Understanding security requirements is the first step to setting up a security model in Sitecore Content Hub. Security requirements are a set of governance rules that define the permissions structure of your organization. In Content Hub, security is determined based on user groups and policies. Each department or division can have its own user group membership and corresponding policies with refined access roles.

This section provides best practices to help you define your security model.

Specify permissions for common access roles

The following table lists common access roles and the permissions they should have.




  • Read and Download permissions for the Assets search page.

  • Access to their own user Profile page.

  • Read access to the Collections page.

  • ViewNotWatermarked permissions to view renditions without watermarking.


  • Create and Submit permissions for assets, enabling them to upload and submit assets for review.

  • Update permissions for their own assets that are not yet approved.

Content approvers

  • Approve permissions for assets under review, enabling them to approve or reject these assets.

  • Read and CreateAnnotations permissions for assets.


These roles are typically refined based on the metadata, such as brand, product, and campaign linked to the assets or products.


Don't create duplicate rules and permissions. If you assign multiple user groups to the same user, identical permissions might be granted by more than one of those groups. Review how the user groups share the permissions for the same entities. You can use the security diagnostics tool to detect duplicate policies that grant identical permissions for the same entity.

Define user groups

When you define user groups, follow this recommended workflow.

  • Sitecore periodically updates standard user groups, such as the Everyone group, to include permissions for new essential site functionality. For this reason, we recommend you use these groups to apply common permissions to most users, and only use custom groups to apply exceptional permissions to those who need them.

  • Modifying permissions for the Everyone user group is not recommended, as it might cause users to lose access to features and functions.

  • Don't remove users from the Everyone user group, because this will remove the baseline permissions required for them to access the system.

To define user groups:

  1. Define the roles you need as described in the previous section.

  2. Create a new user group per role.

  3. Assign the modules relevant to this user group.

  4. Define the pages that each user group needs to access.

  5. Define access for Asset and File definitions:

    • Create a single rule for both Asset and File when the definitions have identical permissions.

    • Set conditions to limit the assets available for each user group, according to your domain model design.

  6. Define user group permissions for other entity definitions.

    • Define which definitions the users need to access, update, or delete.

    • Review the taxonomy definitions.

    • Review custom entity definitions.

    • Define which permissions the users need for these definitions.


Keep the number of user groups small. Having hundreds of user groups requires maintenance effort with every change in the domain model. Don't assign a user to more than ten user groups. Security checks are performed before loading certain operations or when running background processes. Setting more than ten user groups per user has a performance impact. Consider consolidating user groups to avoid this.

Configure authentication

When you configure authentication, follow these recommendations.

  • Disable registration by default - doing this prevents unauthorized access to your website, ensuring that only authorized users can access its content. Enabling registration should be a deliberate action, allowing you to control who can create a user account.

  • Implement email domain whitelisting - you can strictly control access to your website by enabling WhiteListedEmailPatterns. This prevents the registration of users from other domains, and is best used in combination with EnableConfirmationMail=true.

  • Properly configure SAML authentication - configuring authentication correctly means referencing the IDP directly instead of copying IDP metadata. This ensures successful sign-ins, even when IDP metadata changes (such as certificate renewal).

  • Enable reCAPTCHA for your user registration flow - doing this adds an extra layer of security by verifying that the user is not a bot, protecting your website from automated attacks.

  • Restrict permissions for standard user groups - doing this ensures that even if unauthorized users gain access to your website, they cannot access any sensitive data. When new users are created, make sure they are not assigned to user groups that grant permissions they don't need. All users are part of the Everyone user group, so you need to ensure that this group only has permissions that you want to give to every user.

  • Enable auto-lockout - you can automatically lock out users who repeatedly enter incorrect login credentials by setting up AttemptsBeforeLockout.

  • Maintain a backup local administrator account with a strong password - doing this provides a fail-safe for your company, so you can still access Content Hub if there are issues with your identity provider or its configuration.

Do you have some feedback for us?

If you have suggestions for improving this article,