Default permissions

The default permissions set up in the Security app demonstrate how to assign roles, ACLs and web access in a typical scenario. These permissions are complemented by configured app access.

The Permissions app allows you to view a comprehensive list of permissions assigned to any user or group in the Security app at any point in time.

The tables below show default permissions, role and group assignments, and configured access permissions.

Roles

anonymous (role, author instance)

The anonymous role defines the permissions of public, unauthenticated users. Permissions are different on the author and public instances.

Access control lists

Workspace	Permission	Scope	Path
Category	Read only	Selected and sub nodes	`/`
DAM	Read only	Sub nodes	`/`
GoogleSitemaps	Read only	Selected and sub nodes	`/`
Resources	Read only	Sub nodes	`/`
Tags	Read only	Selected and sub nodes	`/`
Website	Deny access	Sub nodes	`/`

Web access

Permission	Path
Deny	`*`
Deny	`/.magnolia*`

anonymous (role, public instance)

Access control lists

Workspace	Permission	Scope	Path
Category	Read only	Selected and sub nodes	`/`
Dam	Read only	Selected and sub nodes	`/`
GoogleSitemaps	Read only	Selected and sub nodes	`/`
Resources	Read only	Sub nodes	`/`
Tags	Read only	Selected and sub nodes	`/`
Website	Read only	Sub nodes	`/`

Web access

Permission	Path
Get & Post	`*`
Deny	`/.magnolia*`
Deny	`/.magnolia/*`
Deny	`/.rest*`

superuser (role)

The superuser role provides full access to the system. The permissions are the same on author and public instances.

Access control lists

Workspace	Permission	Scope	Path
Category	Read/Write	Sub nodes	`/`
Config	Read/Write	Sub nodes	`/`
Contacts	Read/Write	Sub nodes	`/`
Dam	Read/Write	Sub nodes	`/`
Dms*	Read/Write	Sub nodes	`/`
Forum	Read/Write	Sub nodes	`/`
GoogleSitemaps	Read/Write	Sub nodes	`/`
Imaging	Read/Write	Sub nodes	`/`
Messages	Read/Write	Sub nodes	`/`
Profiles	Read/Write	Sub nodes	`/`
Resources	Read/Write	Sub nodes	`/`
Rss	Read/Write	Sub nodes	`/`
Scripts	Read/Write	Sub nodes	`/`
Segments	Read/Write	Sub nodes	`/`
Tags	Read/Write	Sub nodes	`/`
Tasks	Read/Write	Sub nodes	`/`
Templates	Read/Write	Sub nodes	`/`
Tours	Read/Write	Sub nodes	`/`
Usergroups	Read/Write	Sub nodes	`/`
Userroles	Read/Write	Sub nodes	`/`
Users	Read/Write	Sub nodes	`/`
Website	Read/Write	Sub nodes	`/`
Workflow (EE)	Read/Write	Sub nodes	`/`

Web access

Permission	Path
Get & Post	`*`

Configured access

Applies to	Name	Path
App	Activation	`/modules/activation/apps/activation/permissions/roles`
	Configuration	`/modules/ui-admincentral/apps/configuration/permissions/roles`
	Security	`/modules/security-app/apps/security/permissions/roles`
	Security	`/modules/security-app/dialogs/role/form/tabs/role/fields/jcrName`
	Mail tools	`/modules/mail/apps/mail/permissions/roles`
	Dev tools	`/modules/tools/apps/tools/permissions/roles`
	Backup	`/modules/backup/apps/backup/permissions/roles`
App launcher	Dev group	`/modules/ui-admincentral/config/appLauncherLayout/groups/dev/permissions/roles`
	Tools group	`/modules/ui-admincentral/config/appLauncherLayout/groups/tools/permissions/roles`
Pulse	Abort action	`/modules/workflow/messageViews/publish/actions/abort/availability/access/roles`
	Archive action	`/modules/workflow/messageViews/publish/actions/archive/availability/access/roles`

travel-demo-base

These are roles specific to the demo websites. The permissions are the same on author and public instances.

Access control lists

Workspace Permission Scope Path

travel-demo-admincentral

These are roles specific to the demo-project example websites. The permissions are the same on author and public instances.

