The default permissions set up in the Security app demonstrate how to assign roles, ACLs and web access in a typical scenario. These permissions are complemented by configured app access.

The Security app allows you to view a comprehensive list of permissions assigned to any user or group at any point in time. If you need to revert to the default permissions for any reason, you can access them online in the demo site in the Tools tab of the Security app.

The tables below show default permissions, role and group assignments, and configured access permissions. 

Roles

anonymous (role, author instance)

The anonymous role defines the permissions of public, unauthenticated users. Permissions are different on the author and public instances.

Access control lists

| Workspace | Permission | Scope | Path |
|---|---|---|---|
| Category | Read only | Selected and sub nodes | / |
| DAM | Read only | Sub nodes | / |
| GoogleSitemaps | Read only | Selected and sub nodes | / |
| Resources | Read only | Sub nodes | / |
| Tags | Read only | Selected and sub nodes | / |
| Website | Deny access | Sub nodes | / |

Web access

| Permission | Path |
|---|---|
| Deny | * |
| Deny | /.magnolia* |

anonymous (role, public instance)

Access control lists

| Workspace | Permission | Scope | Path |
|---|---|---|---|
| Category | Read only | Selected and sub nodes | / |
| Dam | Read only | Selected and sub nodes | / |
| GoogleSitemaps | Read only | Selected and sub nodes | / |
| Resources | Read only | Sub nodes | / |
| Tags | Read only | Selected and sub nodes | / |
| Website | Read only | Sub nodes | / |

Web access

| Permission | Path |
|---|---|
| Get & Post | * |
| Deny | /.magnolia* |
| Deny | /.magnolia/* |
| Deny | /.rest* |

superuser (role)

The superuser role provides full access to the system. The permissions are the same on author and public instances.

Access control lists

| Workspace | Permission | Scope | Path |
|---|---|---|---|
| Category | Read/Write | Sub nodes | / |
| Config | Read/Write | Sub nodes | / |
| Contacts | Read/Write | Sub nodes | / |
| Dam | Read/Write | Sub nodes | / |
| Dms* | Read/Write | Sub nodes | / |
| Forum | Read/Write | Sub nodes | / |
| GoogleSitemaps | Read/Write | Sub nodes | / |
| Imaging | Read/Write | Sub nodes | / |
| Messages | Read/Write | Sub nodes | / |
| Profiles | Read/Write | Sub nodes | / |
| Resources | Read/Write | Sub nodes | / |
| Rss | Read/Write | Sub nodes | / |
| Scripts | Read/Write | Sub nodes | / |
| Segments | Read/Write | Sub nodes | / |
| Tags | Read/Write | Sub nodes | / |
| Tasks | Read/Write | Sub nodes | / |
| Templates | Read/Write | Sub nodes | / |
| Tours | Read/Write | Sub nodes | / |
| Usergroups | Read/Write | Sub nodes | / |
| Userroles | Read/Write | Sub nodes | / |
| Users | Read/Write | Sub nodes | / |
| Website | Read/Write | Sub nodes | / |
| Workflow (EE) | Read/Write | Sub nodes | / |

Web access

| Permission | Path |
|---|---|
| Get & Post | * |

Configured access

| Applies to | Name | Path |
|---|---|---|
| App | Activation | /modules/activation/apps/activation/permissions/roles |
| | Configuration | /modules/ui-admincentral/apps/configuration/permissions/roles |
| | Security | /modules/security-app/apps/security/permissions/roles |
| | Security | /modules/security-app/dialogs/role/form/tabs/role/fields/jcrName |
| | Mail tools | /modules/mail/apps/mail/permissions/roles |
| | Dev tools | /modules/tools/apps/tools/permissions/roles |
| | Backup | /modules/backup/apps/backup/permissions/roles |
| App launcher | Dev group | /modules/ui-admincentral/config/appLauncherLayout/groups/dev/permissions/roles |
| | Tools group | /modules/ui-admincentral/config/appLauncherLayout/groups/tools/permissions/roles |
| Pulse | Abort action | /modules/workflow/messageViews/publish/actions/abort/availability/access/roles |
| | Archive action | /modules/workflow/messageViews/publish/actions/archive/availability/access/roles |

travel-demo-base

These are roles specific to the demo websites. The permissions are the same on author and public instances.

Access control lists

| Workspace | Permission | Scope | Path |
|---|---|---|---|
| Category | Read only | Selected and sub nodes | /tour-types |
| Category | Read only | Selected and sub nodes | /destinations |
| Dam | Read only | Sub nodes | / |
| Tours | Read only | Sub nodes | / |

travel-demo-admincentral

These are roles specific to the demo-project example websites. The permissions are the same on author and public instances.

