Content Manager and Topology Manager security
This section describes the subsystems and services of the Content Manager and Topology Manager, the default user accounts used to access and run these subsystems, and the minimal rights, privileges and/or permissions required by an account to operate a subsystem.
The following diagram is a high-level overview of the SDL Tridion Sites system: clients of the Content Manager access the Content Manager through IIS and content is distributed from the Content Manager to Content Delivery using the Transport Service:
- Content Manager subsystems and services
  The Content Manager subsystems consist of COM+ Applications, Microsoft Windows Services and the Content Manager Database.
- Content Manager user accounts
  The following table provides a summary of the Content Manager subsystem and services user accounts.
- Modifying user accounts
  You can modify the user account for Windows services.
- Granting users access to encryption functionality
  The Content Manager uses a .NET encryption key to ensure the encryption of sensitive configuration data such as passwords. If you change the user account that runs a subsystem, you must grant that new user access to the encryption key.
- Configuring how soon changes to security settings take effect
  By default, it takes 300 seconds (5 minutes) for a change to a Content Manager user's rights, permissions or group membership to be applied. You can change this time period by editing the Content Manager configuration file, Tridion.ContentManager.config.
- Setting up HTTPS access to Content Manager
  HTTPS access requires you to import a certificate and run an installation script.
- Setting up SAML access to Content Manager
  SDL Tridion Sites offers SAML 2.0 support, supporting both an Identity Provider-initiated (IdP-initiated) and a Service Provider-initiated (SP-initiated) scenario. User provisioning and group mapping are also supported. To set up SAML, run the PowerShell installation script for SAML, which ensures that SAML is properly configured in both the general Content Manager configuration file, Tridion.ContentManager.config, and the specific SAML configuration file, saml.config.
- Setting up LDAP integration for Content Manager
  Many organizations store information about their users and groups in directory services that support the Lightweight Directory Access Protocol (LDAP). The Content Manager provides authentication and authorization services for these users based on their group memberships. To enable these features, you must configure information about the LDAP-accessible server in the Content Manager.
- Setting up single sign-on integration for Content Manager
  SDL Tridion Sites enables you to integrate Content Manager with single sign-on (SSO) servers so that Content Manager users no longer need to log in separately. If you configure single sign-on integration, you cannot configure LDAP integration, and vice versa.
- Content Manager database
  The Content Manager uses a database for its content. The connecting users are referred to as tcmdbuser.
- Content Manager clients
  Content Manager clients connect to the Content Manager server through the Core Service, IIS, or WebDAV to enable the creation or modification of Content Manager items. This section describes the rights and privileges required by these clients.
- Securing SDL Tridion Sites-based interfaces against CSRF
  To guard Content Manager Explorer, Experience Manager, or any other interface that communicates with the server-side UI framework against cross-site request forgery (CSRF), configure basic or general anti-CSRF security on the Content Manager server.
- Content Manager security best practices
  This topic describes the best practices concerning security for the Content Manager.
- Content Manager security settings
  This section describes the security settings (the rights, privileges and permissions) for the Content Manager.
- References and links
  For information on security in general, refer to the following resources.
- Modifying the secret key used to secure user credentials used by Topology Manager
  Topology Manager stores a number of credentials in its database. To prevent a person with access to the database from being able to access all your environments, these credentials are secured using a secret key. Because the default secret key is hardcoded and can become known, SDL recommends that, before setting up your implementation of Tridion Sites, you replace the default secret key with a custom secret key.