Limiting User Management in Sitecore

One of the great things about Sitecore is being able to have multiple sites in one instance.

Many Sitecore users will run sites for different brands owned by the company, as well as auxiliary sites such as end-user portals or B2B sites. Many of these sites will feature a way for users to log in to access saved preferences, place orders, etc. When planning the login strategies, it is often easy to differentiate the user types by using different domains in Sitecore.

Once you have these different user types defined, you can create different custom profiles in Sitecore so that customer service reps can manage users and their data in Sitecore, or sync that data to external CRM tools. But who manages the end-user accounts? What if each site needs its own customer service team and they shouldn’t be allowed to see other users in Sitecore? We certainly don’t want to give admin accounts to all customer service reps. We could use the built-in “Sitecore Client Account Managing” role, but that role will still allow the user to see all users in the User Manager app – and we only want them to see end-user accounts, not the accounts for all content authors.

So let’s figure out a way to show only certain user types in the User Manager app. Looking at its code in Reflector, we can see that it gets its list of users from a method GetManagedUsers() in the UserDelegation class. The code for that method shows some promising options: it checks if the user is an administrator, and returns different results if not an admin. So piece one in our solution will be to not assign admin rights to our customer service reps.

Digging a little further we see that internally, Sitecore is using something they call “Managed Domains” in order to get the list of users to display. There is a setting on a user profile called “Managed Domain Names” which limits the users that can be seen by domain name – in other words, it’s exactly what we need! The second piece of our solution is to simply assign our end-user domain as a managed domain for each customer service rep’s user accounts. 

However, the Managed Domain Names setting is not exposed in the UI, so we have to set it programmatically. I use a role to indicate who should have it, then assign it during the user login pipeline. 

Example:

Let’s say we have two domains for users – “portal” and “b2b” (in addition to the “Sitecore” domain, and possibly an Active Directory integration for all the content authors).

It follows that we need two Roles for user admins – “portaladmin” and “b2badmin”.

In code, set user.Profile.ManagedDomainNames to a pipe-separated list of domain names.

using System;
using System.Linq;
using Sitecore.Diagnostics;
using Sitecore.Pipelines.LoggingIn;
using Sitecore.Security.Accounts;
 
namespace MySite.Web.Pipelines.LoggingIn
{
    // loggingin pipeline processor: grants managed domains based on role membership.
    public class SetManagedDomainsByRole
    {
        public void Process(LoggingInArgs args)
        {
            Assert.ArgumentNotNull(args, "args");
            var user = User.FromName(args.Username, true);
            // The profile value can be null or empty; drop empty entries so the
            // saved list never starts with a stray "|".
            var managedDomains = (user.Profile.ManagedDomainNames ?? string.Empty)
                .Split(new[] { '|' }, StringSplitOptions.RemoveEmptyEntries).ToList();
            if (user.IsInRole("sitecore\\b2badmin") && !managedDomains.Contains("b2b"))
            {
                managedDomains.Add("b2b");
            }
            if (user.IsInRole("sitecore\\portaladmin") && !managedDomains.Contains("portal"))
            {
                managedDomains.Add("portal");
            }
            // Stored as a pipe-separated list of domain names.
            user.Profile.ManagedDomainNames = string.Join("|", managedDomains);
            user.Profile.Save();
        }
    }
}

As usual, you should include this processor with a web.config include file:

<configuration xmlns:patch="http://www.sitecore.net/xmlconfig/">
  <sitecore>
    <processors>
      <loggingin>
        <processor type="MySite.Web.Pipelines.LoggingIn.SetManagedDomainsByRole, MySite.Web" patch:after="processor[@type='Sitecore.Pipelines.LoggingIn.CheckClientUser, Sitecore.Kernel']" />
      </loggingin>
    </processors>
  </sitecore>
</configuration>

This code lets a user be in both roles and get to manage both domains. If you want a more generic solution, it should be easy to put a list of role→domain associations in your web.config file or some other easily manageable place, and replace the two if statements with a loop that iterates through your new list.
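The generic role-to-domain loop suggested above, as an added example (not the author's code). It goes one step further than the article's processor and also removes a mapped domain when the user no longer holds the matching role, so revoking the role takes effect at the next login. The class name SyncManagedDomainsByRole and the hard-coded map are assumptions; only Sitecore members already used in the article's processor are called.

```csharp
using System;
using System.Collections.Generic;
using System.Linq;
using Sitecore.Diagnostics;
using Sitecore.Pipelines.LoggingIn;
using Sitecore.Security.Accounts;

namespace MySite.Web.Pipelines.LoggingIn
{
    // Hypothetical class name; role and domain names are the article's examples.
    public class SyncManagedDomainsByRole
    {
        // Role -> domain it may manage. Hard-coded here (assumption); the article
        // suggests keeping this list in configuration instead.
        private static readonly Dictionary<string, string> RoleToDomain =
            new Dictionary<string, string>(StringComparer.OrdinalIgnoreCase)
            {
                { "sitecore\\b2badmin", "b2b" },
                { "sitecore\\portaladmin", "portal" }
            };

        public void Process(LoggingInArgs args)
        {
            Assert.ArgumentNotNull(args, "args");
            var user = User.FromName(args.Username, true);
            var current = user.Profile.ManagedDomainNames ?? string.Empty;
            var updated = Reconcile(current, role => user.IsInRole(role));
            if (updated == current) return;   // nothing to write
            user.Profile.ManagedDomainNames = updated;
            user.Profile.Save();
        }

        // Pure function, testable without Sitecore: mapped domains are kept only
        // when a role that grants them is held; unmapped entries are left alone.
        public static string Reconcile(string current, Func<string, bool> isInRole)
        {
            var domains = new HashSet<string>(
                (current ?? string.Empty).Split(new[] { '|' }, StringSplitOptions.RemoveEmptyEntries),
                StringComparer.OrdinalIgnoreCase);
            var granted = RoleToDomain.Where(p => isInRole(p.Key)).Select(p => p.Value).ToList();
            domains.ExceptWith(RoleToDomain.Values);  // drop every mapped domain
            domains.UnionWith(granted);               // re-add those backed by a held role
            return string.Join("|", domains.OrderBy(d => d, StringComparer.OrdinalIgnoreCase));
        }
    }
}
```

It registers in the same include file by swapping the type name. Domains that appear in the map should only ever be granted through their roles, since a manually assigned one would be removed at the next login.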

In this article we’ve explored the way the User Manager application within Sitecore gets its data, and found a way to limit that data using an undocumented feature of Sitecore. I’ve tested this in Sitecore 7.1 through current, and the “Managed Domains” feature is present; however, you should always use caution when utilizing an undocumented feature. In the end, achieving my goal was much easier than I was anticipating, and I hope this helps you if you ever find yourself with a similar need to limit user account management in Sitecore.

Sitecore development, Sitecore custom code
