Multiplexing Provider and Security
The Multiplexing providers in EPiServer CMS 5 allow several role and membership providers to be chained together, so that authentication and authorization are attempted against each provider in turn. This is very powerful, allowing users from different sources to log in. The typical example is to enable the SqlServer and Windows membership and role providers, allowing both Windows users and users stored in a SqlServer database to log in to the site. By default, only the Windows role and membership providers are enabled, allowing local Administrator users to log in after the installation.
However, there is a catch. If you have the same name for roles (groups) in two different role providers, you might open a security hole. If you assign access to a page for a group in Role Provider A, and then someone creates a group with the same name in Role Provider B, any user who is a member of the group in Role Provider B will get access to this page. This might not be what you want.
You have to be particularly careful if you create your own providers that authenticate against other systems (other sites, back-end systems, etc.). You do not want to have two role providers with an Administrators role (unless you plan for it)!
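As an added illustration (not from the original post and not EPiServer's own code), here is a small Python model of the chaining behaviour described above, together with an audit that lists role names defined in more than one provider; the provider names, role names and users are constructed for the example.

```python
# Added example (not EPiServer code): models chained role providers where a
# user is in a role if ANY provider says so, and audits for role-name
# collisions across providers. All names below are constructed sample data.
from dataclasses import dataclass, field


@dataclass
class RoleProvider:
    name: str
    roles: dict = field(default_factory=dict)  # role name -> set of user names

    def is_user_in_role(self, user, role):
        return user in self.roles.get(role, set())

    def get_all_roles(self):
        return set(self.roles)


class MultiplexingRoleProvider:
    """Chains providers: the first provider that answers 'yes' wins."""

    def __init__(self, providers):
        self.providers = providers

    def is_user_in_role(self, user, role):
        return any(p.is_user_in_role(user, role) for p in self.providers)


def has_access(acl, user, role_provider):
    """acl is the set of role names granted access to a page."""
    return any(role_provider.is_user_in_role(user, r) for r in acl)


def duplicate_roles(providers):
    """Role names that exist in more than one provider: the collision the post warns about."""
    seen = {}
    for p in providers:
        for role in p.get_all_roles():
            seen.setdefault(role, []).append(p.name)
    return {role: names for role, names in seen.items() if len(names) > 1}


def demo():
    windows = RoleProvider("WindowsRoleProvider", {"Administrators": {"CORP\\alice"}})
    sql = RoleProvider("SqlServerRoleProvider", {"Editors": {"bob"}})
    mux = MultiplexingRoleProvider([windows, sql])
    page_acl = {"Administrators"}  # access granted with the Windows group in mind
    before = has_access(page_acl, "bob", mux)  # bob is only an Editor: no access
    sql.roles["Administrators"] = {"bob"}       # same-named group created in provider B
    after = has_access(page_acl, "bob", mux)   # bob now passes the check for the page
    return before, after, duplicate_roles([windows, sql])
```

Running the same audit over the roles returned by each configured provider is a quick way to spot a name collision before it turns into an unintended grant.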
11 January 2008