform.

Was this article helpful?