Web access

Permission	Path
Get & Post	`*`

travel-demo-editor

Access control lists

Workspace	Permission	Scope	Path
Category	Read/Write	Sub nodes	`/`
Dam	Read/Write	Sub nodes	`/`
Website	Read/Write	Sub nodes	`/`

Configured access

Applies to	App	Name	Path
App	Assets		`/modules/dam-app/apps/assets/permissions/roles`
Action	Assets	Activate	`/modules/dam-app/apps/assets/subApps/browser/actions/activate/availability/access/roles`
Action	Pages	Activate	`/modules/pages/apps/pages/subApps/browser/actions/activate/availability/access/roles`

travel-demo-publisher

Access control lists

Workspace	Permission	Scope	Path
Website	Read/Write	Sub nodes	`/`

Configured access

Applies to	App	Name	Path
App	Assets		`/modules/dam-app/apps/assets/permissions/roles`
Action	Assets	Activate	`/modules/dam-app/apps/assets/subApps/browser/actions/activate/availability/access/roles`
Action	Pages	Activate	`/modules/pages/apps/pages/subApps/browser/actions/activate/availability/access/roles`

travel-demo-tour-editor

Access control lists

Workspace Permission Scope Path

editor

Installed by the workflow module (EE). Allows editing content.

Access control lists

Workspace	Permission	Scope	Path
Category	Read/Write	Sub nodes	`/`
Contacts	Read/Write	Sub nodes	`/`
Dam	Read/Write	Sub nodes	`/`
Website	Read/Write	Sub nodes	`/`

Configured access

Applies to	App	Name	Path
Action	Pages	Activate	`/modules/pages/apps/pages/subApps/browser/actions/activate/availability/access/roles`

publisher

Installed by the workflow module (EE). Allows publishing content.

Access control lists

Workspace	Permission	Scope	Path
Category	Read only	Sub nodes	`/`
Contacts	Read only	Sub nodes	`/`
Website	Read only	Sub nodes	`/`
Workflow	Read/Write	Sub nodes	`/`

Configured access

Applies to	App	Name	Path
Action	Pages	Activate	`/modules/pages/apps/pages/subApps/browser/actions/activate/availability/access/roles`

workflow-base

Base role allowing users to use the workflow workspace (EE).

Access control lists

Workspace	Permission	Scope	Path
Workflow	Read/Write	Sub nodes	`/`

contact-base

Access control lists

Workspace	Permission	Scope	Path
Contact	Read only	Sub nodes	`/`

imaging-base

Access control lists

Workspace	Permission	Scope	Path
Imaging	Read only	Sub nodes	`/`

resources-base

Access control lists

Workspace	Permission	Scope	Path
Config	Read only	Selected and sub nodes	`/modules/resources`
Resources	Read/Write	Sub nodes	`/`

rest

Web access

Permission	Path
Deny	`/.rest*`
Deny	`/.rest/commands*`
Deny	`/.rest/nodes*`
Get & Post	`/.rest/nodes/v1/website*`
Deny	`/.rest/properties*`
Get & Post	`/.rest/properties/v1/website*`
Get & Post	`/.rest/cache/v1*`
Get & Post	`/.rest/api-docs*`

Configured access

Applies to	Name	Path
Commands	Delete	`/modules/rest-services/rest-endpoints/commands/enabledCommands/markAsDeleted/access/roles`
	Activate	`/modules/rest-services/rest-endpoints/commands/enabledCommands/activate/access/roles`

rss-aggregator-base

Access control lists

Workspace	Permission	Scope	Path
Rss	Read-only	Sub nodes	`/`

scripter

Access control lists

Workspace	Permission	Scope	Path
Scripts	Read/Write	Sub nodes	`/`

Web access

Permission	Path
Get & Post	`*`

Configured access

Applies to	App	Path
App	Groovy	`/modules/groovy/apps/groovy/permissions/roles`

security-base

Web access

Permission	Path
Deny	`/.magnolia/pages/jcrUtils*`
Deny	`/.magnolia/log4j`
Deny	`/.magnolia/pages/configuration*`
Deny	`/.magnolia/pages/logViewer*`
Deny	`/.magnolia/pages/users*`
Deny	`/.magnolia/pages/import*`
Deny	`/.magnolia/pages/export*`
Deny	`/.magnolia/pages/permission*`
Deny	`/.magnolia/pages/developmentUtils*`
Deny	`/.rest*`

templater-base

Access control lists

Workspace	Permission	Scope	Path
Config	Read-only	Selected and sub nodes	`/modules/inplace-templating`
Templates	Read/Write	Sub nodes	`/`

Configured access

Applies to	App	Path
App	Templates	`/modules/inplace-templating/apps/inplace-templating/permissions/roles`

forum_ALL-user

Role that allows posting in all forums.

