Magnolia 5.3 reached end of life on June 30, 2017. This branch is no longer supported; see End-of-life policy.
The default permissions set up in the Security app demonstrate how to assign roles, ACLs and web access in a typical scenario. These permissions are complemented by configured app access.
The Permissions app allows you to view a comprehensive list of permissions assigned to any user or group in the Security app at any point in time.
The tables below show default permissions, role and group assignments, and configured access permissions.
Permissions marked with an asterisk ( * ) are a legacy leftover from Magnolia 4.5. They are not used in 5.0+.
The anonymous role defines the permissions of public, unauthenticated users. Permissions are different on the author and public instances.
Access control lists
Workspace | Permission | Scope | Path |
---|---|---|---|
Category | Read only | Selected and sub nodes | / |
Contacts | Read only | Selected and sub nodes | / |
DAM | Read only | Selected and sub nodes | / |
GoogleSitemaps | Read only | Selected and sub nodes | / |
Resources | Read only | Selected and sub nodes | / |
Tags | Read only | Selected and sub nodes | / |
Website | Deny access | Selected and sub nodes | / |
Web access
Permission | Path |
---|---|
Deny | * |
Deny | /.magnolia* |
Configured access
Applies to | Path |
---|---|
Public User Registration | /modules/public-user-registration/config/configurations/default/defaultRoles |
Public User Registration | /modules/public-user-registration/config/configurations/demo-project/defaultRoles |
Note that the PUR permissions are limited to the public realm.
Access control lists
Workspace | Permission | Scope | Path |
---|---|---|---|
Category | Read only | Selected and sub nodes | / |
Contacts | Read only | Selected and sub nodes | / |
Dam | Read only | Selected and sub nodes | / |
GoogleSitemaps | Read only | Selected and sub nodes | / |
Resources | Read only | Selected and sub nodes | / |
Tags | Read only | Selected and sub nodes | / |
Website | Read only | Selected and sub nodes | / |
Web access
Permission | Path |
---|---|
Get & Post | * |
Deny | /.magnolia* |
Deny | /.magnolia/* |
Deny | /.rest* |
Deny | /demo-project/members-area/protected* |
Deny | <demo-project>/members-area/protected* |
Configured access
Applies to | Path |
---|---|
Public User Registration | /modules/public-user-registration/config/configurations/default/defaultRoles |
Public User Registration | /modules/public-user-registration/config/configurations/demo-project/defaultRoles |
Note that the PUR permissions are limited to the public realm.
The superuser role provides full access to the system. The permissions are the same on author and public instances.
Access control lists
Workspace | Permission | Scope | Path |
---|---|---|---|
Category | Read/Write | Selected and sub nodes | / |
Config | Read/Write | Selected and sub nodes | / |
Contacts | Read/Write | Selected and sub nodes | / |
Dam | Read/Write | Selected and sub nodes | / |
Data* | Read/Write | Selected and sub nodes | / |
Dms* | Read/Write | Selected and sub nodes | / |
Forum | Read/Write | Selected and sub nodes | / |
GoogleSitemaps | Read/Write | Selected and sub nodes | / |
Imaging | Read/Write | Selected and sub nodes | / |
Messages | Read/Write | Selected and sub nodes | / |
Profiles | Read/Write | Selected and sub nodes | / |
Resources | Read/Write | Selected and sub nodes | / |
Rss | Read/Write | Selected and sub nodes | / |
Scripts | Read/Write | Selected and sub nodes | / |
Templates | Read/Write | Selected and sub nodes | / |
Usergroups | Read/Write | Selected and sub nodes | / |
Userroles | Read/Write | Selected and sub nodes | / |
Users | Read/Write | Selected and sub nodes | / |
Website | Read/Write | Selected and sub nodes | / |
Workflow (EE) | Read/Write | Selected and sub nodes | / |
Web access
Permission | Path |
---|---|
Get & Post | * |
Configured access
Applies to | App | Name | Path |
---|---|---|---|
App | Activation monitor | | /modules/activation/apps/activationMonitor/permissions/roles |
