Break and restore permission inheritance

Permissions in Sitefinity CMS are inheritable. This enables you to make a permission assignment to a user or role once and have this permission applied to each of its child items. This behavior can reduce the complexity and time needed for managing the security of the system. If you want to customize the permissions of an inheriting child item, you must first break the inheritance; you can then modify the child item's permissions. The root object of the permissions inheritance hierarchy is Security Root, which is instantiated per provider. For more information, see Overview: Permissions.

Inherit permissions 

By default, permissions pass from parent to child throughout the module hierarchy. This means that every new item inherits, by default, from its parent. 
Creating an inheritance association between two secured objects, such as the parent and the inheriting child, is done by invoking the CreatePermissionInheritanceAssociation method of the provider. This method copies all the permissions from the parent object to the child object and, if applicable, to all the children of the child, recursively. It also creates a persistent InheritanceMap object, which maps the connection between the parent and the child. This way, when you add new permissions to the parent, they will also be applied to the respective inheriting children.

Break the inheritance of permissions 

To modify the permissions of an item that inherits permissions from a parent item, you must first break the permissions inheritance. Breaking the inheritance is done by invoking the manager's BreakPermissionsInheritance method. This operation clones the inherited permissions from the parent item to the inheriting item, which enables you to modify them locally. It sets the secured object's Boolean property InheritsPermissions to false.

NOTE: To determine if a permission in the secured object's Permissions collection is inherited, inspect the permission's ObjectId property. If it is different from the secured object's ID, it is an inherited permission and the ID recorded on the permission is the ID of a parent object.

You can break the inheritance for any item in the inheritance chain. For example, for dynamic modules you can break inheritance for a module, a dynamic type, and a specific dynamic content item. You can do this in any order.

The following code demonstrates breaking the permissions inheritance of a dynamic module:

The following code demonstrates breaking the permissions inheritance of a dynamic content item:

Restore the inheritance of permissions

To restore permissions inheritance of a secured object, after you have broken the inheritance, invoke the manager's RestorePermissionsInheritance method. It sets the secured object's Boolean property InheritsPermissions to true and ensures that the object and all its inheriting children get their permissions inherited from the parent again.
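
The break and restore behavior described above, together with the ObjectId check from the NOTE, as a simplified in-memory model added here; it is not Sitefinity's code and does not call the Sitefinity API. The property and method names mirror the article, while the class shapes, Grant, Describe and the Editors/Authors entries are hypothetical. Two behaviors are assumptions of the model: cloned permissions carry the child's own ID, and restoring discards the local clones.

```csharp
using System;
using System.Collections.Generic;
using System.Linq;
// Simplified model, not the Sitefinity API. Property names follow the article;
// the classes, Grant/Describe and the module/item objects are hypothetical.
class Permission { public Guid ObjectId; public string Principal, Action; }

class SecuredObject
{
    public readonly Guid Id = Guid.NewGuid();
    public readonly List<Permission> Local = new List<Permission>(); // rows this object owns
    public SecuredObject Parent;
    public bool InheritsPermissions = true;

    // Own rows, plus the parent's rows while inheritance is intact.
    public IEnumerable<Permission> Permissions =>
        InheritsPermissions && Parent != null ? Local.Concat(Parent.Permissions) : Local;
    public void Grant(string principal, string action) =>
        Local.Add(new Permission { ObjectId = Id, Principal = principal, Action = action });

    // Break: clone the inherited rows into rows owned by this object (assumption), then detach.
    public void BreakPermissionsInheritance()
    {
        if (Parent == null || !InheritsPermissions) return;
        foreach (var p in Parent.Permissions.ToList()) Grant(p.Principal, p.Action);
        InheritsPermissions = false;
    }
    // Restore: assumed here to discard the local clones and follow the parent again.
    public void RestorePermissionsInheritance() { Local.Clear(); InheritsPermissions = true; }

    // The NOTE's check: a row whose ObjectId differs from this object's Id is inherited.
    public string Describe() => string.Join(", ", Permissions.Select(p =>
        p.Principal + ":" + p.Action + (p.ObjectId != Id ? " (inherited)" : " (local)")));
}

static class Demo
{
    static void Main()
    {
        var module = new SecuredObject();
        var item = new SecuredObject { Parent = module };
        module.Grant("Editors", "Modify");
        Console.WriteLine("inheriting: " + item.Describe());
        item.BreakPermissionsInheritance();
        module.Local.Clear(); module.Grant("Authors", "View"); // parent changes after the break
        Console.WriteLine("broken:     " + item.Describe());
        item.RestorePermissionsInheritance();
        Console.WriteLine("restored:   " + item.Describe());
    }
}
```

In this model the revocation made on the parent after the break does not reach the item until inheritance is restored, so objects with InheritsPermissions set to false are the ones to include in a separate permission review.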

The following code demonstrates restoring the permissions inheritance of a dynamic module:

The following code demonstrates restoring the permissions inheritance of a dynamic content item:
