---
title: Access Control
summary: Restrict CMS access to specific groups of users
icon: user-lock
---
# Access Control and Page Security
There is a fairly comprehensive security mechanism in place for SilverStripe. If you want to add premium content to your
site you have to figure this stuff out, and it's not entirely obvious.
## Ways to restrict access
There are a number of ways to restrict access in SilverStripe. In the security tab in the CMS you can create groups
that have access to certain parts. The options can be found in the [permissions](/developer_guides/security/permissions) documentation.

Once you have groups, you can set access for each page for a particular group. This can be:

* anyone;
* any person who is logged in;
* a specific group.

It is unclear how this works for data-objects that are not pages.
## The Security Groups in SilverStripe
In the security tab you can make groups for security. The way this was intended was as follows (this may be
counterintuitive):

* employees
  * marketing
    * marketing executive

Thus, the further up the hierarchy you go the MORE privileges you can get. Similarly, you could have:

* members
  * coordinators
    * admins

Here members have some privileges, coordinators slightly more and administrators the most, with each group inheriting
privileges from its parent group.
## Permission checking is at class level
SilverStripe provides a security mechanism via the *Permission::check* method (see [LeftAndMain](api:SilverStripe\Admin\LeftAndMain) for examples of how
the admin screens work).

(next step -- go from *Permission::checkMember* ...)
### Nuts and bolts -- figuring it out
Here are my notes trying to figure this stuff out. Not really useful unless you're VERY interested in how exactly SS
works.
### Loading the admin page: looking at security
If you go to [your site]/admin, *Director.php* maps the 'admin' URL request through a [Director](api:SilverStripe\Control\Director) rule to the
[CMSMain](api:SilverStripe\CMS\Controllers\CMSMain) controller (see [CMSMain](api:SilverStripe\CMS\Controllers\CMSMain), with no arguments).

*CMSMain.init()* calls its parent which, of all things, is called [LeftAndMain](api:SilverStripe\Admin\LeftAndMain). It's in [LeftAndMain](api:SilverStripe\Admin\LeftAndMain) that the
important security checks are made by calling *Permission::check*.

[Security::permissionFailure()](api:SilverStripe\Security\Security::permissionFailure()) is the next utility function you can use to redirect to the login form.
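
The check-then-redirect pattern described above, applied to a custom controller. This is an added example, not code from the SilverStripe project: the class name `PremiumController`, the permission code `VIEW_PREMIUM` and its labels are hypothetical, and it assumes a SilverStripe 4 project where the framework classes are autoloaded.

```php
<?php

use SilverStripe\Control\Controller;
use SilverStripe\Security\Permission;
use SilverStripe\Security\PermissionProvider;
use SilverStripe\Security\Security;

/**
 * Hypothetical controller that serves premium content.
 *
 * Implementing PermissionProvider registers the custom permission code so
 * that it shows up in the CMS Security tab and can be granted to a group.
 */
class PremiumController extends Controller implements PermissionProvider
{
    // Hypothetical permission code; not one that ships with SilverStripe.
    const VIEW_PERMISSION = 'VIEW_PREMIUM';

    public function providePermissions()
    {
        return [
            self::VIEW_PERMISSION => [
                'name' => 'View premium content',
                'category' => 'Premium content',
            ],
        ];
    }

    protected function init()
    {
        parent::init();

        // Permission::check() evaluates the currently logged-in member.
        // Anonymous visitors and members whose groups do not hold the
        // code fail the check, so access is denied by default.
        if (!Permission::check(self::VIEW_PERMISSION)) {
            // Sets a redirect to the login form on this controller's
            // response; request handling stops once init() returns.
            Security::permissionFailure(
                $this,
                'You must log in with a premium account to view this page.'
            );
            return;
        }
    }
}
```

Because the check runs in `init()`, it covers every action on the controller, so an action added later cannot be reached without the permission.
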
### Customizing Access Checks in CMS Classes
See [LeftAndMain](api:SilverStripe\Admin\LeftAndMain).