App | Activation | | /modules/activation/apps/activation/permissions/roles |
App | Configuration | | /modules/ui-admincentral/apps/configuration/permissions/roles |
App | Security | | /modules/security-app/apps/security/permissions/roles |
App | Mail tools | | /modules/mail/apps/mail/permissions/roles |
App launcher | Dev group | | /modules/ui-admincentral/config/appLauncherLayout/groups/dev/permissions/roles |
App launcher | STK group | | /modules/ui-admincentral/config/appLauncherLayout/groups/stk/permissions/roles |
App launcher | Tools group | | /modules/ui-admincentral/config/appLauncherLayout/groups/tools/permissions/roles |
Actions | Pages (CE) | Publish | /modules/pages/apps/pages/subApps/browser/actions/activate/availability/access/roles |
Actions | Pages (CE) | Publish incl. subpages | /modules/pages/apps/pages/subApps/browser/actions/activateRecursive/availability/access/roles |
Actions | Pages (CE) | Unpublish | /modules/pages/apps/pages/subApps/browser/actions/deactivate/availability/access/roles |
Actions | Pages (CE) | Publish deletion | /modules/pages/apps/pages/subApps/browser/actions/activateDeletion/availability/access/roles |
Actions | Pages (EE) | Publish | /modules/pages/apps/pages/subApps/browser/actions/startPublication/availability/access/roles |
Actions | Pages (EE) | Publish incl. subpages | /modules/pages/apps/pages/subApps/browser/actions/startPublicationRecursive/availability/access/roles |
Actions | Pages (EE) | Unpublish | /modules/pages/apps/pages/subApps/browser/actions/startUnpublication/availability/access/roles |
Actions | Pages (EE) | Publish deletion | /modules/pages/apps/pages/subApps/browser/actions/activateDeletion/availability/access/roles |
Template access
Applies to | App | Name | Path |
---|---|---|---|
STK | Templates | Events Overview | /modules/standard-templating-kit/config/site/templates/availability/templates/stkEventsOverview/roles |
STK | Templates | News Overview | /modules/standard-templating-kit/config/site/templates/availability/templates/stkNewsOverview/roles |
STK | Templates | Category Overview | /modules/standard-templating-kit/config/site/templates/availability/templates/stkCategoryOverview/roles |
STK | Templates | SiteMap | /modules/standard-templating-kit/config/site/templates/availability/templates/stkSiteMap/roles |
STK | Templates | Search Result | /modules/standard-templating-kit/config/site/templates/availability/templates/stkSearchResult/roles |
STK | Templates | FAQ | /modules/standard-templating-kit/config/site/templates/availability/templates/stkFAQ/roles |
STK | Templates | Form | /modules/standard-templating-kit/config/site/templates/availability/templates/stkForm/roles |
STK | Templates | Form Step | /modules/standard-templating-kit/config/site/templates/availability/templates/stkFormStep/roles |
STK | Templates | Glossary | /modules/standard-templating-kit/config/site/templates/availability/templates/stkGlossary/roles |
STK | Templates | Glossary Term | /modules/standard-templating-kit/config/site/templates/availability/templates/stkGlossaryTerm/roles |
STK | Templates | HTML (component) | /modules/standard-templating-kit/templates/pages/stkArticle/areas/main/areas/content/availableComponents/stkHTML/roles |
These are roles specific to the demo-project example websites. The permissions are the same on author and public instances.
Access control lists
Workspace | Permission | Scope | Path |
---|---|---|---|
Config* | Read only | Selected and sub nodes | /modules/data/config/types |
Data* | Read only | Selected and sub nodes | / |
Dms* | Read only | Selected and sub nodes | /templating-kit |
Resources | Read only | Selected and sub nodes | / |
Userroles | Read only | Selected | /demo-project-base |
Web access
Permission | Path |
---|---|
Get & Post | * |
Configured access
Applies to | App | Name | Path |
---|---|---|---|
App | Categories | | /modules/categorization/apps/categories/permissions/roles |
These are roles specific to the demo-project example websites. The permissions are the same on author and public instances.