Web access

| Permission | Path |
|---|---|
| Get & Post | * |

travel-demo-editor

Access control lists

| Workspace | Permission | Scope | Path |
|---|---|---|---|
| Category | Read/Write | Sub nodes | / |
| Dam | Read/Write | Sub nodes | / |
| Website | Read/Write | Sub nodes | / |

Configured access

| Applies to | App | Name | Path |
|---|---|---|---|
| App | Assets | | /modules/dam-app/apps/assets/permissions/roles |
| Action | Assets | Activate | /modules/dam-app/apps/assets/subApps/browser/actions/activate/availability/access/roles |
| Action | Pages | Activate | /modules/pages/apps/pages/subApps/browser/actions/activate/availability/access/roles |

travel-demo-publisher

Access control lists

| Workspace | Permission | Scope | Path |
|---|---|---|---|
| Website | Read/Write | Sub nodes | / |

Configured access

| Applies to | App | Name | Path |
|---|---|---|---|
| App | Assets | | /modules/dam-app/apps/assets/permissions/roles |
| Action | Assets | Activate | /modules/dam-app/apps/assets/subApps/browser/actions/activate/availability/access/roles |
| Action | Pages | Activate | /modules/pages/apps/pages/subApps/browser/actions/activate/availability/access/roles |

travel-demo-tour-editor

Access control lists

| Workspace | Permission | Scope | Path |
|---|---|---|---|
| Category | Read/Write | Selected and sub nodes | /tour-types |
| Category | Read/Write | Selected and sub nodes | /destinations |
| Dam | Read/Write | Sub nodes | / |
| Tours | Read/Write | Sub nodes | / |

editor

Installed by the workflow module (EE). Allows editing content.

Access control lists

| Workspace | Permission | Scope | Path |
|---|---|---|---|
| Category | Read/Write | Sub nodes | / |
| Contacts | Read/Write | Sub nodes | / |
| Dam | Read/Write | Sub nodes | / |
| Website | Read/Write | Sub nodes | / |

Configured access

| Applies to | App | Name | Path |
|---|---|---|---|
| Action | Pages | Activate | /modules/pages/apps/pages/subApps/browser/actions/activate/availability/access/roles |

publisher

Installed by the workflow module (EE). Allows publishing content.

Access control lists

| Workspace | Permission | Scope | Path |
|---|---|---|---|
| Category | Read only | Sub nodes | / |
| Contacts | Read only | Sub nodes | / |
| Website | Read only | Sub nodes | / |
| Workflow | Read/Write | Sub nodes | / |

Configured access

| Applies to | App | Name | Path |
|---|---|---|---|
| Action | Pages | Activate | /modules/pages/apps/pages/subApps/browser/actions/activate/availability/access/roles |

workflow-base

Base role allowing users to use the workflow workspace (EE).

Access control lists

| Workspace | Permission | Scope | Path |
|---|---|---|---|
| Workflow | Read/Write | Sub nodes | / |

contact-base

Access control lists

| Workspace | Permission | Scope | Path |
|---|---|---|---|
| Contact | Read only | Sub nodes | / |

imaging-base

Access control lists

| Workspace | Permission | Scope | Path |
|---|---|---|---|
| Imaging | Read only | Sub nodes | / |

resources-base

Access control lists

| Workspace | Permission | Scope | Path |
|---|---|---|---|
| Config | Read only | Selected and sub nodes | /modules/resources |
| Resources | Read/Write | Sub nodes | / |

rest

Web access

| Permission | Path |
|---|---|
| Deny | /.rest* |
| Deny | /.rest/commands* |
| Deny | /.rest/nodes* |
| Get & Post | /.rest/nodes/v1/website* |
| Deny | /.rest/properties* |
| Get & Post | /.rest/properties/v1/website* |
| Get & Post | /.rest/cache/v1* |
| Get & Post | /.rest/api-docs* |

Configured access

| Applies to | Name | Path |
|---|---|---|
| Commands | Delete | /modules/rest-services/rest-endpoints/commands/enabledCommands/markAsDeleted/access/roles |
| | Activate | /modules/rest-services/rest-endpoints/commands/enabledCommands/activate/access/roles |

rss-aggregator-base

Access control lists

| Workspace | Permission | Scope | Path |
|---|---|---|---|
| Rss | Read-only | Sub nodes | / |

scripter

Access control lists

| Workspace | Permission | Scope | Path |
|---|---|---|---|
| Scripts | Read/Write | Sub nodes | / |

Web access

| Permission | Path |
|---|---|
| Get & Post | * |

Configured access

| Applies to | App | Path |
|---|---|---|
| App | Groovy | /modules/groovy/apps/groovy/permissions/roles |

security-base

Web access

| Permission | Path |
|---|---|
| Deny | /.magnolia/pages/jcrUtils* |
| Deny | /.magnolia/log4j |
| Deny | /.magnolia/pages/configuration* |
| Deny | /.magnolia/pages/logViewer* |
| Deny | /.magnolia/pages/users* |
| Deny | /.magnolia/pages/import* |
| Deny | /.magnolia/pages/export* |
| Deny | /.magnolia/pages/permission* |
| Deny | /.magnolia/pages/developmentUtils* |
| Deny | /.rest* |

templater-base

Access control lists

| Workspace | Permission | Scope | Path |
|---|---|---|---|
| Config | Read-only | Selected and sub nodes | /modules/inplace-templating |
| Templates | Read/Write | Sub nodes | / |

Configured access

| Applies to | App | Path |
|---|---|---|
| App | Templates | /modules/inplace-templating/apps/inplace-templating/permissions/roles |

forum_ALL-user

Role that allows posting in all forums.

