These are default permissions set up in Magnolia. You can manage them in the Security app. They demonstrate how to assign roles, ACLs and web access. The default permissions are just an example of how to grant permissions in a typical scenario. These permissions are complemented by configured app access.

The Security app allows you to view a comprehensive list of permissions assigned to any user or group at any point in time. If you need to revert to the default permissions for any reason, you can access them online in the demo site in the Tools tab of the Security app.

The tables below show default permissions, role and group assignments, and configured access permissions. 

You should adapt the permissions to match your own organization. App access is configured separately in the app launcher configuration.



Roles

anonymous (role, author instance)

The anonymous role defines the permissions of public, unauthenticated users. Permissions are different on the author and public instances.

Access control lists

| Workspace | Permission | Scope | Path |
| Category | Read only | Selected and sub nodes | / |
| DAM | Read only | Sub nodes | / |
| GoogleSitemaps | Read only | Selected and sub nodes | / |
| Marketing-tags | Read only | Selected and sub nodes | / |
| Resources | Read only | Sub nodes | / |
| Website | Deny access | | |

superuser (role)

The superuser role provides full access to the system. The permissions are the same on author and public instances.

Access control lists

| Workspace | Permission | Scope | Path |
| AdvancedCache | Read/Write | Sub nodes | / |
| Category | Read/Write | Sub nodes | / |
| Config | Read/Write | Sub nodes | / |
| Contacts | Read/Write | Sub nodes | / |
| Dam | Read/Write | Sub nodes | / |
| Dms* | Read/Write | Sub nodes | / |
| Forum | Read/Write | Sub nodes | / |
| GoogleSitemaps | Read/Write | Sub nodes | / |
| Imaging | Read/Write | Sub nodes | / |
| Keystore | Read/Write | Sub nodes | / |
| Marketing-tags | Read/Write | Sub nodes | / |
| Messages | Read/Write | Sub nodes | / |
| Personas | Read/Write | Sub nodes | / |
| Profiles | Read/Write | Sub nodes | / |
| Resources | Read/Write | Sub nodes | / |
| Rss | Read/Write | Sub nodes | / |
| Scripts | Read/Write | Sub nodes | / |
| Segments | Read/Write | Sub nodes | / |
| Stories | Read/Write | Sub nodes | / |
| Tags | Read/Write | Sub nodes | / |
| Tasks | Read/Write | Sub nodes | / |
| Templates | Read/Write | Sub nodes | / |
| Tours | Read/Write | Sub nodes | / |
| Usergroups | Read/Write | Sub nodes | / |
| Userroles | Read/Write | Sub nodes | / |
| Users | Read/Write | Sub nodes | / |
| Website | Read/Write | Sub nodes | / |
| Workflow (EE) | Read/Write | Sub nodes | / |

Web access

| Permission | Path |
| Get & Post | * |

Configured access

...

/modules/workflow/messageViews/publish/actions/abort/availability/access/roles

...

| Deny | * |
| Deny | /.magnolia* |

anonymous (role, public instance)

Access control lists

| Workspace | Permission | Scope | Path |
| Category | Read only | Selected and sub nodes | / |
| Dam | Read only | Selected and sub nodes | / |
| GoogleSitemaps | Read only | Selected and sub nodes | / |
| Marketing-tags | Read only | Selected and sub nodes | / |
| Resources | Read only | Sub nodes | / |
| Website | Read only | Sub nodes | / |

Web access

| Permission | Path |
| Get & Post | * |
| Deny | /.magnolia |
| Deny | /.magnolia/* |
| Deny | /travel/members/protected* |
| Deny | /travel/members/profile-update* |
| Deny | <travel>/members/protected* |
| Deny | <travel>/members/profile-update* |

superuser (role)

The superuser role provides full access to the system. The

travel-demo-base

These are roles specific to the demo websites. The permissions are the same on author and public instances.

...

Read onlyTours only
WorkspacePermissionScopePath
CategoryAdvancedCacheRead only

Read only

Selected and sub nodes

Selected and sub nodes

/tour-types

/destinations

Dam/WriteSub nodes/
CategoryRead/WriteSub nodes/
ConfigRead/WriteSub nodes/
ContactsRead/WriteSub nodes/
UserrolesDamRead only/WriteSelectedSub nodes/travel-demo-base

travel-demo-admincentral

These are roles specific to the demo-project example websites. The permissions are the same on author and public instances.

Web access

...

