Understanding security requirements is the first step to set up the security model in Sitecore Content Hub. Security requirements are a set of governance rules that define the permissions structure of your organization. Each department or division can have its own user group membership and corresponding policies with refined access roles.

This section provides best practices and generic steps for you to best define your security model.


For more detailed procedures, refer to the user groups and policies documentation.

Access roles

Common access roles are content readers, content creators, and content approvers.

Readers should have the following permissions:

  • Read and Download rights to the Assets search page.
  • Access to their user Profile page.
  • Read access to the Collections page.
  • ViewNotWatermarked rights to view renditions without watermarking.

Creators should have the following permissions:

  • Create and Submit rights on assets to upload and submit assets for review.
  • Update rights to their own assets that are yet unapproved.

Content approvers should have the following permissions:

  • Approve rights on assets under review (the Approve permission includes Reject rights).
  • Read and CreateAnnotations rights on assets.

These roles are typically refined based on the metadata, such as brand, product, and campaign linked to the assets (or products). For more information about permissions, refer to Permissions

Define user groups

The following process is a best practice to define your user groups.

To define user groups:

  1. Define the roles you need as described in the previous section.
  2. Create a new user group per role.
  3. Assign the modules relevant to this user group.
  4. Define the pages that each user group needs to access.
  5. Define access for Asset and File definitions:
    • Create one rule for Asset and File when the definitions share identical permissions.
    • Set conditions to limit the assets available for this user group, according to your domain model design.
  6. Define user group permissions to other entity definitions.
    • Define which definitions the users need to access, update, or delete:
      • Review the taxonomy definitions.
      • Review any custom entity definition.
    • Define which permissions the users need for these definitions.

For more information about permissions, refer to Permissions

SSO configuration

  • Disable register by default.

  • Always enable reCAPTCHA, as described on Enabling reCAPTCHA.

  • Do not give the Everyone user group any meaningful permissions.

  • Enable auto-lockout to increase the security.

More best practices

When translating the security requirements to user groups and policies, keep the following highlights in mind:

  • Keep the number of user groups small. Having hundreds of user groups requires maintenance effort with every change in the domain model.

  • You should not assign a user to more than ten user groups. Security checks are performed before loading certain operations or when running background processes. Setting more than ten user groups per user has a performance impact. Consider grouping user groups to avoid it.

  • Do not define duplicate rules and permissions. When you assign several user groups to one user, identical permissions might be granted by more than one user group. Review how the user groups share the permissions on certain entities. You can use Security Diagnostics to detect duplicated policies that grant the same permission on the same entity.

Can we improve this article ? Provide feedback