Access control lists

| Workspace | Permission | Scope | Path |
|---|---|---|---|
| Forum | Read/Write | Sub nodes | / |

Web access

| Permission | Path |
|---|---|
| Get & Post | /.magnolia/pages/forum* |

forum_ALL-admin

Role that gives administration permissions on ALL forums.

Access control lists

| Workspace | Permission | Scope | Path |
|---|---|---|---|
| Forum | Read/Write | Sub nodes | / |

Web access

| Permission | Path |
|---|---|
| Get & Post | /.magnolia/pages/forum* |

Configured access

| Applies to | App | Name | Path |
|---|---|---|---|
| App | Forum | | /modules/forum/apps/forum/permissions/roles |
| Actions | Forum | Add forum | /modules/forum/apps/forum/subApps/browser/actions/addForum/availability/access/roles |
| | | Edit forum | /modules/forum/apps/forum/subApps/browser/actions/editForum/availability/access/roles |
| | | Delete forum | /modules/forum/apps/forum/subApps/browser/actions/deleteForum/availability/access/roles |
| | | Confirm delete | /modules/forum/apps/forum/subApps/browser/actions/confirmDeleteForum/availability/access/roles |

forum_ALL-moderator

Role that gives moderation permissions on ALL forums.

Access control lists

| Workspace | Permission | Scope | Path |
|---|---|---|---|
| Forum | Read/Write | Sub nodes | / |

Web access

| Permission | Path |
|---|---|
| Get & Post | /.magnolia/pages/forum* |

Configured access

| Applies to | App | Path |
|---|---|---|
| App | Forum | /modules/forum/apps/forum/permissions/roles |

forum-pagecomments-user

Role which gives commenting permissions.

| Workspace | Permission | Scope | Path |
|---|---|---|---|
| Forum | Read/Write | Selected and sub nodes | /pagecomments |

Groups

Group permissions are the same on author and public instances.

travel-demo-editors

The travel-demo-editors group is used to organize the editors of the sample websites.

| Assigned groups | Assigned roles |
|---|---|
| (none) | travel-demo-admincentral |
| | travel-demo-editor |
| | travel-demo-tour-editor |
| | imaging-base |
| | security-base |
| | resources-base |
| | workflow-base |

travel-demo-publishers

The travel-demo-publishers group is used to organize the publishers of the sample websites.

| Assigned groups | Assigned roles |
|---|---|
| (none) | travel-demo-admincentral |
| | travel-demo-publisher |
| | travel-demo-tour-editor |
| | security-base |
| | workflow-base |

travel-demo-tour-editors

The travel-demo-tour-editors group is used to organize editors in the tour apps of the sample websites.

| Assigned groups | Assigned roles |
|---|---|
| (none) | travel-demo-admincentral |
| | travel-demo-base |
| | travel-demo-tour-editor |
| | security-base |
| | workflow-base |

editors

| Assigned groups | Assigned roles |
|---|---|
| (none) | editor |
| | workflow-base |

publishers

| Assigned groups | Assigned roles |
|---|---|
| (none) | publisher |
| | workflow-base |

Users

eric

User eric is an example editor.

| Assigned groups | Assigned roles |
|---|---|
| travel-demo-editors | (none) |

eric-de

User eric-de is an example German editor.

| Assigned groups | Assigned roles |
|---|---|
| travel-demo-editors | (none) |

peter

User peter is an example publisher.

| Assigned groups | Assigned roles |
|---|---|
| travel-demo-publisher | (none) |

tina

User tina is an example tour editor.

| Assigned groups | Assigned roles |
|---|---|
| travel-demo-tour-editors | (none) |

System users

anonymous (system user)

User anonymous represents a Web visitor.

Warning: The anonymous role has different permissions on author and public.

| Assigned groups | Assigned roles |
|---|---|
| (none) | anonymous |
| | categorization-base |
| | contact-base |
| | forum-pagecomments-user |
| | imaging-base |
| | travel-demo-base |

superuser (system user)

User superuser represents an administrator who has full access to the system.

| Assigned groups | Assigned roles |
|---|---|
| publishers (EE) | superuser |
| | rest |
| | forum_ALL_admin |