Plone Security

Overview of Plone security capabilities: Plone has the best track record in security of any major CMS.

Plone SecurityPlone has a powerful and fine-grained security model. It provides a myriad of options for security at all levels so each object can have custom security for user, role or users group. Plone security is so powerful and multifaceted that it can be quite hard to debug and manage.

Plone Security: Workflow and Access Control

Plone workflow manages the security of each object in the workflow. It does this by changing the actual permissions on an object. You can see how the security settings for objects in one state can be different from the security settings of an object in another state.

Workflow controls the logic of processing content through the site. You can configure this logic through the web using graphical tools. Site administrators can make sites as complex or as simple as they'd like; for example, you can add notification tools such as sending e-mails or instant messages to users.

For every item of content in a Plone site, you can set up access control lists to decide who has access to that item and how they'll be able to interact with it. Will they be able to edit it, view it, or comment on it? All this is configurable through the web.

Web Security Issues

The normal challenge of security for web sites isn't "how secure is the underlying implementation" but "how hard is it for me to be sure that I haven't opened security holes by having to take care of this all myself?"

Of course, you can get security wrong with Zope too, but given that it's declarative, it's usually easy to note. For example, it's likely that you might forget to set it so that unpublished things are unviewable to anonymous users. But you'd see that hole on _all_ objects in the state, making it fairly easy to notice. Compare this to your having to add, on a template-by-template basis, the kind of manually-handled security checks that some other systems require.

Being a flexible, professional, standard role-based authentication system, Plone is a safe choice for organizations. Even organizations with the highest security requirements, such as Federal Bureau of Investigation (FBI) or Central Intelligence Agency (CIA), rely on Plone to ensure the best  security level of their websites.

Connect with our experts Let's talk