Default roles, groups and users
Magnolia is an enterprise-wide solution. Numerous users in varied roles work within the system. While a developer may use Magnolia daily, others may only access it sporadically to update specific content on a website. Users need permissions to access the features that allow them to do their job.
For instance, a web content editor working with Magnolia needs permissions to view and edit the sections of a website that they are responsible for. They may also need the ability to create new pages and submit changes to a review process.
On the other hand, the end-user level functions are not as crucial to a developer who needs access to Magnolia's configuration options, templates and data types.
Between these extreme examples lie the administrators. Although they may not work in Magnolia often, when they do, they expect access to tools and functionality such as settings, maintenance and security configurations.
The standard installation of Magnolia includes default definitions of roles, groups and users. A sample structure is provided to demonstrate a typical setup and can be adapted using the appropriate features.
Default roles
| Role | Description | ACL |
|---|---|---|
| anonymous | Base role for public, unauthenticated users. | Read permissions to the dms, resources, store and expressions workspaces. Note that a user assigned the anonymous role has different access permissions to the website workspace in Author and Public instances. |
| categorization-base | Base role allowing users to read category data type information. | Read permissions to the category data type. |
| contact-base | Base role allowing users to read contact data type information. Sample role for data module. | Read permission to contact data type. |
| demo-project-base | Base role allowing users to access the system from STK point of view. | Read permissions to data and resources workspaces, as well as /templating-kit, dms folder and related paths in config workspace. A user assigned to this role is able to get and post any URL response or request. |
| demo-project-editor | Editor role allowing content editing of demo-project website. | Read and write permissions to related paths in website, dms and data workspaces. |
| demo-project-member | Member role allowing users to access the protected members area based on public user registration module. | Get and post URL permissions to related paths. |
| demo-project-publisher | Publisher role allowing publishing of content in demo-project websites. | Read permissions to related paths in website, dms and data workspaces. |
| forum-base | Base role for features of forum module. | Minimal permissions to read the forum workspace and to get and post forum comments. |
| forum-moderator-base | Base forum moderator role. | In addition to the permissions of forum-base role, users assigned to this role have minimal permissions to access the moderation interface of the forum module in the config workspace. |
| forum-pagecomments-admin | Forum page commenting administrator role. | Administration permissions to the /pagecomments path of forum workspace. |
| forum-pagecomments-moderator | Forum page commenting moderator role. | Moderate and delete permissions to the /pagecomments path of forum workspace. |
| forum-pagecomments-user | Common user role for forum page commenting. | Comment and post permissions to the /pagecomments path of forum workspace. |
| forum_ALL-admin | Role giving administration permissions on ALL forums. | Administration permissions to the / path of forum workspace. |
| forum_ALL-moderator | Role giving moderation permissions on ALL forums. | Moderation permissions to the / path of forum workspace. |
| forum_ALL-user | Role allowing posting in all forums. | Post (Write) permissions to the / path of forum workspace. |
| imaging-base | Base role allowing users to read and generate images using imaging module. | Read and write permissions to the imaging workspace. |
| public-user-registration-base | Base PUR role assigned to anonymous users allowing access to the PUR features. | Get and post URL permissions to related PUR pages. |
| resources-base | Base role allowing users to use the resources workspace. | Read and write permissions to resources workspace as well as read permissions to related config paths. |
| rss-aggregator-base | Base role allowing users to read rssaggregator data type information. | Read permissions to the rssaggregator data type. |
| security-base | Base role denying users access to certain system pages. | Access denied permissions to /.magnolia/pages/installedModulesList, /jcrUtils, /log4j, /configuration, /logViewer and /sendMail. |
| templater-base | Base role allowing users to modify content of templates workspace. | Read and write permissions to templates workspace, as well as read permissions to related config paths. |
| workflow-base | Base role for the workflow process. | Read and write permissions to the workflow related expressions and store workspaces, as well as read permissions to related config paths. |
Default groups
The purpose of groups is to define settings for a group of users, as opposed to individual users. Users with similar privileges are assigned to appropriate groups. Permissions that apply to a group are inherited by its users.
| Group | Description | Assigned roles | Assigned group |
|---|---|---|---|
| editors | This group is created by the workflow module and its users are registered upon installation. It is used by the default action workflow and rejected items are sent to the group's inbox. | workflow-base | |
| publishers | This group is created by the workflow module and its users are registered upon installation. | workflow-base | |
| demo-project-editors | Sample group allowing users to edit content of demo-project website. | demo-project-base, demo-project-editor, imaging-base | editors |
| demo-project-publishers | Sample group allowing users to publish pages of demo-project website. | demo-project-base, demo-project-publisher, imaging-base | publishers |
| demo-project-member | Sample group allowing registered users access to members area pages. | anonymous, contact-base, demo-project-member, resources-base, imaging-base, public-user-registration-base | |
Default users
User settings define the login credentials as well as certain personal settings that identify individuals accessing Magnolia. Users inherit permissions from the roles they belong to, either directly or through groups.
System users
| System user | Description | Assigned roles | Assigned group |
|---|---|---|---|
| anonymous | Unauthenticated, public users access the websites using this account. | categorization-base, contact-base, imaging-base, anonymous | |
| superuser | User assigned unlimited access permissions. | superuser, forum_ALL-admin | publishers |
Users
The following sample users are included in the standard installation.
| User | Description | Assigned group |
|---|---|---|
| eric | Sample demo-project editor. | demo-project-editor |
| peter | Sample demo-project publisher. | demo-project-publisher |
You can get a list of all permissions assigned to a user or group using the permission list tool.
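The inheritance rule described above (users receive roles directly or through groups, and a group can itself be assigned to another group) can be audited by resolving each default account's effective roles. The following Python is an added example, not Magnolia code and not the permission list tool; it works on data transcribed from the tables on this page, the names `effective_roles` and `holders` are hypothetical, and it assumes the sample users' group names refer to the plural groups in the group table.

```python
# Added example: role/group data transcribed from the tables on this page.
GROUP_ROLES = {
    "editors": {"workflow-base"},
    "publishers": {"workflow-base"},
    "demo-project-editors": {"demo-project-base", "demo-project-editor", "imaging-base"},
    "demo-project-publishers": {"demo-project-base", "demo-project-publisher", "imaging-base"},
    "demo-project-member": {"anonymous", "contact-base", "demo-project-member",
                            "resources-base", "imaging-base", "public-user-registration-base"},
}
GROUP_PARENTS = {  # "Assigned group" column: a group nested inside another group
    "demo-project-editors": {"editors"},
    "demo-project-publishers": {"publishers"},
}
USERS = {  # user -> (directly assigned roles, assigned groups)
    "anonymous": ({"categorization-base", "contact-base", "imaging-base", "anonymous"}, set()),
    "superuser": ({"superuser", "forum_ALL-admin"}, {"publishers"}),
    # Assumption: the user table's singular group names map to the plural groups above.
    "eric": (set(), {"demo-project-editors"}),
    "peter": (set(), {"demo-project-publishers"}),
}

def effective_roles(user, users=USERS, group_roles=GROUP_ROLES, parents=GROUP_PARENTS):
    """Return (roles, unresolved_groups) for a user, following nested groups."""
    direct, groups = users[user]
    roles, seen, unresolved = set(direct), set(), set()
    stack = list(groups)
    while stack:
        group = stack.pop()
        if group in seen:          # guards against cyclic group nesting
            continue
        seen.add(group)
        if group not in group_roles:
            unresolved.add(group)  # dangling reference: named but never defined
            continue
        roles |= group_roles[group]
        stack.extend(parents.get(group, ()))
    return roles, unresolved

def holders(role, users=USERS):
    """List the users whose effective roles include `role`."""
    return sorted(u for u in users if role in effective_roles(u, users)[0])

if __name__ == "__main__":
    for name in USERS:
        roles, missing = effective_roles(name)
        print(name, sorted(roles), "unresolved:", sorted(missing))
    print("workflow-base holders:", holders("workflow-base"))
```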