Dms*Read/WriteSub nodes/
ForumRead/WriteSub nodes/
GoogleSitemapsRead/WriteSub nodes/
ImagingRead/WriteSub nodes/
Keystore

travel-demo-editor

Access control lists

DamUserroles onlySelectedtravel-demo-editorWebsite
WorkspacePermissionScopePath
CategoryRead/WriteSub nodes/
Marketing-tagsRead/WriteSub nodes/
MessagesRead/WriteSub nodes/
PersonasRead/WriteSub nodes/

Configured access

...

ProfilesRead/WriteSub nodes/
ResourcesRead/WriteSub nodes/
RssRead/WriteSub nodes/
ScriptsRead/WriteSub nodes/
SegmentsRead/WriteSub nodes/
StoriesRead/WriteSub nodes/
TagsRead/WriteSub nodes/
TasksRead/WriteSub nodes/
TemplatesRead/WriteSub nodes/
ToursRead/WriteSub nodes/
UsergroupsRead/WriteSub nodes/
UserrolesRead/WriteSub nodes/
UsersRead/WriteSub nodes/
WebsiteRead/WriteSub nodes/
Workflow (EE)

travel-demo-publisher

Access control lists

| Workspace | Permission | Scope | Path |
| Userroles | Read only | Selected | /travel-demo-publisher |
| Website | Read/Write | Sub nodes | / |

Web access

| Permission | Path |
| Get & Post | * |

Configured access

App
Applies toNamePath
AppAssets /modules/dam-app/apps/assets/permissions/roles
ActionAssetsActivate/modules/dam-app/apps/assets/subApps/browser/actions/activate/availability/access/roles
Path
AppActivationActionPagesActivate/modules/pagesactivation/apps/activation/pages/subApps/browser/actions/activate/availability/access/roles

travel-demo-tour-editor

Access control lists

...

Read/Write

Read/Write

...

Selected and sub nodes

Selected and sub nodes

...

/tour-types

/destinations

...

permissions/roles

Configuration/modules/ui-admincentral/apps/configuration/permissions/roles

Security/modules/security-app/apps/security/permissions/roles

Security/modules/security-app/dialogs/role/form/tabs/role/fields/jcrName

Mail tools/modules/mail/apps/mail/permissions/roles

Dev tools/modules/tools/apps/tools/permissions/roles

Backup/modules/backup/apps/backup/permissions/roles
App launcherDev group/modules/ui-admincentral/config/appLauncherLayout/groups/dev/permissions/roles

Tools group/modules/ui-admincentral/config/appLauncherLayout/groups/tools/permissions/roles
PulseAbort action
/modules/workflow/messageViews/publish/actions/abort/availability/access/roles

Archive action/modules/workflow/messageViews/publish/actions/archive

editor

Installed by the workflow module (EE). Allows editing content.

Access control lists

...

Configured access

Applies toAppNamePath
ActionPagesActivate/modules/pages/apps/pages/subApps/browser/actions/activate/availability/access/roles

publisher

travel-demo-base

These are roles specific to the demo websites. The permissions are the same on author and public instancesInstalled by the workflow module (EE). Allows publishing content.

Access control lists

WorkspacePermissionScopePath
Category

Read only

Sub nodes/Contacts

Read only

Sub nodes/
DamRead onlySub nodes/
UserrolesRead onlySelected/publisher

Selected and sub nodes

Selected and sub nodes

/tour-types

/destinations

DamWebsiteRead onlySub nodes/
WorkflowToursRead /WriteSub nodes/

Configured access

...

onlySub nodes/
UserrolesRead onlySelected /travel-demo-base

travel-demo-admincentral

These are roles specific to the demo-project example websites. The permissions are the same on author and public instances.

Web access

| Permission | Path |
| Get & Post | * |

travel-demo-editor

workflow-base

...

Access control lists

WorkspacePermissionScope
PathWorkflow
Path
CategoryRead/WriteSub nodes/
DamRead/WriteSub nodes/
UserrolesRead onlySelected/
workflow
travel-
base

...

demo-

...

editor

Access control lists

...

WebsiteRead/WriteSub nodes/

Configured access

| Applies to | App | Name | Path |
| App | Assets | | /modules/dam-app/apps/assets/permissions/roles |
| Action | Assets | Activate | /modules/dam-app/apps/assets/subApps/browser/actions/activate/availability/access/roles |
| Action | Pages | Activate | /modules/pages/apps/pages/subApps/browser/actions/activate/availability/access/roles |

travel-demo-publisher

imaging-base

Access control lists

...

