Web roles

Permissions are granted to the users using web role records. The Web Role entity allows an administrator to control user access to portal content and Common Data Service data. Web Role entity has a number of related records that define permissions and permission assignments.

Web Role relationships by category

To define permissions, a web role can be associated with the following records:

  • Website Access Permissions - Define what front-side editing permissions a web role should have.
  • Web Page Access Control Rules - Identify the pages accessible by a web role and what actions can be taken.
  • Publishing State Transition Rules - Control permissions for the page publishing lifecycle.
  • Ideas , Blogs, Forums Permissions - Define what user is allowed to do in those publication types.
  • Entity Permissions - Governs access to Common Data Service data.

Role assignment

A portal contact can be assigned one or more web role at a time. Access rules and permissions of individual roles are combined to calculate the resulting permissions set.

An account can be assigned one or more web role. All contacts under that account will inherit the role assignments of the parent contact. That makes it easy to maintain consistent role assignments for a group of contacts from the same company, or department.

Invitations can be associated with a parent account and a set of web roles. When a contact accepts that invitation, they will be assigned the account and the web roles. This makes it easy to maintain consistent role assignment when mass-inviting the existing contacts to join the portal.

Special roles

One of the web roles in the portal can be marked as Anonymous Users Role and another one as Authenticated Users Role. These roles allow you to apply permissions and access rules to all portal users based on whether they access the site anonymously or if they are signed in.

Only one web role can be defined as anonymous, and one as authenticated. This can be the same role but that would rarely be useful.

Contacts do not have to have the Authenticated Users Role assigned. This role and associated permissions are assigned implicitly when a user signs in.


The Anonymous Users Role is used only to govern access to Common Data Service data. It will not respect any other rules or permissions.

Now that you understand the concept of the web roles, let's see how they can be used to shape permissions for our portal.