The default permissions set up in the Security app demonstrate how to assign roles, ACLs and web access in a typical scenario. These permissions are complemented by configured app access.

The Permissions app allows you to view a comprehensive list of permissions assigned to any user or group in the Security app at any point in time.

The tables below show default permissions, role and group assignments, and configured access permissions. 

Permissions marked with an asterisk (*) are a legacy leftover from Magnolia 4.5. They are not used in 5.0+.

Roles

anonymous (role, author instance)

The anonymous role defines the permissions of public, unauthenticated users. Permissions are different on the author and public instances.

Access control lists

| Workspace | Permission | Scope | Path |
| --- | --- | --- | --- |
| Category | Read only | Selected and sub nodes | / |
| Contacts | Read only | Selected and sub nodes | / |
| DAM | Read only | Selected and sub nodes | / |
| GoogleSitemaps | Read only | Selected and sub nodes | / |
| Resources | Read only | Selected and sub nodes | / |
| Tags | Read only | Selected and sub nodes | / |
| Website | Deny access | Selected and sub nodes | / |

Web access

| Permission | Path |
| --- | --- |
| Deny | * |
| Deny | /.magnolia* |

Configured access

| Applies to | Path |
| --- | --- |
| Public User Registration | /modules/public-user-registration/config/configurations/default/defaultRoles |
| | /modules/public-user-registration/config/configurations/demo-project/defaultRoles |

Note that the PUR permissions are limited to the public realm.

anonymous (role, public instance)

Access control lists

| Workspace | Permission | Scope | Path |
| --- | --- | --- | --- |
| Category | Read only | Selected and sub nodes | / |
| Contacts | Read only | Selected and sub nodes | / |
| Dam | Read only | Selected and sub nodes | / |
| GoogleSitemaps | Read only | Selected and sub nodes | / |
| Resources | Read only | Selected and sub nodes | / |
| Tags | Read only | Selected and sub nodes | / |
| Website | Read only | Selected and sub nodes | / |

Web access

| Permission | Path |
| --- | --- |
| Get & Post | * |
| Deny | /.magnolia* |
| Deny | /.magnolia/* |
| Deny | /.rest* |
| Deny | /demo-project/members-area/protected* |
| Deny | <demo-project>/members-area/protected* |

Configured access

| Applies to | Path |
| --- | --- |
| Public User Registration | /modules/public-user-registration/config/configurations/default/defaultRoles |
| | /modules/public-user-registration/config/configurations/demo-project/defaultRoles |

Note that the PUR permissions are limited to the public realm.

superuser (role)

The superuser role provides full access to the system. The permissions are the same on author and public instances.

Access control lists

| Workspace | Permission | Scope | Path |
| --- | --- | --- | --- |
| Category | Read/Write | Selected and sub nodes | / |
| Config | Read/Write | Selected and sub nodes | / |
| Contacts | Read/Write | Selected and sub nodes | / |
| Dam | Read/Write | Selected and sub nodes | / |
| Data* | Read/Write | Selected and sub nodes | / |
| Dms* | Read/Write | Selected and sub nodes | / |
| Forum | Read/Write | Selected and sub nodes | / |
| GoogleSitemaps | Read/Write | Selected and sub nodes | / |
| Imaging | Read/Write | Selected and sub nodes | / |
| Messages | Read/Write | Selected and sub nodes | / |
| Profiles | Read/Write | Selected and sub nodes | / |
| Resources | Read/Write | Selected and sub nodes | / |
| Rss | Read/Write | Selected and sub nodes | / |
| Scripts | Read/Write | Selected and sub nodes | / |
| Templates | Read/Write | Selected and sub nodes | / |
| Usergroups | Read/Write | Selected and sub nodes | / |
| Userroles | Read/Write | Selected and sub nodes | / |
| Users | Read/Write | Selected and sub nodes | / |
| Website | Read/Write | Selected and sub nodes | / |
| Workflow (EE) | Read/Write | Selected and sub nodes | / |

Web access

| Permission | Path |
| --- | --- |
| Get & Post | * |

Configured access

| Applies to | App | Name | Path |
| --- | --- | --- | --- |
| App | Activation monitor | | /modules/activation/apps/activationMonitor/permissions/roles |
| | Activation | | /modules/activation/apps/activation/permissions/roles |
| | Configuration | | /modules/ui-admincentral/apps/configuration/permissions/roles |
| | Security | | /modules/security-app/apps/security/permissions/roles |
| | Mail tools | | /modules/mail/apps/mail/permissions/roles |
| App launcher | | Dev group | /modules/ui-admincentral/config/appLauncherLayout/groups/dev/permissions/roles |
| | | STK group | /modules/ui-admincentral/config/appLauncherLayout/groups/stk/permissions/roles |
| | | Tools group | /modules/ui-admincentral/config/appLauncherLayout/groups/tools/permissions/roles |
| Actions | Pages (CE) | Publish | /modules/pages/apps/pages/subApps/browser/actions/activate/availability/access/roles |
| | | Publish incl. subpages | /modules/pages/apps/pages/subApps/browser/actions/activateRecursive/availability/access/roles |
| | | Unpublish | /modules/pages/apps/pages/subApps/browser/actions/deactivate/availability/access/roles |
| | | Publish deletion | /modules/pages/apps/pages/subApps/browser/actions/activateDeletion/availability/access/roles |
| | Pages (EE) | Publish | /modules/pages/apps/pages/subApps/browser/actions/startPublication/availability/access/roles |
| | | Publish incl. subpages | /modules/pages/apps/pages/subApps/browser/actions/startPublicationRecursive/availability/access/roles |
| | | Unpublish | /modules/pages/apps/pages/subApps/browser/actions/startUnpublication/availability/access/roles |
| | | Publish deletion | /modules/pages/apps/pages/subApps/browser/actions/activateDeletion/availability/access/roles |

Template access

| Applies to | App | Name | Path |
| --- | --- | --- | --- |
| STK | Templates | Events Overview | /modules/standard-templating-kit/config/site/templates/availability/templates/stkEventsOverview/roles |
| | | News Overview | /modules/standard-templating-kit/config/site/templates/availability/templates/stkNewsOverview/roles |
| | | Category Overview | /modules/standard-templating-kit/config/site/templates/availability/templates/stkCategoryOverview/roles |
| | | SiteMap | /modules/standard-templating-kit/config/site/templates/availability/templates/stkSiteMap/roles |
| | | Search Result | /modules/standard-templating-kit/config/site/templates/availability/templates/stkSearchResult/roles |
| | | FAQ | /modules/standard-templating-kit/config/site/templates/availability/templates/stkFAQ/roles |
| | | Form | /modules/standard-templating-kit/config/site/templates/availability/templates/stkForm/roles |
| | | Form Step | /modules/standard-templating-kit/config/site/templates/availability/templates/stkFormStep/roles |
| | | Glossary | /modules/standard-templating-kit/config/site/templates/availability/templates/stkGlossary/roles |
| | | Glossary Term | /modules/standard-templating-kit/config/site/templates/availability/templates/stkGlossaryTerm/roles |
| | | HTML (component) | /modules/standard-templating-kit/templates/pages/stkArticle/areas/main/areas/content/availableComponents/stkHTML/roles |

demo-project-base

These are roles specific to the demo-project example websites. The permissions are the same on author and public instances.

Access control lists

| Workspace | Permission | Scope | Path |
| --- | --- | --- | --- |
| Config* | Read only | Selected and sub nodes | /modules/data/config/types |
| Data* | Read only | Selected and sub nodes | / |
| Dms* | Read only | Selected and sub nodes | /templating-kit |
| Resources | Read only | Selected and sub nodes | / |
| Userroles | Read only | Selected | /demo-project-base |

Web access

| Permission | Path |
| --- | --- |
| Get & Post | * |

Configured access

| Applies to | App | Name | Path |
| --- | --- | --- | --- |
| App | Categories | | /modules/categorization/apps/categories/permissions/roles |

demo-project-member

These are roles specific to the demo-project example websites. The permissions are the same on author and public instances.

Access control lists

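| Workspace | Permission | Scope | Path |
| --- | --- | --- | --- |
| Userroles | Read only | Selected | /demo-project-member |

Web access

| Permission | Path |
| --- | --- |
| Get & Post | /demo-project/members-area/protected* |

Configured access

| Applies to | Path |
| --- | --- |
| (none) | |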

demo-project-editor

Access control lists

| Workspace | Permission | Scope | Path |
| --- | --- | --- | --- |
| Category | Read/Write | Selected and sub nodes | / |
| Config | Read only | Selected and sub nodes | /modules/standard-templating-kit/templates |
| Contacts | Read/Write | Selected and sub nodes | / |
| Dam | Read/Write | Selected and sub nodes | / |
| Data* | Read/Write | Selected and sub nodes | / |
| Dms* | Read/Write | Selected and sub nodes | /demo-project |
| | Read only | Selected and sub nodes | /$ |
| Userroles | Read only | Selected | /demo-project-editor |
| Website | Read/Write | Selected and sub nodes | /demo-project |
| | Read only | Selected and sub nodes | /$ |

Web access

| Permission | Path |
| --- | --- |
| (none) | |

Configured access

| Applies to | Path |
| --- | --- |
| (none) | |

demo-project-publisher

Access control lists

| Workspace | Permission | Scope | Path |
| --- | --- | --- | --- |
| Category | Read/Write | Selected and sub nodes | / |
| Contacts | Read/Write | Selected and sub nodes | / |
| Dam | Read/Write | Selected and sub nodes | / |
| Data* | Read only | Selected and sub nodes | / |
| Dms* | Read only | Selected and sub nodes | /demo-project |
| | Read only | Selected and sub nodes | /$ |
| Userroles | Read only | Selected | /demo-project-publisher |
| Website | Read only | Selected and sub nodes | /demo-project |
| | Read only | Selected and sub nodes | /$ |

Web access

| Permission | Path |
| --- | --- |
| (none) | |

Configured access

| Applies to | App | Name | Path |
| --- | --- | --- | --- |
| Actions | Pages (CE) | Publish | /modules/pages/apps/pages/subApps/browser/actions/activate/availability/access/roles |
| | | Publish incl. subpages | /modules/pages/apps/pages/subApps/browser/actions/activateRecursive/availability/access/roles |
| | | Unpublish | /modules/pages/apps/pages/subApps/browser/actions/deactivate/availability/access/roles |
| | | Publish deletion | /modules/pages/apps/pages/subApps/browser/actions/activateDeletion/availability/access/roles |
| Actions | Pages (EE) | Publish | /modules/pages/apps/pages/subApps/browser/actions/startPublication/availability/access/roles |
| | | Publish incl. subpages | /modules/pages/apps/pages/subApps/browser/actions/startPublicationRecursive/availability/access/roles |
| | | Unpublish | /modules/pages/apps/pages/subApps/browser/actions/startUnpublication/availability/access/roles |
| | | Publish deletion | /modules/pages/apps/pages/subApps/browser/actions/activateDeletion/availability/access/roles |

editor

Installed by the workflow module (EE). Allows editing content.

Access control lists

| Workspace | Permission | Scope | Path |
| --- | --- | --- | --- |
| Category | Read/Write | Selected and sub nodes | / |
| Contacts | Read/Write | Selected and sub nodes | / |
| Dam | Read/Write | Selected | / |
| Userroles | Read only | Selected and sub nodes | /editor |
| Website | Read/Write | Selected and sub nodes | / |

Web access

| Permission | Path |
| --- | --- |
| (none) | |

Configured access

| Applies to | App | Name | Path |
| --- | --- | --- | --- |
| App | Pages | Publish | /modules/pages/apps/pages/subApps/browser/actions/startPublication/availability/access/roles |
| | | Publish incl. subpages | /modules/pages/apps/pages/subApps/browser/actions/startPublicationRecursive/availability/access/roles |
| | | Unpublish | /modules/pages/apps/pages/subApps/browser/actions/startUnpublication/availability/access/roles |

publisher

Installed by the workflow module (EE). Allows publishing content.

Access control lists

| Workspace | Permission | Scope | Path |
| --- | --- | --- | --- |
| Category | Read only | Selected and sub nodes | / |
| Contacts | Read only | Selected and sub nodes | / |
| Dam | Read only | Selected and sub nodes | / |
| Userroles | Read only | Selected | /publisher |
| Website | Read only | Selected and sub nodes | / |
| Workflow | Read/Write | Selected and sub nodes | / |

Web access

| Permission | Path |
| --- | --- |
| (none) | |

Configured access

| Applies to | App | Name | Path |
| --- | --- | --- | --- |
| App | Pages | Publish | /modules/pages/apps/pages/subApps/browser/actions/startPublication/availability/access/roles |
| | | Publish incl. subpages | /modules/pages/apps/pages/subApps/browser/actions/startPublicationRecursive/availability/access/roles |
| | | Unpublish | /modules/pages/apps/pages/subApps/browser/actions/startUnpublication/availability/access/roles |
| | | Publish deletion | /modules/pages/apps/pages/subApps/browser/actions/activateDeletion/availability/access/roles |

workflow-base

Base role allowing users to use the workflow workspace (EE).

Access control lists

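| Workspace | Permission | Scope | Path |
| --- | --- | --- | --- |
| Userroles | Read only | Selected | /workflow-base |
| Workflow | Read/Write | Selected and sub nodes | / |

Web access

| Permission | Path |
| --- | --- |
| (none) | |

Configured access

| Applies to | Path |
| --- | --- |
| (none) | |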

categorization-base

Access control lists

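| Workspace | Permission | Scope | Path |
| --- | --- | --- | --- |
| Data* | Read only | Selected and sub nodes | /categorization |
| Userroles | Read only | Selected | /categorization-base |

Web access

| Permission | Path |
| --- | --- |
| (none) | |

Configured access

| Applies to | Path |
| --- | --- |
| (none) | |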

contact-base

Access control lists

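| Workspace | Permission | Scope | Path |
| --- | --- | --- | --- |
| Data* | Read only | Selected and sub nodes | /contacts |
| Userroles | Read only | Selected | /contact-base |

Web access

| Permission | Path |
| --- | --- |
| (none) | |

Configured access

| Applies to | Path |
| --- | --- |
| (none) | |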

imaging-base

Access control lists

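| Workspace | Permission | Scope | Path |
| --- | --- | --- | --- |
| Imaging | Read only | Selected and sub nodes | / |
| Userroles | Read only | Selected | /imaging-base |

Web access

| Permission | Path |
| --- | --- |
| (none) | |

Configured access

| Applies to | Path |
| --- | --- |
| (none) | |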

public-user-registration-base

Access control lists

| Workspace | Permission | Scope | Path |
| --- | --- | --- | --- |
| Userroles | Read only | Selected | /public-user-registration-base |

Web access

| Permission | Path |
| --- | --- |
| Get & Post | /.magnolia/pages/password-reminder* |
| Get & Post | /.magnolia/pages/user-validation* |
| Get & Post | /.magnolia/pages/register* |

Configured access

| Applies to | Path |
| --- | --- |
| Public User Registration | /modules/public-user-registration/config/configurations/default/defaultRoles |
| | /modules/public-user-registration/config/configurations/demo-project/defaultRoles |

Note that the PUR permissions are limited to the public realm.

resources-base

Access control lists

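| Workspace | Permission | Scope | Path |
| --- | --- | --- | --- |
| Config | Read only | Selected and sub nodes | /modules/resources |
| Resources | Read/Write | Selected and sub nodes | / |
| Userroles | Read only | Selected | /resources-base |

Web access

| Permission | Path |
| --- | --- |
| (none) | |

Configured access

| Applies to | Path |
| --- | --- |
| (none) | |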

rest

Access control lists

| Workspace | Permission | Scope | Path |
| --- | --- | --- | --- |
| Userroles | Read only | Selected | /rest |

Web access

| Permission | Path |
| --- | --- |
| Deny | /.rest* |
| Deny | /.rest/commands* |
| Deny | /.rest/nodes* |
| Get & Post | /.rest/nodes/v1/website* |
| Deny | /.rest/properties* |
| Get & Post | /.rest/properties/v1/website* |

Configured access

| Applies to | Name | Path |
| --- | --- | --- |
| Commands | Delete | /modules/rest-services/rest-endpoints/commands/enabledCommands/markAsDeleted/access/roles |
| | Activate | /modules/rest-services/rest-endpoints/commands/enabledCommands/activate/access/roles |

rss-aggregator-base

Access control lists

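| Workspace | Permission | Scope | Path |
| --- | --- | --- | --- |
| Data* | Read only | Selected and sub nodes | /rssaggregator |
| Rss | Read only | Selected and sub nodes | / |
| Userroles | Read only | Selected | /rss-aggregator-base |

Web access

| Permission | Path |
| --- | --- |
| (none) | |

Configured access

| Applies to | Path |
| --- | --- |
| (none) | |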

scripter

Access control lists

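| Workspace | Permission | Scope | Path |
| --- | --- | --- | --- |
| Scripts | Read/Write | Selected and sub nodes | / |
| Userroles | Read only | Selected | /scripter |

Web access

| Permission | Path |
| --- | --- |
| Get & Post | * |

Configured access

| Applies to | App | Path |
| --- | --- | --- |
| App | Groovy | /modules/groovy/apps/groovy/permissions/roles |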

security-base

Access control lists

| Workspace | Permission | Scope | Path |
| --- | --- | --- | --- |
| (none) | | | |

Web access

| Permission | Path |
| --- | --- |
| Deny | /.magnolia/pages/installedModulesList* |
| Deny | /.magnolia/pages/jcrUtils* |
| Deny | /.magnolia/log4j |
| Deny | /.magnolia/pages/configuration* |
| Deny | /.magnolia/pages/logViewer* |
| Deny | /.magnolia/pages/sendMail* |
| Deny | /.magnolia/pages/users* |
| Deny | /.magnolia/pages/import* |
| Deny | /.magnolia/pages/export* |
| Deny | /.magnolia/pages/messages* |
| Deny | /.magnolia/pages/permission* |
| Deny | /.magnolia/pages/developmentUtils* |
| Deny | /.magnolia/pages/activationTools* |
| Deny | /.magnolia/pages/migrationReport* |
| Deny | /.magnolia/pages/backup* |
| Deny | /.magnolia/pages/activationMonitor* |
| Deny | /.magnolia/pages/allModulesList* |
| Deny | /.magnolia/pages/cacheTools* |
| Deny | /.rest* |
| Deny (EE) | /.magnolia/pages/flows* |

Configured access

| Applies to | Path |
| --- | --- |
| (none) | |

templater-base

Access control lists

| Workspace | Permission | Scope | Path |
| --- | --- | --- | --- |
| Config | Read only | Selected and sub nodes | /modules/inplace-templating |
| Templates | Read/Write | Selected and sub nodes | / |
| Userroles | Read only | Selected | /templater-base |

Web access

| Permission | Path |
| --- | --- |
| (none) | |

Configured access

| Applies to | App | Name | Path |
| --- | --- | --- | --- |
| App | Templates | | /modules/inplace-templating/apps/inplace-templating/permissions/roles |

forum_ALL-user

Role that allows posting in all forums.

Access control lists

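| Workspace | Permission | Scope | Path |
| --- | --- | --- | --- |
| Forum | Read/Write | Selected and sub nodes | / |
| Userroles | Read only | Selected | /forum_ALL-user |

Web access

| Permission | Path |
| --- | --- |
| Get & Post | /.magnolia/pages/forum* |

Configured access

| Applies to | Path |
| --- | --- |
| (none) | |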

forum_ALL-admin

Role that gives administration permissions on all forums.

Access control lists

| Workspace | Permission | Scope | Path |
| --- | --- | --- | --- |
| Forum | Read/Write | Selected and sub nodes | / |
| Userroles | Read only | Selected | /forum_ALL-admin |

Web access

| Permission | Path |
| --- | --- |
| Get & Post | /.magnolia/pages/forum* |

Configured access

| Applies to | App | Path |
| --- | --- | --- |
| App | Forum | /modules/forum/apps/forum/permissions/roles |
| Actions | Forum | /modules/forum/apps/forum/subApps/browser/actions/addForum/availability/access/roles |
| | | /modules/forum/apps/forum/subApps/browser/actions/editForum/availability/access/roles |
| | | /modules/forum/apps/forum/subApps/browser/actions/deleteForum/availability/access/roles |
| | | /modules/forum/apps/forum/subApps/browser/actions/confirmDeleteForum/availability/access/roles |

forum_ALL-moderator

Role that gives moderation permissions on all forums.

Access control lists

| Workspace | Permission | Scope | Path |
| --- | --- | --- | --- |
| Forum | Moderate and Delete | Selected and sub nodes | / |
| Userroles | Read only | Selected | /forum_ALL-moderator |

Web access

| Permission | Path |
| --- | --- |
| Get & Post | /.magnolia/pages/forum* |

Configured access

| Applies to | App | Path |
| --- | --- | --- |
| App | Forum | /modules/forum/apps/forum/permissions/roles |

forum-pagecomments-user

Role that gives commenting permissions.

| Workspace | Permission | Scope | Path |
| --- | --- | --- | --- |
| Forum | Read/Write | Selected and sub nodes | /pagecomments |
| Userroles | Read only | Selected | /forum-pagecomments-user |

Web access

| Permission | Path |
| --- | --- |
| (none) | |

Configured access

| Applies to | Path |
| --- | --- |
| (none) | |

Groups

Group permissions are the same on author and public instances.

demo-project-editors

The demo-project-editors group is used to organize the editors of the sample websites.

| Assigned groups | Granted roles |
| --- | --- |
| (none) | demo-project-base |
| | demo-project-editor |
| | imaging-base |
| | security-base |

demo-project-publishers

The demo-project-publishers group is used to organize the publishers of the sample websites.

| Assigned groups | Granted roles |
| --- | --- |
| (none) | demo-project-base |
| | demo-project-publisher |
| | imaging-base |
| | security-base |

demo-project-members

The demo-project-members group is used to organize the public users who are registered as members of the sample websites.

| Assigned groups | Granted roles |
| --- | --- |
| (none) | anonymous |
| | contact-base |
| | demo-project-member |
| | imaging-base |
| | public-user-registration-base |
| | resources-base |

editors

| Assigned groups | Granted roles |
| --- | --- |
| (none) | editor |
| | workflow-base |

publishers

| Assigned groups | Granted roles |
| --- | --- |
| (none) | publisher |
| | workflow-base |

Users

eric

User eric is an example editor.

| Assigned groups | Granted roles |
| --- | --- |
| demo-project-editors | forum_ALL-admin |
| editors | |

peter

User peter is an example publisher.

| Assigned groups | Granted roles |
| --- | --- |
| demo-project-publishers | forum_ALL-moderator |
| publishers | |

System users

anonymous (system user, author instance)

User anonymous represents a Web visitor.

| Assigned groups | Granted roles |
| --- | --- |
| (none) | anonymous |
| | categorization-base |
| | contact-base |
| | forum-pagecomments-user |
| | imaging-base |

anonymous (system user, public instance)

User anonymous represents a Web visitor.

| Assigned groups | Granted roles |
| --- | --- |
| (none) | anonymous |
| | categorization-base |
| | contact-base |
| | imaging-base |
| | public-user-registration-base |
| | forum-pagecomments-user |

superuser (system user)

User superuser represents an administrator who has full access to the system.

| Assigned groups | Granted roles |
| --- | --- |
| publishers (EE) | forum_ALL_admin |
| | rest |
| | superuser |