Page tree
Skip to end of metadata
Go to start of metadata

The default permissions set up in the Security app demonstrate how to assign roles, ACLs and web access in a typical scenario. These permissions are complemented by configured app access

The Security app allows you to view a comprehensive list of permissions assigned to any user or group at any point in time. If you need to revert to the default permissions for any reason, you can access them online in the demo site in the Tools tab of the Security app.

The tables below show default permissions, role and group assignments, and configured access permissions. 

Roles

anonymous (role, author instance)

The anonymous role defines the permissions of public, unauthenticated users. Permissions are different on the author and public instances.

Access control lists

WorkspacePermissionScopePath
CategoryRead onlySelected and sub nodes/
DAMRead onlySub nodes/
GoogleSitemapsRead onlySelected and sub nodes/
Marketing-tagsRead onlySelected and sub nodes/
ResourcesRead onlySub nodes/
WebsiteDeny accessSub nodes/

Web access

PermissionPath
Deny*
Deny/.magnolia*

anonymous (role, public instance)

Access control lists

WorkspacePermissionScopePath
CategoryRead onlySelected and sub nodes/
DamRead onlySelected and sub nodes/
GoogleSitemapsRead onlySelected and sub nodes/
Marketing-tagsRead onlySelected and sub nodes/
ResourcesRead onlySub nodes/
WebsiteRead onlySub nodes/

Web access

PermissionPath
Get & Post*
Deny/.magnolia
Deny/.magnolia/*
Deny/travel/members/protected*
Deny/travel/members/profile-update*
Deny<travel>/members/protected*
Deny<travel>/members/profile-update*

superuser (role)

The superuser role provides full access to the system. The permissions are the same on author and public instances.

Access control lists

WorkspacePermissionScopePath
AdvancedCacheRead/WriteSub nodes/
CategoryRead/WriteSub nodes/
ConfigRead/WriteSub nodes/
ContactsRead/WriteSub nodes/
DamRead/WriteSub nodes/
Dms*Read/WriteSub nodes/
ForumRead/WriteSub nodes/
GoogleSitemapsRead/WriteSub nodes/
ImagingRead/WriteSub nodes/
KeystoreRead/WriteSub nodes/
Marketing-tagsRead/WriteSub nodes/
MessagesRead/WriteSub nodes/
PersonasRead/WriteSub nodes/
ProfilesRead/WriteSub nodes/
ResourcesRead/WriteSub nodes/
RssRead/WriteSub nodes/
ScriptsRead/WriteSub nodes/
SegmentsRead/WriteSub nodes/
StoriesRead/WriteSub nodes/
TagsRead/WriteSub nodes/
TasksRead/WriteSub nodes/
TemplatesRead/WriteSub nodes/
ToursRead/WriteSub nodes/
UsergroupsRead/WriteSub nodes/
UserrolesRead/WriteSub nodes/
UsersRead/WriteSub nodes/
WebsiteRead/WriteSub nodes/
Workflow (EE)Read/WriteSub nodes/

Web access

PermissionPath
Get & Post*

Configured access

Applies toNamePath
AppActivation/modules/activation/apps/activation/permissions/roles
 Configuration/modules/ui-admincentral/apps/configuration/permissions/roles
 Security/modules/security-app/apps/security/permissions/roles
 Security/modules/security-app/dialogs/role/form/tabs/role/fields/jcrName
 Mail tools/modules/mail/apps/mail/permissions/roles
 Dev tools/modules/tools/apps/tools/permissions/roles
 Backup/modules/backup/apps/backup/permissions/roles
App launcherDev group/modules/ui-admincentral/config/appLauncherLayout/groups/dev/permissions/roles
 Tools group/modules/ui-admincentral/config/appLauncherLayout/groups/tools/permissions/roles
PulseAbort action
/modules/workflow/messageViews/publish/actions/abort/availability/access/roles
 Archive action/modules/workflow/messageViews/publish/actions/archive/availability/access/roles

travel-demo-base

These are roles specific to the demo websites. The permissions are the same on author and public instances.

Access control lists

WorkspacePermissionScopePath
Category

Read only

Read only

Selected and sub nodes

Selected and sub nodes

/tour-types

/destinations

DamRead onlySub nodes/
ToursRead onlySub nodes/
UserrolesRead onlySelected /travel-demo-base

travel-demo-admincentral

These are roles specific to the demo-project example websites. The permissions are the same on author and public instances.

