
Evaluating inherited security roles with Sitecore conditional rendering rules

The Sitecore Rules Engine is a great piece of software. It applies the logic defined in actions whenever specific conditions evaluate to true. Besides being used heavily by Sitecore itself, it allows business users to personalize rendering components with conditional rendering rules and developers to define more granular insert options for Sitecore items. These are just a few examples of the broad variety of capabilities it offers.

Through its browser-based interface it is very easy to set up the conditions and their actions.

John West wrote a great blog post in the past about the Sitecore Rules Engine and I highly recommend reading it.

There are also tons of blog posts that explain the process of creating custom conditions and actions for the Rules Engine. In this blog post I’m going to share my experience with creating a custom condition that evaluates the visitor’s security roles while taking role inheritance into account. Out of the box, Sitecore ships with a conditional rendering rule named User Role. This rule is defined as:

where the current user is a member of the [value,UserRoles,,specific] role

and its implementation can be found in the Sitecore.Rules.Conditions.SecurityConditions.UserRoleCondition,Sitecore.Kernel class.

This rule does not need any further explanation, but it is important to know that it is as simple as its definition: it evaluates only the user’s direct security roles, and inherited security roles are not evaluated at all. One thing Sitecore developers learn early on is that inheritance is essential, so it is very common for security roles to inherit from other security roles. This is a great benefit when it comes to managing security within Sitecore, and it is exactly what the out-of-the-box rule misses.

For our custom condition we can simply duplicate the existing rule definition found at /sitecore/system/Settings/Rules/Definitions/Elements/Security/User Role and rename it to something suitable, e.g. User Role with inheritance. Then we need to update its definition in the Text field:

where the current user is a member of the [value,UserRoles,,specific] role, either directly or through inheritance

In the Type field we specify the implementing class, in the same Class,Assembly format the out-of-the-box rule uses.

The final step is actually writing some code.

namespace EXLRT.SharedSource.Rules.WhenConditions
{
    using Sitecore;
    using Sitecore.Diagnostics;
    using Sitecore.Rules;
    using Sitecore.Rules.Conditions;
    using Sitecore.Security.Accounts;
    using System;

    public class ExtendedUserRoleCondition<T> : WhenCondition<T> where T : RuleContext
    {
        protected override bool Execute(T ruleContext)
        {
            Assert.ArgumentNotNull(ruleContext, nameof(ruleContext));
            // Value holds the roles picked in the rule editor as a pipe-separated list.
            string configuredRoles = this.Value;
            if (configuredRoles != null)
            {
                foreach (string configuredRole in configuredRoles.Split(new string[] { "|" }, StringSplitOptions.RemoveEmptyEntries))
                {
                    Role role = Role.FromName(configuredRole);
                    // includeIndirectMembership: true is the whole difference from the
                    // out-of-the-box UserRoleCondition: roles inherited via roles-in-roles count too.
                    if (RolesInRolesManager.IsUserInRole(Context.User, role, includeIndirectMembership: true))
                    {
                        return true;
                    }
                }
            }
            return false;
        }

        // Bound by the Rules Engine from the [value,UserRoles,,specific] token in the rule text.
        public string Value { get; set; }
    }
}
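To make the difference between direct and inherited membership concrete, here is an added stand-alone Python model of roles-in-roles inheritance. It is not Sitecore's code and not part of the condition above: the role graph, the users and the function names are constructed for illustration, and it goes slightly beyond the post by also handling a cycle in the role graph.

```python
from collections import deque

# Constructed sample data (not taken from a real Sitecore instance).
# ROLE_PARENTS maps each role to the roles it inherits from ("roles in roles").
# Author and Reviewer deliberately inherit from each other to exercise the cycle guard.
ROLE_PARENTS = {
    "sitecore\\Author": {"sitecore\\Editor", "sitecore\\Reviewer"},
    "sitecore\\Editor": {"sitecore\\Publisher"},
    "sitecore\\Publisher": set(),
    "sitecore\\Reviewer": {"sitecore\\Author"},
}

# Constructed users with the roles assigned to them directly.
USER_ROLES = {
    "sitecore\\alice": {"sitecore\\Author"},
    "sitecore\\bob": {"sitecore\\Publisher"},
}

def direct_roles(user):
    """Roles assigned to the user directly: all the stock User Role rule looks at."""
    return set(USER_ROLES.get(user, ()))

def effective_roles(user, role_parents=ROLE_PARENTS):
    """Direct roles plus every role reachable through inheritance.

    Breadth-first walk with a visited set, so a cycle in the role graph
    (Author <-> Reviewer above) terminates instead of looping forever.
    """
    seen, queue = set(), deque(direct_roles(user))
    while queue:
        role = queue.popleft()
        if role in seen:
            continue
        seen.add(role)
        queue.extend(role_parents.get(role, ()))
    return seen

def is_user_in_role(user, role, include_indirect_membership=False):
    """Model of the includeIndirectMembership switch: False means direct roles only."""
    roles = effective_roles(user) if include_indirect_membership else direct_roles(user)
    return role in roles

def condition_matches(user, configured_roles, include_indirect_membership=True):
    """Evaluate the rule's pipe-separated Value the way the condition's loop does."""
    return any(is_user_in_role(user, r, include_indirect_membership)
               for r in configured_roles.split("|") if r)
```

With include_indirect_membership=False the model reproduces the stock rule's behaviour: alice, who only holds Author directly, is not matched by a rule configured for Publisher even though Author inherits it.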