Access control lists
Workspace | Permission | Scope | Path |
---|---|---|---|
Userroles | Read only | Selected | /demo-project-member |
Web access
Permission | Path |
---|---|
Get & Post | /demo-project/members-area/protected* |
Configured access
Applies to | Path |
---|---|
(none) |
Access control lists
Workspace | Permission | Scope | Path |
---|---|---|---|
Category | Read/Write | Selected and sub nodes | / |
Config | Read only | Selected and sub nodes | /modules/standard-templating-kit/templates |
Contacts | Read/Write | Selected and sub nodes | / |
Dam | Read/Write | Selected and sub nodes | / |
Data* | Read/Write | Selected and sub nodes | / |
Dms* | Read/Write | Selected and sub nodes | /demo-project |
Dms* | Read only | Selected and sub nodes | /$ |
Userroles | Read only | Selected | /demo-project-editor |
Website | Read/Write | Selected and sub nodes | /demo-project |
Website | Read only | Selected and sub nodes | /$ |
Web access
Permission | Path |
---|---|
(none) |
Configured access
Applies to | Path |
---|---|
(none) |
Access control lists
Workspace | Permission | Scope | Path |
---|---|---|---|
Category | Read/Write | Selected and sub nodes | / |
Contacts | Read/Write | Selected and sub nodes | / |
Dam | Read/Write | Selected and sub nodes | / |
Data* | Read only | Selected and sub nodes | / |
Dms* | Read only | Selected and sub nodes | /demo-project |
Dms* | Read only | Selected and sub nodes | /$ |
Userroles | Read only | Selected | /demo-project-publisher |
Website | Read only | Selected and sub nodes | /demo-project |
Website | Read only | Selected and sub nodes | /$ |
Web access
Permission | Path |
---|---|
(none) |
Configured access
Applies to | App | Name | Path |
---|---|---|---|
Actions | Pages (CE) | Publish | /modules/pages/apps/pages/subApps/browser/actions/activate/availability/access/roles |
Actions | Pages (CE) | Publish incl. subpages | /modules/pages/apps/pages/subApps/browser/actions/activateRecursive/availability/access/roles |
Actions | Pages (CE) | Unpublish | /modules/pages/apps/pages/subApps/browser/actions/deactivate/availability/access/roles |
Actions | Pages (CE) | Publish deletion | /modules/pages/apps/pages/subApps/browser/actions/activateDeletion/availability/access/roles |
Actions | Pages (EE) | Publish | /modules/pages/apps/pages/subApps/browser/actions/startPublication/availability/access/roles |
Actions | Pages (EE) | Publish incl. subpages | /modules/pages/apps/pages/subApps/browser/actions/startPublicationRecursive/availability/access/roles |
Actions | Pages (EE) | Unpublish | /modules/pages/apps/pages/subApps/browser/actions/startUnpublication/availability/access/roles |
Actions | Pages (EE) | Publish deletion | /modules/pages/apps/pages/subApps/browser/actions/activateDeletion/availability/access/roles |
Installed by the workflow module (EE). Allows editing content.
Access control lists
Workspace | Permission | Scope | Path |
---|---|---|---|
Category | Read/Write | Selected and sub nodes | / |
Contacts | Read/Write | Selected and sub nodes | / |
Dam | Read/Write | Selected | / |
Userroles | Read only | Selected and sub nodes | /editor |
Website | Read/Write | Selected and sub nodes | / |
Web access
Permission | Path |
---|---|
(none) |
Configured access
Applies to | App | Name | Path |
---|---|---|---|
App | Pages | Publish | /modules/pages/apps/pages/subApps/browser/actions/startPublication/availability/access/roles |
App | Pages | Publish incl. subpages | /modules/pages/apps/pages/subApps/browser/actions/startPublicationRecursive/availability/access/roles |
App | Pages | Unpublish | /modules/pages/apps/pages/subApps/browser/actions/startUnpublication/availability/access/roles |
Installed by the workflow module (EE). Allows publishing content.
Access control lists
Workspace | Permission | Scope | Path |
---|---|---|---|
Category | Read only | Selected and sub nodes | / |
Contacts | Read only | Selected and sub nodes | / |
Dam | Read only | Selected and sub nodes | / |
Userroles | Read only | Selected | /publisher |
Website | Read only | Selected and sub nodes | / |
Workflow | Read/Write | Selected and sub nodes | / |
Web access
Permission | Path |
---|---|
(none) |
Configured access
Applies to | App | Name | Path |
---|---|---|---|
App | Pages | Publish | /modules/pages/apps/pages/subApps/browser/actions/startPublication/availability/access/roles |
App | Pages | Publish incl. subpages | /modules/pages/apps/pages/subApps/browser/actions/startPublicationRecursive/availability/access/roles |
App | Pages | Unpublish | /modules/pages/apps/pages/subApps/browser/actions/startUnpublication/availability/access/roles |
App | Pages | Publish deletion | /modules/pages/apps/pages/subApps/browser/actions/activateDeletion/availability/access/roles |
Base role allowing users to use the workflow workspace (EE).