Access control lists

Config and sub nodesmodules/resourcesResources
WorkspacePermissionScopePath
UserrolesRead onlySelected/travel-demo-publisher
WebsiteRead/WriteSub nodes/
UserrolesRead onlySelected/resources-base

...


rest-admin

Web access

| Permission | Path |
| Get & Post | /.rest/* |

Configured access

| Applies to | Name | Path |
| Commands | Delete | /modules/rest-services/rest-endpoints/commands/enabledCommands/markAsDeleted/access/roles |
| | Activate | /modules/rest-services/rest-endpoints/commands/enabledCommands/activate/access/roles |

rest-editor

Web access

| Permission | Path |
| Deny | /.rest* |
| Deny | /.rest/commands* |
| Deny | /.rest/nodes* |
| Get & Post | /.rest/nodes/v1/website* |
| Deny | /.rest/properties* |
| Get & Post | /.rest/properties/v1/website* |
| Get & Post | /.rest/cache/v1* |

Configured access

| Applies to | App | Name | Path |
| App | Assets | | /modules/dam-app/apps/assets/permissions/roles |
| Action | Assets | Activate | /modules/dam-app/apps/assets/subApps/browser/actions/activate/availability/access/roles |
| Action | Pages | Activate | /modules/pages/apps/pages/subApps/browser/actions/activate/availability/access/roles |

travel-demo-tour-editor

Access control lists

| Workspace | Permission | Scope | Path |
| Category | Read/Write | Selected and sub nodes | /tour-types |
| | Read/Write | Selected and sub nodes | /destinations |
| Dam | Read/Write | Sub nodes | / |
| Tours | Read/Write | Sub nodes | / |
| Userroles | Read only | Selected | /travel-demo-tour-editor |

editor

Installed by the workflow module (EE). Allows editing content.

Access control lists

| Workspace | Permission | Scope | Path |
| Category | Read/Write | Sub nodes | / |
| Contacts | Read/Write | Sub nodes | / |
| Dam | Read/Write | Sub nodes | / |
| Userroles | Read only | Selected | /editor |
| Website | Read/Write | Sub nodes | / |

Configured access

| Applies to | App | Name | Path |
| Action | Pages | Activate | /modules/pages/apps/pages/subApps/browser/actions/activate/availability/access/roles |

publisher

Installed by the workflow module (EE). Allows publishing content.

Access control lists

| Workspace | Permission | Scope | Path |
| Category | Read only | Sub nodes | / |
| Contacts | Read only | Sub nodes | / |
| Dam | Read only | Sub nodes | / |
| Userroles | Read only | Selected | /publisher |
| Website | Read only | Sub nodes | / |
| Workflow | Read/Write | Sub nodes | / |

Configured access

| Applies to | App | Name | Path |
| Action | Pages | Activate | /modules/pages/apps/pages/subApps/browser/actions/activate/availability/access/roles |

workflow-base

Base role allowing users to use the workflow workspace (EE).

Configured access

| Applies to | Name | Path |
| Commands | Delete | /modules/rest-services/rest-endpoints/commands/enabledCommands/markAsDeleted/access/roles |
| | Activate | /modules/rest-services/rest-endpoints/commands/enabledCommands/activate/access/roles |

rest-anonymous

Web access

| Permission | Path |
| Deny | /.rest* |
| Get | /.rest/delivery/* |

Configured access

| Applies to | Name | Path |
| Commands | Delete | /modules/rest-services/rest-endpoints/commands/enabledCommands/markAsDeleted/access/roles |
| | Activate | /modules/rest-services/rest-endpoints/commands/enabledCommands/activate/access/roles |

rest-backup

Web access

| Permission | Path |
| Get & Post | /.rest/commands/v2/backup/backup |

Configured access

| Applies to | Name | Path |
| Commands | Delete | /modules/rest-services/rest-endpoints/commands/enabledCommands/markAsDeleted/access/roles |
| | Activate | /modules/rest-services/rest-endpoints/commands/enabledCommands/activate/access/roles |

rss-aggregator-base

Access control lists

WorkspacePermissionScopePath
Rss
WorkflowRead
-only
/WriteSub nodes/
UserrolesRead onlySelected/
rss
workflow-
aggregator
base

contact-base

scripter

Access control lists

| Workspace | Permission | Scope | Path |
| Scripts | Read/Write | Sub nodes | / |
| Userroles | Read only | Selected | /scripter |

Web access

| Permission | Path |
| Get & Post | * |

Configured access

...

ContactRead onlySub nodes/
UserrolesRead onlySelected/contact-base

imaging-base

Access control lists

| Workspace | Permission | Scope | Path |
| Imaging | Read only | Sub nodes | / |
| Userroles | Read only | Selected | /imaging-base |

resources

security-base

Web access

...

