Overview of User Security

User security authenticates users when they log into a ColdFusion application, and then assigns privileges based on group membership or other criteria that you determine. For example, suppose you use ColdFusion to build and host your company's intranet. The Human Resources department maintains a page on the intranet on which all employees can access timely information about the company, such as the latest company policies, upcoming events, and job postings. You want everyone to be able to read the information, but you want only certain authorized Human Resources employees to be able to add, update, or delete information.

In addition, you might want to let employees view customized information about their salaries, job levels, and performance reviews. You certainly would not want one employee to view sensitive information about another employee, but you would want managers to be able to see, and possibly update, information about their direct reports. User security authenticates and authorizes users each time that they try to access or work with sensitive data.

User security is made up of two components:

Security contexts, configured on the Advanced Security page of the ColdFusion Administrator. A security context provides the framework against which to authenticate and authorize users.
Code you write in your application pages that checks against a security context to see whether a user is allowed to access a particular resource and then takes appropriate action.

Before you can implement user security in your applications, you must make sure that your ColdFusion administrator installed Advanced Security on the server and configured the appropriate security framework for your application. After the security framework is in place, you can code security features into your ColdFusion applications. For detailed information about installing Advanced Security and setting up a security framework, see Advanced ColdFusion Administration.

Developing ColdFusion Applications
Application Security