Access control lists
Workspace | Permission | Scope | Path |
---|---|---|---|
Userroles | Read only | Selected | /workflow-base |
Workflow | Read/Write | Selected and sub nodes | / |
Web access
Permission | Path |
---|---|
(none) |
Configured access
Applies to | Path |
---|---|
(none) |
Access control lists
Workspace | Permission | Scope | Path |
---|---|---|---|
Data* | Read only | Selected and sub nodes | /categorization |
Userroles | Read only | Selected | /categorization-base |
Web access
Permission | Path |
---|---|
(none) |
Configured access
Applies to | Path |
---|---|
(none) |
Access control lists
Workspace | Permission | Scope | Path |
---|---|---|---|
Data* | Read only | Selected and sub nodes | /contacts |
Userroles | Read only | Selected | /contact-base |
Web access
Permission | Path |
---|---|
(none) |
Configured access
Applies to | Path |
---|---|
(none) |
Access control lists
Workspace | Permission | Scope | Path |
---|---|---|---|
Imaging | Read only | Selected and sub nodes | / |
Userroles | Read only | Selected | /imaging-base |
Web access
Permission | Path |
---|---|
(none) |
Configured access
Applies to | Path |
---|---|
(none) |
Access control lists
Workspace | Permission | Scope | Path |
---|---|---|---|
Userroles | Read only | Selected | /public-user-registration-base |
Web access
Permission | Path |
---|---|
Get & Post | /.magnolia/pages/password-reminder* |
Get & Post | /.magnolia/pages/user-validation* |
Get & Post | /.magnolia/pages/register* |
Configured access
Applies to | Path |
---|---|
Public User Registration | /modules/public-user-registration/config/configurations/default/defaultRoles |
Public User Registration | /modules/public-user-registration/config/configurations/demo-project/defaultRoles |
Note that the PUR permissions are limited to the public realm.
Access control lists
Workspace | Permission | Scope | Path |
---|---|---|---|
Config | Read only | Selected and sub nodes | /modules/resources |
Resources | Read/Write | Selected and sub nodes | / |
Userroles | Read only | Selected | /resources-base |
Web access
Permission | Path |
---|---|
(none) |
Configured access
Applies to | Path |
---|---|
(none) |
Access control lists
Workspace | Permission | Scope | Path |
---|---|---|---|
Userroles | Read only | Selected | /rest |
Web access
Permission | Path |
---|---|
Deny | /.rest* |
Deny | /.rest/commands* |
Deny | /.rest/nodes* |
Get & Post | /.rest/nodes/v1/website* |
Deny | /.rest/properties* |
Get & Post | /.rest/properties/v1/website* |
Configured access
Applies to | Name | Path |
---|---|---|
Commands | Delete | /modules/rest-services/rest-endpoints/commands/enabledCommands/markAsDeleted/access/roles |
Commands | Activate | /modules/rest-services/rest-endpoints/commands/enabledCommands/activate/access/roles |
Access control lists
Workspace | Permission | Scope | Path |
---|---|---|---|
Data* | Read-only | Selected and sub nodes | |
Rss | Read-only | Selected and sub nodes | / |
Userroles | Read only | Selected | /rss-aggregator-base |
Web access
Permission | Path |
---|---|
(none) |
Configured access
Applies to | Path |
---|---|
(none) |
Access control lists
Workspace | Permission | Scope | Path |
---|---|---|---|
Scripts | Read/Write | Selected and sub nodes | / |
Userroles | Read only | Selected | /scripter |
Web access
Permission | Path |
---|---|
Get & Post | * |
Configured access
Applies to | App | Path |
---|---|---|
App | Groovy | /modules/groovy/apps/groovy/permissions/roles |
Access control lists
Workspace | Permission | Scope | Path |
---|---|---|---|
(none) |
Web access
Permission | Path |
---|---|
Deny | /.magnolia/pages/installedModulesList* |
Deny | /.magnolia/pages/jcrUtils* |
Deny | /.magnolia/log4j |
Deny | /.magnolia/pages/configuration* |
Deny | /.magnolia/pages/logViewer* |
Deny | /.magnolia/pages/sendMail* |
Deny | /.magnolia/pages/users* |
Deny | /.magnolia/pages/import* |
Deny | /.magnolia/pages/export* |
Deny | /.magnolia/pages/messages* |
Deny | /.magnolia/pages/permission* |
Deny | /.magnolia/pages/developmentUtils* |
Deny | /.magnolia/pages/activationTools* |
Deny | /.magnolia/pages/migrationReport* |
Deny | /.magnolia/pages/backup* |
Deny | /.magnolia/pages/activationMonitor* |
Deny | /.magnolia/pages/allModulesList* |
Deny | /.magnolia/pages/cacheTools* |
Deny | /.rest* |
Deny (EE) | /.magnolia/pages/flows* |
Configured access
Applies to | Path |
---|---|
(none) |
Access control lists
Workspace | Permission | Scope | Path |
---|---|---|---|
Config | Read-only | Selected and sub nodes | /modules/inplace-templating |
Templates | Read/Write | Selected and sub nodes | / |
Userroles | Read only | Selected | /templater-base |
Web access
Permission | Path |
---|---|
(none) |
Configured access
Applies to | App | Name | Path |
---|---|---|---|
App | Templates | | /modules/inplace-templating/apps/inplace-templating/permissions/roles |
Role that allows posting in all forums.
