How can I restrict access to a single or select few properties in Optimizely CMS 12?
- Last Reviewed: 2025-11-06
I want to restrict access for a certain user group to only be allowed to create, edit, and publish the site-wide alerts that live on the Start Page. In the event of an emergency, I can't expect the couple of WebEditors or WebAdmins to be able to log in to create the alert. I need to be able to allow more users to log into the CMS to create these alerts. However, I don't want these users to have access to any other pages or properties on the site.
Answer
Create an attribute that you can use to identify properties and roles that should be given exclusive access rights.
\Business\Attributes\
    using System;

    // Marks a property as editable only by the listed roles.
    [AttributeUsage(AttributeTargets.Property, AllowMultiple = false)]
    public class ExclusivePropertyAccessAttribute(string[] allowedRoles) : Attribute
    {
        public string[] AllowedRoles { get; set; } = allowedRoles;
    }
Next, build a MetadataExtender to define the logic for which properties should or should not be read-only based on the attributes of each property and the roles of the current user. For example, if the site-wide alerts property exists on the Start Page, you can set the property to read-only on every other content type without even evaluating attributes if the user is in the "AlertsOnly" role.
\Business\
    using System;
    using System.Collections.Generic;
    using System.Linq;
    using EPiServer.Cms.Shell.UI.ObjectEditing;
    using EPiServer.Core;
    using EPiServer.Security;
    using EPiServer.Shell.ObjectEditing;
    // Also import the project namespaces that contain AlertBlock and ExclusivePropertyAccessAttribute.

    public class AlertsOnlyMetadataExtender : IMetadataExtender
    {
        public void ModifyMetadata(ExtendedMetadata metadata, IEnumerable<Attribute> attributes)
        {
            if (metadata.Model is IContent content)
            {
                if (PrincipalInfo.CurrentPrincipal.IsInRole("AlertsOnly"))
                {
                    // Loop through properties of current content
                    foreach (var extendedMetadata in metadata.Properties.OfType<ContentDataMetadata>())
                    {
                        // If the content is not the StartPage or an AlertBlock, ALL properties should be read-only
                        if (content.ContentLink.ID != ContentReference.StartPage.ID && content is not AlertBlock)
                        {
                            extendedMetadata.IsReadOnly = true;
                        }
                        else
                        {
                            // If this is the StartPage or an AlertBlock, check whether the user has been
                            // specifically allowed to edit this property (has the "AlertsOnly" role listed in
                            // the ExclusivePropertyAccessAttribute). If the attribute does not exist, this
                            // property should be read-only!
                            var exclusivePropertyAccessAttribute = extendedMetadata.Attributes
                                .OfType<ExclusivePropertyAccessAttribute>()
                                .FirstOrDefault();

                            if (exclusivePropertyAccessAttribute is null
                                || !exclusivePropertyAccessAttribute.AllowedRoles.Contains("AlertsOnly"))
                            {
                                extendedMetadata.IsReadOnly = true;
                            }
                        }
                    }
                }
            }
        }
    }
Finally, you need to initialize your metadata extender.
\Business\Initialization\
    using EPiServer.Core;
    using EPiServer.Framework;
    using EPiServer.Framework.Initialization;
    using EPiServer.ServiceLocation;
    using EPiServer.Shell.ObjectEditing;

    [InitializableModule]
    [ModuleDependency(typeof(EPiServer.Web.InitializationModule))]
    public class AlertsOnlyInitialization : IInitializableModule
    {
        public void Initialize(InitializationEngine context)
        {
            if (context.HostType == HostType.WebApplication)
            {
                // Register the extender for all content so it runs for every content type.
                var registry = context.Locate.Advanced.GetInstance<MetadataHandlerRegistry>();
                registry.RegisterMetadataHandler(typeof(ContentData), new AlertsOnlyMetadataExtender());
            }
        }

        public void Uninitialize(InitializationEngine context)
        {
        }
    }
Now, just apply your attribute to the property/properties you want to give exclusive access to and include the "AlertsOnly" role.
    [CultureSpecific]
    [Display(
        Name = "Site-Wide Alerts",
        Description = "Site-wide alerts to be displayed",
        Order = 10,
        GroupName = TabNames.SiteSettings)]
    [ExclusivePropertyAccess(["AlertsOnly"])]
    [AllowedTypes(typeof(AlertBlock))]
    public virtual ContentArea SiteWideAlerts { get; set; }
NOTE: In the example above, you would also need to add the ExclusivePropertyAccess attribute to the properties on the AlertBlock to make sure the user can edit the blocks in the "Site-Wide Alerts" ContentArea.
In the CMS, create a new group called "AlertsOnly" and set the Access Rights so the group only has Read access on the Root. On the Start Page, uncheck "Inherit settings from parent item" and set the "AlertsOnly" group to have Read, Create, Change, and Publish on the Start Page. Leave all the remaining pages under the Start Page with the "Inherit settings from parent item" checked. Now the "AlertsOnly" user will be able to see all properties site-wide, but will not be able to modify them in any way (including folders like "For All Sites" in the Assets Panel) except for the properties marked with the ExclusivePropertyAccess attribute with the "AlertsOnly" role added.
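The metadata extender marks properties read-only in the editing metadata, while the access rights still grant Change and Publish on the whole Start Page. As defense in depth, the following added example (not part of the original answer and not Optimizely's own code) applies the same attribute rule when content is saved or published. The class name AlertsOnlySaveGuard is hypothetical, and the example assumes that PropertyData.IsModified reflects the properties changed in the save being processed.

```csharp
using System;
using System.Linq;
using System.Reflection;
using EPiServer.Core;
using EPiServer.DataAbstraction;
using EPiServer.Framework;
using EPiServer.Framework.Initialization;
using EPiServer.Security;
using EPiServer.ServiceLocation;

// Added example: cancels saves by "AlertsOnly" users that touch unmarked properties.
[InitializableModule]
[ModuleDependency(typeof(EPiServer.Web.InitializationModule))]
public class AlertsOnlySaveGuard : IInitializableModule
{
    private const string Role = "AlertsOnly";
    private IContentTypeRepository _contentTypes;

    public void Initialize(InitializationEngine context)
    {
        _contentTypes = context.Locate.Advanced.GetInstance<IContentTypeRepository>();
        var events = context.Locate.Advanced.GetInstance<IContentEvents>();
        events.SavingContent += Guard;
        events.PublishingContent += Guard;
    }

    public void Uninitialize(InitializationEngine context)
    {
        var events = context.Locate.Advanced.GetInstance<IContentEvents>();
        events.SavingContent -= Guard;
        events.PublishingContent -= Guard;
    }

    private void Guard(object sender, ContentEventArgs e)
    {
        if (e.Content is null || !PrincipalInfo.CurrentPrincipal.IsInRole(Role)) return;
        // Only properties defined on the content type are checked (IsPropertyData);
        // built-in metadata properties are skipped.
        var modelType = _contentTypes.Load(e.Content.ContentTypeID)?.ModelType;
        var blocked = e.Content.Property.FirstOrDefault(p =>
            p.IsPropertyData && p.IsModified && !IsAllowed(modelType, p.Name));
        if (blocked is null) return;
        e.CancelAction = true;
        e.CancelReason = $"Role '{Role}' may not change property '{blocked.Name}'.";
    }

    // A property is allowed only if it carries the attribute and lists the role.
    private static bool IsAllowed(Type modelType, string propertyName) =>
        modelType?.GetProperty(propertyName)?.GetCustomAttribute<ExclusivePropertyAccessAttribute>()?
            .AllowedRoles.Contains(Role) == true;
}
```

Because the guard reads the same ExclusivePropertyAccess attribute as the metadata extender, the AlertBlock properties need the attribute here for the same reason given in the NOTE above.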