-base

Access control lists

/templater-base
WorkspacePermissionScopePath
Config

Read

-

only

Selected and sub nodes

/modules/

inplace-templating

resources

Templates
ResourcesRead/WriteSub nodes/
UserrolesRead onlySelectedSelected/resources-base

rest-admin

Web access

| Permission | Path |
| Get & Post | /.rest/* |

Configured access

| Applies to | Name | Path |
| Commands | Delete | /modules/rest-services/rest-endpoints/commands/enabledCommands/markAsDeleted/access/roles |
| | Activate | /modules/rest-services/rest-endpoints/commands/enabledCommands/activate/access/roles |

rest-editor

Web access

| Permission | Path |
| Deny | /.rest* |
| Get | /.rest/delivery/* |
| Deny | /.rest/commands* |
| Deny | /.rest/nodes* |
| Get & Post | /.rest/nodes/v1/website* |
| Deny | /.rest/properties* |
| Get & Post | /.rest/properties/v1/website* |
| Get & Post | /.rest/cache/v1* |

rest-anonymous

Web access

| Permission | Path |
| Deny | /.rest* |
| Get | /.rest/delivery/* |

rest-backup

Web access

| Permission | Path |
| Get & Post | /.rest/commands/v2/backup/backup |

Configured access

| Applies to | Name | Path |
| Command | Backup | /modules/rest-services/rest-endpoints/commands/enabledCommands/backup/access/roles |

rss-aggregator-base

Access control lists

| Workspace | Permission | Scope | Path |
| Rss | Read-only | Sub nodes | / |
| Userroles | Read only | Selected | /rss-aggregator-base |

scripter

...

forum_ALL-user

Role that allows posting in all forums.

Access control lists

...

forum_ALL-admin

Role which gives administration permissions on ALL forums

Access control lists

...

/modules/forum/apps/forum/permissions/roles

...

forum_ALL-moderator

...

Access control lists

WorkspacePermissionScopePath
ForumScriptsRead/WriteSub nodes/
UserrolesRead onlySelected/forum_ALL-moderatorscripter

Web access

PermissionPath
Get & Post*

Configured access

forumforum
Applies toAppPath
AppForumGroovy/modules/groovy/apps/groovy/permissions/roles

forum-pagecomments-user

security-base

Web access

| Permission | Path |
| Deny | /.magnolia/log4j |
| Deny | /.rest* |

templater-base

Access control listsRole which gives commenting permissions.

WorkspacePermissionScopePath
ForumConfigRead/Write-onlySelected and sub nodes/modules/inplace-templating/pagecommentsUserrolesRead onlySelected
TemplatesRead/WriteSub nodes/
UserrolesRead onlySelected/templater-base

Configured access

/forum-pagecomments-user
Applies toAppPath
AppTemplates/modules/inplace-templating/apps/inplace-templating/permissions/roles

Groups

Group permissions are the same on author and public instances.

editors

| Assigned groups | Assigned roles |
| (none) | editor, workflow-base |

publishers

| Assigned groups | Assigned roles |
| (none) | publisher, workflow-base |

travel-demo-pur

The travel-demo-editorspur group is used to organize the editors of the sample websites.

Assigned groupsAssigned roles
 (none) categorization-base

contact-base
 imaging-base

forum-pagecomments-user
travel-demo

imaging-base
 

travel
-demo-pur imaging-base categorization-base  contact
-demo-base
 workflow-base

travel-demo-pur

travel-demo-editors

The travel-demo-editors group is used to organize the editors of the sample websites.

| Assigned groups | Assigned roles |
| (none) | travel-demo-admincentral, travel-demo-editor, travel-demo-tour-editor, imaging-base, security-base, resources-base, workflow-base |

travel-demo-publishers

...

| Assigned groups | Assigned roles |
| (none) | travel-demo-admincentral, travel-demo-publisher, travel-demo-tour-editor, security-base, workflow-base |

travel-demo-tour-editors

...

| Assigned groups | Assigned roles |
| (none) | travel-demo-admincentral, travel-demo-base, travel-demo-tour-editor, security-base, workflow-base |

Users

eric

User eric is an example editor.

...

| Assigned groups | Assigned roles |
| travel-demo-editors | (none) |

peter

User peter is an example publisher.

| Assigned groups | Assigned roles |
| travel-demo-publisher | (none) |

tina

User tina is an example tour editor.

...

  
| Assigned groups | Assigned roles |
| (none) | anonymous, categorization-base, contact-base, forum-pagecomments-user, imaging-base, rest-anonymous, travel-demo-base |

superuser (system user)

...

| Assigned groups | Assigned roles |
| publishers (EE) | superuser, rest-admin, forum_ALL_admin |