Access control lists

Workspace	Permission	Scope	Path
Forum	Read/Write	Sub nodes	`/`

Web access

Permission	Path
Get & Post	`/.magnolia/pages/forum*`

forum_ALL-admin

Role which gives administration permissions on ALL forums

Access control lists

Workspace	Permission	Scope	Path
Forum	Read/Write	Sub nodes	`/`

Web access

Permission	Path
Get & Post	`/.magnolia/pages/forum*`

Configured access

Applies to	App	Name	Path
App	Forum		`/modules/forum/apps/forum/permissions/roles`
Actions	Forum	Add forum	`/modules/forum/apps/forum/subApps/browser/actions/addForum/availability/access/roles`
		Edit forum	`/modules/forum/apps/forum/subApps/browser/actions/editForum/availability/access/roles`
		Delete forum	`/modules/forum/apps/forum/subApps/browser/actions/deleteForum/availability/access/roles`
		Confirm delete	`/modules/forum/apps/forum/subApps/browser/actions/confirmDeleteForum/availability/access/roles`

forum_ALL-moderator

Role which gives moderation permissions on ALL forums

Access control lists

Workspace	Permission	Scope	Path
Forum	Read/Write	Sub nodes	`/`

Web access

Permission	Path
Get & Post	`/.magnolia/pages/forum*`

Configured access

Applies to	App	Path
App	Forum	`/modules/forum/apps/forum/permissions/roles`

forum-pagecomments-user

Role which gives commenting permissions.

Workspace	Permission	Scope	Path
Forum	Read/Write	Selected and sub nodes	`/pagecomments`

Groups

Group permissions are the same on author and public instances.

travel-demo-editors

The travel-demo-editors group is used to organize the editors of the sample websites.

Assigned groups	Assigned roles
(none)	`travel-demo-admincentral`
	`travel-demo-editor`
	`travel-demo-tour-editor`
	`imaging-base`
	`security-base`
	`resources-base`
	`workflow-base`

travel-demo-publishers

The travel-demo-publishers group is used to organize the publishers of the sample websites.

Assigned groups	Assigned roles
(none)	`travel-demo-admincentral`
	`travel-demo-publisher`
	`travel-demo-tour-editor`
	`security-base`
	`workflow-base`

travel-demo-tour-editors

The travel-demo-tour-editors group is used to organize editors in the tour apps of the sample websites.

Assigned groups	Assigned roles
(none)	`travel-demo-admincentral`
	`travel-demo-base`
	`travel-demo-tour-editor`
	`security-base`
	`workflow-base`

editors

Assigned groups	Assigned roles
(none)	`editor`
	`workflow-base`

publishers

Assigned groups	Assigned roles
(none)	`publisher`
	`workflow-base`

Users

eric

User eric is an example editor.

Assigned groups	Assigned roles
`travel-demo-editors`	(none)

eric-de

User eric-de is an example German editor.

Assigned groups	Assigned roles
`travel-demo-editors`	(none)

peter

User peter is an example publisher.

Assigned groups	Assigned roles
`travel-demo-publisher`	(none)

tina

User tina is an example tour editor.

Assigned groups	Assigned roles
`travel-demo-tour-editors`	(none)

System users

anonymous (system user)

User anonymous represents a Web visitor.

The anonymous role has different permissions on author and public.

Assigned groups	Assigned roles
(none)	`anonymous`
	`categorization-base`
	`contact-base`
	`forum-pagecomments-user`
	`imaging-base`
	`travel-demo-base`

superuser (system user)

User superuser represents an administrator who has full access to the system.

Assigned groups	Assigned roles
`publishers` (EE)	`superuser`
	`rest`
	`forum_ALL_admin`

Page tree

Default permissions

Roles

anonymous (role, author instance)

anonymous (role, public instance)

superuser (role)

travel-demo-base

travel-demo-admincentral

travel-demo-editor

travel-demo-publisher

travel-demo-tour-editor

editor

publisher

workflow-base

contact-base

imaging-base

resources-base

rest

rss-aggregator-base

scripter

security-base

templater-base

forum_ALL-user

forum_ALL-admin

forum_ALL-moderator

forum-pagecomments-user

Groups

travel-demo-editors

travel-demo-publishers

travel-demo-tour-editors

editors

publishers

Users

eric

eric-de

peter

tina

System users

anonymous (system user)

superuser (system user)