Sitecore 7: New Security Access Rights

This blog post describes new access rights introduced in version 7 of the Sitecore ASP.NET web Content Management System (CMS). Before reading this blog post, please read the Sitecore 7: Introduction blog post linked in the list of resources at the end of this page.

In Sitecore 7, the new /App_Config/Include/Sitecore.Buckets.config Web.config include file defines two new access rights:

  • bucket:makebucket (Create Bucket): You can use this access right to control access to the new Bucket and Sync commands in the new Buckets group on the Configure tab of the Content editor ribbon.
  • bucket:unmake (Revert Bucket): You can use this access right to control access to the new Revert command in the new Buckets group on the Configure tab of the Content Editor ribbon

In both cases, the CMS user must also have item:read access rights to the /sitecore/content/Applications/Content Editor/Ribbons/Chunks/Item Buckets item in the Core database and its children that control access to the relevant commands on the ribbon. To see these commands in the ribbon, the CMS user must have item:read access to these command definition items; to see these commands enabled for an item, the user must have that access as well as the relevant bucket: access right (and item:read and potentially item:write) that item.

Access rights for the /sitecore/content/Applications/Content Editor/Ribbons/Chunks/Item Buckets item in the Core database should allow these commands for the new Sitecore Client Bucket Management role in the sitecore (CMS) security domain.


  • Hi John,  Probably, not the best place to ask this but this came up during training. The new search API runs in the Security context of the user? What I mean to say, I suppose i am Sen and i try to search using a search feature available on the website.  Sen has read access to item a,b,c  but has no read access on item e, f.  The result set through search API would be a,b,c?

  • Hi Sen,  A search index is not aware of security. Searches against an index can return hits on any indexed documents, regardless of the context user.  In most cases, Sitecore invokes the indexing.filterIndex.outbound, which includes the ApplyOutboundSecurityFilter processor that applies access rights to the list of hits. You can change this behavior by passing parameters to the appropriate APIs.  One implication is that facet counts can be inaccurate unless you apply security to the facets, which can be excessively expensive. An alternative is to create additional indexes for each audience segment (role), exclude items not visible to the appropriate roles from those indexes, and search against the appropriate index depending on role.

  • Hey Jon, to allow content author to run bucket sync, I have created a role Enable_Bucket_Sync and have given it read access to /sitecore/content/Applications/Content Editor/Ribbons/Chunks/Item Buckets and read-write access to /sitecore/content/Applications/Content Editor/Ribbons/Chunks/Item Buckets/Sync. Then I have assigned this role to the content author. But the sync button still appears disabled for the content authors. Sync button only gets enabled when I give admin access to content author but I dont want to do that. Can you suggest (using Sitecore 9.0) ?

  • Hi Ghanendra Singh, I ran into the same issue (using Sitecore 9.0.2) trying to give users access to Bucket Sync and I've found that a user that is a member of both sitecore\Sitecore Client Bucket Management and sitecore\Developer can access this button once they've selected and checked out (by clicking Edit in the Review ribbon tab) the bucket item. Hope this helps!