Access control lists
Workspace | Permission | Scope | Path |
---|---|---|---|
Forum | Read/Write | Selected and sub nodes | / |
Userroles | Read only | Selected | /forum_ALL-user |
Web access
Permission | Path |
---|---|
Get & Post | /.magnolia/pages/forum* |
Configured access
Applies to | Path |
---|---|
(none) |
Role which gives administration permissions on ALL forums.
Access control lists
Workspace | Permission | Scope | Path |
---|---|---|---|
Forum | Read/Write | Selected and sub nodes | / |
Userroles | Read only | Selected | /forum_ALL-admin |
Web access
Permission | Path |
---|---|
Get & Post | /.magnolia/pages/forum* |
Configured access
Applies to | App | Path |
---|---|---|
App | Forum | /modules/forum/apps/forum/permissions/roles |
Actions | Forum | /modules/forum/apps/forum/subApps/browser/actions/addForum/availability/access/roles |
Actions | Forum | /modules/forum/apps/forum/subApps/browser/actions/editForum/availability/access/roles |
Actions | Forum | /modules/forum/apps/forum/subApps/browser/actions/deleteForum/availability/access/roles |
Actions | Forum | /modules/forum/apps/forum/subApps/browser/actions/confirmDeleteForum/availability/access/roles |
Role which gives moderation permissions on ALL forums.
Access control lists
Workspace | Permission | Scope | Path |
---|---|---|---|
Forum | Moderate and Delete | Selected and sub nodes | / |
Userroles | Read Only | Selected | /forum_ALL-moderator |
Web access
Permission | Path |
---|---|
Get & Post | /.magnolia/pages/forum* |
Configured access
Applies to | App | Path |
---|---|---|
App | Forum | /modules/forum/apps/forum/permissions/roles |
Role which gives commenting permissions.
Workspace | Permission | Scope | Path |
---|---|---|---|
Forum | Read/Write | Selected and sub nodes | /pagecomments |
Userroles | Read Only | Selected | /forum-pagecomments-user |
Web access
Permission | Path |
---|---|
(none) |
Configured access
Applies to | Path |
---|---|
(none) |
Group permissions are the same on author and public instances.
The demo-project-editors group is used to organize the editors of the sample websites.
Assigned groups | Granted roles |
---|---|
(none) | demo-project-base, demo-project-editor, imaging-base, security-base |
The demo-project-publishers group is used to organize the publishers of the sample websites.
Assigned groups | Granted roles |
---|---|
(none) | demo-project-base, demo-project-publisher, imaging-base, security-base |
The demo-project-members group is used to organize the public users who are registered as members of the sample websites.
Assigned groups | Granted roles |
---|---|
(none) | anonymous, contact-base, demo-project-member, imaging-base, public-user-registration-base, resources-base |
Assigned groups | Granted roles |
---|---|
(none) | editor, workflow-base |
Assigned groups | Granted roles |
---|---|
(none) | publisher, workflow-base |
User eric is an example editor.
Assigned groups | Granted roles |
---|---|
demo-project-editors, editors | forum_ALL-admin |
User peter is an example publisher.
Assigned groups | Granted roles |
---|---|
demo-project-publishers, publishers | forum_ALL-moderator |
User anonymous represents a Web visitor.
Assigned groups | Granted roles |
---|---|
(none) | anonymous, categorization-base, contact-base, forum-pagecomments-user, imaging-base |
User anonymous represents a Web visitor.
Assigned groups | Granted roles |
---|---|
(none) | anonymous, categorization-base, contact-base, imaging-base, public-user-registration-base, forum-pagecomments-user |
User superuser represents an administrator who has full access to the system.
Assigned groups | Granted roles |
---|---|
publishers (EE) | forum_ALL_admin, rest, superuser |