Authentication and authorization of a CMS request is layered on top of IIS and ASP.NET security. To understand how to manage user access in CMS, it is necessary to understand the authentication, impersonation, and authorization mechanisms for both of these technologies. CMS authentication and authorization is performed by the CMS Authorization module. There are two different authentication mechanisms supported in CMS: Windows authentication and forms-based authentication; the former is more suitable for internal sites, while the latter is best suited for external sites. Authorization in CMS is based on the CMS rights groups that the user is a member of. Each rights group belongs to the role that defines this group's permissions; a user can be a member of more than one group; the user permissions are defined by the combination of the group's permissions.
In the next chapter, we will apply our understanding of how to manage user access to several CMS deployment scenarios, and will look into securing CMS sites.