Add Restriction Profiles page (security/restriction-profiles.md) #41
Open
Description
Context
SPE 9.0 introduces Constrained Language Mode (CLM) restriction profiles (#1426 in Console repo). A new documentation page is needed to explain this feature.
Proposed Location
security/restriction-profiles.md
Content to Cover
Overview
- What restriction profiles are and why they exist (tiered security for remoting endpoints)
- Relationship to PowerShell's `PSLanguageMode` (FullLanguage, ConstrainedLanguage, RestrictedLanguage)
Built-in Profiles
| Profile | Language Mode | Command Mode | Use Case |
|---|---|---|---|
| unrestricted | FullLanguage | None | Default, full access |
| read-only | ConstrainedLanguage | Blocklist | Reporting, dashboards |
| read-only-strict | ConstrainedLanguage | Blocklist (stricter) | Untrusted consumers |
| content-editor | ConstrainedLanguage | Allowlist | Content management APIs |
Profile Features
- Command restrictions: Blocklist mode (block specific commands) vs Allowlist mode (only allow listed commands)
- Module restrictions: Control which PowerShell modules can be loaded, autoload preferences (None, All)
- Item path restrictions: Block/allow access to Sitecore content paths via prefix matching
- Audit levels: None, Violations, Standard, Full
- Enforcement modes: Enforce (block violations) vs Audit (log without blocking, dry-run)
Profile Resolution Order
1. JWT scope claim (highest precedence)
2. API Key item profile
3. Service-level profile (from `Spe.config`)
4. Default: `unrestricted`
Configuration
- How profiles are defined in `Spe.config` under `<restrictionProfiles>`
- Setting a profile on a service: `<remoting profile="read-only" />`
- XML config examples for each profile
Item-Based Overrides
- Override items at `/sitecore/system/Modules/PowerShell/Settings/Remoting/Restriction Profiles/`
- Template: `Restriction Profile` template
- Additive-only merging (most restrictive wins)
- Fields: Enabled, BaseProfile, AdditionalBlockedCommands, AdditionalAllowedCommands, AuditLevelOverride, AdditionalBlockedPaths, AdditionalAllowedPaths
Response Headers
- `X-SPE-Restriction`: active profile name
- `X-SPE-BlockedCommand`: which command was blocked (on 403)
- `X-SPE-Profile`: resolved profile name
Related
- Depends on Console repo feature/clm branch (#1426)
- Links to: web-services.md, api-keys.md, trusted-scripts.md
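As an added example (not SPE's code and not the Console repo's implementation of #1426), the PowerShell below exercises the two hosting mechanisms a restriction profile layers together: the runspace language mode (FullLanguage vs ConstrainedLanguage, i.e. the `PSLanguageMode` relationship from the Overview) and the command set exposed to the caller (the Blocklist and Allowlist command modes, with module autoload pinned to None as in the Module restrictions bullet). The profile names follow the table above; the blocked and allowed cmdlet lists and the probe scripts are assumptions chosen for illustration, not SPE's actual lists.

```powershell
# Added example, not SPE's code: builds runspaces shaped like the issue's
# profiles and runs the same probes in each. Cmdlet lists are assumptions.

using namespace System.Management.Automation
using namespace System.Management.Automation.Runspaces

function New-ProfiledRunspace {
    param(
        [Parameter(Mandatory)] [PSLanguageMode] $LanguageMode,
        [string[]] $BlockedCommands = @(),   # blocklist mode
        [string[]] $AllowedCommands = @()    # allowlist mode; takes over when non-empty
    )
    # CreateDefault() registers every built-in cmdlet, function and alias up front,
    # so the filtering below sees the complete command table before Open().
    $iss = [InitialSessionState]::CreateDefault()
    $iss.LanguageMode = $LanguageMode

    # Autoload 'None': otherwise a removed cmdlet can come straight back through
    # module autoloading the moment a script names it.
    $iss.Variables.Add([SessionStateVariableEntry]::new(
        'PSModuleAutoLoadingPreference', 'None', 'pinned by restriction profile'))

    # Resolve aliases to their targets so that 'icm' falls with 'Invoke-Command'.
    $toRemove = foreach ($entry in $iss.Commands) {
        $target = if ($entry -is [SessionStateAliasEntry]) { $entry.Definition } else { $entry.Name }
        if ($AllowedCommands.Count -gt 0) {
            if ($target -notin $AllowedCommands) { $entry.Name }
        } elseif ($target -in $BlockedCommands) {
            $entry.Name
        }
    }
    foreach ($name in ($toRemove | Sort-Object -Unique)) {
        $iss.Commands.Remove($name, $null)   # type $null = every entry with that name
    }

    $rs = [RunspaceFactory]::CreateRunspace($iss)
    $rs.Open()
    return $rs
}

function Invoke-Probe {
    param([Runspace] $Runspace, [string] $Script)
    $ps = [PowerShell]::Create()
    $ps.Runspace = $Runspace
    try {
        $out = $ps.AddScript($Script).Invoke()
        if ($ps.HadErrors) { "BLOCKED  $($ps.Streams.Error[0].Exception.Message)" }
        else               { "ok       $($out -join ', ')" }
    } catch {
        "BLOCKED  $($_.Exception.Message)"   # statement-terminating errors surface here
    } finally { $ps.Dispose() }
}

# Constructed probes: each targets one capability a profile may or may not permit.
$probes = [ordered]@{
    'language mode'        = '$ExecutionContext.SessionState.LanguageMode'
    'core type method'     = '[math]::Max(1, 2)'                        # allowed in CLM
    'non-core type method' = '[System.IO.Directory]::Exists($PSHOME)'  # CLM blocks this
    'New-Object non-core'  = 'New-Object System.Diagnostics.ProcessStartInfo'
    'Invoke-Command'       = 'Invoke-Command -ScriptBlock { 1 + 1 }'
    'alias icm'            = 'icm { 1 + 1 }'
    'Get-Date'             = '(Get-Date).Year -gt 2000'
}

# Three of the issue's profiles, modelled with assumed command lists.
$profiles = @(
    @{ Name = 'unrestricted';   Mode = 'FullLanguage';        Blocked = @();                           Allowed = @() }
    @{ Name = 'read-only';      Mode = 'ConstrainedLanguage'; Blocked = 'Invoke-Command', 'Start-Job'; Allowed = @() }
    @{ Name = 'content-editor'; Mode = 'ConstrainedLanguage'; Blocked = @();                           Allowed = 'Get-Date', 'Select-Object' }
)

foreach ($p in $profiles) {
    $rs = New-ProfiledRunspace -LanguageMode $p.Mode -BlockedCommands $p.Blocked -AllowedCommands $p.Allowed
    "`n== $($p.Name)  ($($p.Mode))"
    foreach ($k in $probes.Keys) {
        '{0,-22} {1}' -f $k, (Invoke-Probe -Runspace $rs -Script $probes[$k])
    }
    $rs.Dispose()
}
```

Run it from a FullLanguage session (the host script itself constructs non-core types). Two things the output makes visible that the feature list alone does not: a blocklist that matches cmdlet names only would still leave the alias reachable, which is why the filter resolves alias definitions, and a cmdlet removed from the session can be re-imported by module autoloading unless the autoload preference is None, which is the reason that setting sits alongside the command lists in a profile.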