The default permissions set up in the Security app demonstrate how to assign roles, ACLs and web access in a typical scenario. These permissions are complemented by configured app access.

The Permissions app allows you to view a comprehensive list of permissions assigned to any user or group in the Security app at any point in time. 

The tables below show default permissions, role and group assignments, and configured access permissions. 

Roles

anonymous (role, author instance)

The anonymous role defines the permissions of public, unauthenticated users. Permissions are different on the author and public instances.

Access control lists

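| Workspace | Permission | Scope | Path |
| --- | --- | --- | --- |
| Category | Read only | Selected and sub nodes | / |
| DAM | Read only | Sub nodes | / |
| GoogleSitemaps | Read only | Selected and sub nodes | / |
| Resources | Read only | Sub nodes | / |
| Tags | Read only | Selected and sub nodes | / |
| Website | Deny access | Sub nodes | / |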

Web access

| Permission | Path |
| --- | --- |
| Deny | * |
| Deny | /.magnolia* |

anonymous (role, public instance)

Access control lists

| Workspace | Permission | Scope | Path |
| --- | --- | --- | --- |
| Category | Read only | Selected and sub nodes | / |
| Dam | Read only | Selected and sub nodes | / |
| GoogleSitemaps | Read only | Selected and sub nodes | / |
| Resources | Read only | Sub nodes | / |
| Tags | Read only | Selected and sub nodes | / |
| Website | Read only | Sub nodes | / |

Web access

| Permission | Path |
| --- | --- |
| Get & Post | * |
| Deny | /.magnolia* |
| Deny | /.magnolia/* |
| Deny | /.rest* |

superuser (role)

The superuser role provides full access to the system. The permissions are the same on author and public instances.

Access control lists

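| Workspace | Permission | Scope | Path |
| --- | --- | --- | --- |
| Category | Read/Write | Sub nodes | / |
| Config | Read/Write | Sub nodes | / |
| Contacts | Read/Write | Sub nodes | / |
| Dam | Read/Write | Sub nodes | / |
| Dms* | Read/Write | Sub nodes | / |
| Forum | Read/Write | Sub nodes | / |
| GoogleSitemaps | Read/Write | Sub nodes | / |
| Imaging | Read/Write | Sub nodes | / |
| Messages | Read/Write | Sub nodes | / |
| Profiles | Read/Write | Sub nodes | / |
| Resources | Read/Write | Sub nodes | / |
| Rss | Read/Write | Sub nodes | / |
| Scripts | Read/Write | Sub nodes | / |
| Segments | Read/Write | Sub nodes | / |
| Tags | Read/Write | Sub nodes | / |
| Tasks | Read/Write | Sub nodes | / |
| Templates | Read/Write | Sub nodes | / |
| Tours | Read/Write | Sub nodes | / |
| Usergroups | Read/Write | Sub nodes | / |
| Userroles | Read/Write | Sub nodes | / |
| Users | Read/Write | Sub nodes | / |
| Website | Read/Write | Sub nodes | / |
| Workflow (EE) | Read/Write | Sub nodes | / |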

Web access

| Permission | Path |
| --- | --- |
| Get & Post | * |

Configured access

| Applies to | Name | Path |
| --- | --- | --- |
| App | Activation | /modules/activation/apps/activation/permissions/roles |
|  | Configuration | /modules/ui-admincentral/apps/configuration/permissions/roles |
|  | Security | /modules/security-app/apps/security/permissions/roles |
|  | Security | /modules/security-app/dialogs/role/form/tabs/role/fields/jcrName |
|  | Mail tools | /modules/mail/apps/mail/permissions/roles |
|  | Dev tools | /modules/tools/apps/tools/permissions/roles |
|  | Backup | /modules/backup/apps/backup/permissions/roles |
| App launcher | Dev group | /modules/ui-admincentral/config/appLauncherLayout/groups/dev/permissions/roles |
|  | Tools group | /modules/ui-admincentral/config/appLauncherLayout/groups/tools/permissions/roles |
| Pulse | Abort action | /modules/workflow/messageViews/publish/actions/abort/availability/access/roles |
|  | Archive action | /modules/workflow/messageViews/publish/actions/archive/availability/access/roles |

travel-demo-base

These are roles specific to the demo websites. The permissions are the same on author and public instances.

Access control lists

| Workspace | Permission | Scope | Path |
| --- | --- | --- | --- |
| Category | Read only | Selected and sub nodes | /tour-types |
| Category | Read only | Selected and sub nodes | /destinations |
| Dam | Read only | Sub nodes | / |
| Tours | Read only | Sub nodes | / |

travel-demo-admincentral

These are roles specific to the demo-project example websites. The permissions are the same on author and public instances.

Web access

| Permission | Path |
| --- | --- |
| Get & Post | * |

travel-demo-editor

Access control lists

| Workspace | Permission | Scope | Path |
| --- | --- | --- | --- |
| Category | Read/Write | Sub nodes | / |
| Dam | Read/Write | Sub nodes | / |
| Website | Read/Write | Sub nodes | / |

Configured access

| Applies to | App | Name | Path |
| --- | --- | --- | --- |
| App | Assets |  | /modules/dam-app/apps/assets/permissions/roles |
| Action | Assets | Activate | /modules/dam-app/apps/assets/subApps/browser/actions/activate/availability/access/roles |
| Action | Pages | Activate | /modules/pages/apps/pages/subApps/browser/actions/activate/availability/access/roles |

travel-demo-publisher

Access control lists

| Workspace | Permission | Scope | Path |
| --- | --- | --- | --- |
| Website | Read/Write | Sub nodes | / |

Configured access

| Applies to | App | Name | Path |
| --- | --- | --- | --- |
| App | Assets |  | /modules/dam-app/apps/assets/permissions/roles |
| Action | Assets | Activate | /modules/dam-app/apps/assets/subApps/browser/actions/activate/availability/access/roles |
| Action | Pages | Activate | /modules/pages/apps/pages/subApps/browser/actions/activate/availability/access/roles |

travel-demo-tour-editor

Access control lists

| Workspace | Permission | Scope | Path |
| --- | --- | --- | --- |
| Category | Read/Write | Selected and sub nodes | /tour-types |
| Category | Read/Write | Selected and sub nodes | /destinations |
| Dam | Read/Write | Sub nodes | / |
| Tours | Read/Write | Sub nodes | / |

editor

Installed by the workflow module (EE). Allows editing content.

Access control lists

| Workspace | Permission | Scope | Path |
| --- | --- | --- | --- |
| Category | Read/Write | Sub nodes | / |
| Contacts | Read/Write | Sub nodes | / |
| Dam | Read/Write | Sub nodes | / |
| Website | Read/Write | Sub nodes | / |

Configured access

| Applies to | App | Name | Path |
| --- | --- | --- | --- |
| Action | Pages | Activate | /modules/pages/apps/pages/subApps/browser/actions/activate/availability/access/roles |

publisher

Installed by the workflow module (EE). Allows publishing content.

Access control lists

| Workspace | Permission | Scope | Path |
| --- | --- | --- | --- |
| Category | Read only | Sub nodes | / |
| Contacts | Read only | Sub nodes | / |
| Website | Read only | Sub nodes | / |
| Workflow | Read/Write | Sub nodes | / |

Configured access

| Applies to | App | Name | Path |
| --- | --- | --- | --- |
| Action | Pages | Activate | /modules/pages/apps/pages/subApps/browser/actions/activate/availability/access/roles |

workflow-base

Base role allowing users to use the workflow workspace (EE).

Access control lists

| Workspace | Permission | Scope | Path |
| --- | --- | --- | --- |
| Workflow | Read/Write | Sub nodes | / |

contact-base

Access control lists

| Workspace | Permission | Scope | Path |
| --- | --- | --- | --- |
| Contact | Read only | Sub nodes | / |

imaging-base

Access control lists

| Workspace | Permission | Scope | Path |
| --- | --- | --- | --- |
| Imaging | Read only | Sub nodes | / |

resources-base

Access control lists

| Workspace | Permission | Scope | Path |
| --- | --- | --- | --- |
| Config | Read only | Selected and sub nodes | /modules/resources |
| Resources | Read/Write | Sub nodes | / |

rest

Web access

| Permission | Path |
| --- | --- |
| Deny | /.rest* |
| Deny | /.rest/commands* |
| Deny | /.rest/nodes* |
| Get & Post | /.rest/nodes/v1/website* |
| Deny | /.rest/properties* |
| Get & Post | /.rest/properties/v1/website* |
| Get & Post | /.rest/cache/v1* |
| Get & Post | /.rest/api-docs* |

Configured access

| Applies to | Name | Path |
| --- | --- | --- |
| Commands | Delete | /modules/rest-services/rest-endpoints/commands/enabledCommands/markAsDeleted/access/roles |
|  | Activate | /modules/rest-services/rest-endpoints/commands/enabledCommands/activate/access/roles |

rss-aggregator-base

Access control lists

| Workspace | Permission | Scope | Path |
| --- | --- | --- | --- |
| Rss | Read-only | Sub nodes | / |

scripter

Access control lists

| Workspace | Permission | Scope | Path |
| --- | --- | --- | --- |
| Scripts | Read/Write | Sub nodes | / |

Web access

| Permission | Path |
| --- | --- |
| Get & Post | * |

Configured access

| Applies to | App | Path |
| --- | --- | --- |
| App | Groovy | /modules/groovy/apps/groovy/permissions/roles |

security-base

Web access

| Permission | Path |
| --- | --- |
| Deny | /.magnolia/pages/jcrUtils* |
| Deny | /.magnolia/log4j |
| Deny | /.magnolia/pages/configuration* |
| Deny | /.magnolia/pages/logViewer* |
| Deny | /.magnolia/pages/users* |
| Deny | /.magnolia/pages/import* |
| Deny | /.magnolia/pages/export* |
| Deny | /.magnolia/pages/permission* |
| Deny | /.magnolia/pages/developmentUtils* |
| Deny | /.rest* |

templater-base

Access control lists

| Workspace | Permission | Scope | Path |
| --- | --- | --- | --- |
| Config | Read-only | Selected and sub nodes | /modules/inplace-templating |
| Templates | Read/Write | Sub nodes | / |

Configured access

| Applies to | App | Path |
| --- | --- | --- |
| App | Templates | /modules/inplace-templating/apps/inplace-templating/permissions/roles |

forum_ALL-user

Role that allows posting in all forums.

Access control lists

| Workspace | Permission | Scope | Path |
| --- | --- | --- | --- |
| Forum | Read/Write | Sub nodes | / |

Web access

| Permission | Path |
| --- | --- |
| Get & Post | /.magnolia/pages/forum* |

forum_ALL-admin

Role that gives administration permissions on all forums.

Access control lists

| Workspace | Permission | Scope | Path |
| --- | --- | --- | --- |
| Forum | Read/Write | Sub nodes | / |

Web access

| Permission | Path |
| --- | --- |
| Get & Post | /.magnolia/pages/forum* |

Configured access

| Applies to | App | Name | Path |
| --- | --- | --- | --- |
| App | Forum |  | /modules/forum/apps/forum/permissions/roles |
| Actions | Forum | Add forum | /modules/forum/apps/forum/subApps/browser/actions/addForum/availability/access/roles |
|  |  | Edit forum | /modules/forum/apps/forum/subApps/browser/actions/editForum/availability/access/roles |
|  |  | Delete forum | /modules/forum/apps/forum/subApps/browser/actions/deleteForum/availability/access/roles |
|  |  | Confirm delete | /modules/forum/apps/forum/subApps/browser/actions/confirmDeleteForum/availability/access/roles |

forum_ALL-moderator

Role that gives moderation permissions on all forums.

Access control lists

| Workspace | Permission | Scope | Path |
| --- | --- | --- | --- |
| Forum | Read/Write | Sub nodes | / |

Web access

| Permission | Path |
| --- | --- |
| Get & Post | /.magnolia/pages/forum* |

Configured access

| Applies to | App | Path |
| --- | --- | --- |
| App | Forum | /modules/forum/apps/forum/permissions/roles |

forum-pagecomments-user

Role which gives commenting permissions.

| Workspace | Permission | Scope | Path |
| --- | --- | --- | --- |
| Forum | Read/Write | Selected and sub nodes | /pagecomments |

Groups

Group permissions are the same on author and public instances.

travel-demo-editors

The travel-demo-editors group is used to organize the editors of the sample websites.

| Assigned groups | Assigned roles |
| --- | --- |
| (none) | travel-demo-admincentral, travel-demo-editor, travel-demo-tour-editor, imaging-base, security-base, resources-base, workflow-base |

travel-demo-publishers

The travel-demo-publishers group is used to organize the publishers of the sample websites.

| Assigned groups | Assigned roles |
| --- | --- |
| (none) | travel-demo-admincentral, travel-demo-publisher, travel-demo-tour-editor, security-base, workflow-base |

travel-demo-tour-editors

The travel-demo-tour-editors group is used to organize editors in the tour apps of the sample websites.

| Assigned groups | Assigned roles |
| --- | --- |
| (none) | travel-demo-admincentral, travel-demo-base, travel-demo-tour-editor, security-base, workflow-base |

editors

| Assigned groups | Assigned roles |
| --- | --- |
| (none) | editor, workflow-base |

publishers

| Assigned groups | Assigned roles |
| --- | --- |
| (none) | publisher, workflow-base |

Users

eric

User eric is an example editor.

| Assigned groups | Assigned roles |
| --- | --- |
| travel-demo-editors | (none) |

eric-de

User eric-de is an example German editor.

| Assigned groups | Assigned roles |
| --- | --- |
| travel-demo-editors | (none) |

peter

User peter is an example publisher.

| Assigned groups | Assigned roles |
| --- | --- |
| travel-demo-publisher | (none) |

tina

User tina is an example tour editor.

| Assigned groups | Assigned roles |
| --- | --- |
| travel-demo-tour-editors | (none) |

System users

anonymous (system user)

User anonymous represents a Web visitor.

Warning: The anonymous role has different permissions on author and public.

| Assigned groups | Assigned roles |
| --- | --- |
| (none) | anonymous, categorization-base, contact-base, forum-pagecomments-user, imaging-base, travel-demo-base |

superuser (system user)

User superuser represents an administrator who has full access to the system.

| Assigned groups | Assigned roles |
| --- | --- |
| publishers (EE) | superuser, rest, forum_ALL_admin |