Sitecore security

Current version: 10.3

The Sitecore security model enables you to grant or deny access to almost every aspect of a website. To do this, you use security accounts and security domains to control the access that users have to the items and content on their website as well as the access they have to Sitecore functionality.

Security accounts

A security account is a role or a user:

  • A role is a collection of users or a collection of users and other roles. You can use roles to assign access rights to groups of Sitecore users by making them a member of a role.

    Sitecore contains a set of predefined security roles that you can use, or you can create new roles and give them the relevant access rights.


    In Sitecore, there are also global roles that all users across domains can see. These roles are listed in the /App_Config/Security/GlobalRoles.config file.

  • A user account in Sitecore contains details about the user name, domain, email, and password. You can assign access rights directly to a user account.


In Sitecore, a security account is identified by its name (domain name\account name, for example, sitecore\Developer or sitecore\ECM advanced users) and therefore, two security accounts cannot have the same name.

Security domains

A security domain is a collection of security accounts (users and roles) that you can administer as a unit with common rules and procedures. A domain is used to collect security accounts that have some logical relationship, for example, all the accounts that have access to use the Sitecore clients could be stored in the Sitecore domain, whereas all the accounts with access to the published website could be stored in the Extranet domain.

The security engine

Sitecore uses the .NET security engine, which offers several advantages:

  • A variety of plug-and-play features provided directly by Microsoft.

  • An abstraction from the real data source.

  • The option to replace or extend the default configuration with custom providers.

  • The performance speed of a pure ASP.NET solution.

  • The possibility of keeping the accounts in identifiable storage areas by using several providers simultaneously.

Do you have some feedback for us?

If you have suggestions for improving this article,