Web access

PermissionPath
Get & Post*

travel-demo-editor

Access control lists

WorkspacePermissionScopePath
CategoryRead/WriteSub nodes/
DamRead/WriteSub nodes/
UserrolesRead onlySelected /travel-demo-editor
WebsiteRead/WriteSub nodes/

Configured access

Applies toAppNamePath
AppAssets /modules/dam-app/apps/assets/permissions/roles
ActionAssetsActivate/modules/dam-app/apps/assets/subApps/browser/actions/activate/availability/access/roles
ActionPagesActivate/modules/pages/apps/pages/subApps/browser/actions/activate/availability/access/roles

travel-demo-publisher

Access control lists

WorkspacePermissionScopePath
UserrolesRead onlySelected/travel-demo-publisher
WebsiteRead/WriteSub nodes/

Configured access

Applies toAppNamePath
AppAssets /modules/dam-app/apps/assets/permissions/roles
ActionAssetsActivate/modules/dam-app/apps/assets/subApps/browser/actions/activate/availability/access/roles
ActionPagesActivate/modules/pages/apps/pages/subApps/browser/actions/activate/availability/access/roles

travel-demo-tour-editor

Access control lists

WorkspacePermissionScopePath
Category

Read/Write

Read/Write

Selected and sub nodes

Selected and sub nodes

/tour-types

/destinations

DamRead/WriteSub nodes/
ToursRead/WriteSub nodes/
UserrolesRead onlySelected/travel-demo-tour-editor

editor

Installed by the workflow module (EE). Allows editing content.

Access control lists

WorkspacePermissionScopePath
CategoryRead/WriteSub nodes/
ContactsRead/WriteSub nodes/
DamRead/WriteSub nodes/
UserrolesRead onlySelected/editor
WebsiteRead/WriteSub nodes/

Configured access

Applies toAppNamePath
ActionPagesActivate/modules/pages/apps/pages/subApps/browser/actions/activate/availability/access/roles

publisher

Installed by the workflow module (EE). Allows publishing content.

Access control lists

WorkspacePermissionScopePath
CategoryRead onlySub nodes/
ContactsRead onlySub nodes/
DamRead onlySub nodes/
UserrolesRead onlySelected/publisher
WebsiteRead onlySub nodes/
WorkflowRead/WriteSub nodes/

Configured access

Applies toAppNamePath
ActionPagesActivate/modules/pages/apps/pages/subApps/browser/actions/activate/availability/access/roles

workflow-base

Base role allowing users to use the workflow workspace (EE).

Access control lists

WorkspacePermissionScopePath
WorkflowRead/WriteSub nodes/
UserrolesRead onlySelected/workflow-base

contact-base

Access control lists

WorkspacePermissionScopePath
ContactRead onlySub nodes/
UserrolesRead onlySelected/contact-base

imaging-base

Access control lists

WorkspacePermissionScopePath
ImagingRead onlySub nodes/
UserrolesRead onlySelected/imaging-base

resources-base

Access control lists

WorkspacePermissionScopePath
Config

Read only

Selected and sub nodes

/modules/resources

ResourcesRead/WriteSub nodes/
UserrolesRead onlySelected/resources-base


rest-admin

Web access

Permission

Path

Get & Post

/.rest/*

Configured access

Applies to

Name

Path

Commands

Delete

/modules/rest-services/rest-endpoints/commands/enabledCommands/markAsDeleted/access/roles

 

Activate

/modules/rest-services/rest-endpoints/commands/enabledCommands/activate/access/roles

rest-editor

Web access

Permission

Path

Deny

/.rest*

Get/.rest/delivery/*

Deny

/.rest/commands*

Deny

/.rest/nodes*

Get & Post

/.rest/nodes/v1/website*

Deny

/.rest/properties*

Get & Post

/.rest/properties/v1/website*

Get & Post

/.rest/cache/v1*

rest-anonymous

Web access

Permission

Path

Deny

/.rest*

Get

/.rest/delivery/*

rest-backup

Web access

Permission

Path

Get & Post

/.rest/commands/v2/backup/backup

Configured access

Applies to

Name

Path

Command

Backup

/modules/rest-services/rest-endpoints/commands/enabledCommands/backup/access/roles

rss-aggregator-base

Access control lists

WorkspacePermissionScopePath
RssRead-onlySub nodes/
UserrolesRead onlySelected/rss-aggregator-base

scripter

Access control lists

WorkspacePermissionScopePath
ScriptsRead/WriteSub nodes/
UserrolesRead onlySelected/scripter

Web access

PermissionPath
Get & Post*

Configured access

Applies toAppPath
AppGroovy/modules/groovy/apps/groovy/permissions/roles

security-base

Web access

PermissionPath
Deny/.magnolia/log4j
Deny/.rest*

templater-base

Access control lists

WorkspacePermissionScopePath
ConfigRead-onlySelected and sub nodes/modules/inplace-templating
TemplatesRead/WriteSub nodes/
UserrolesRead onlySelected/templater-base

Configured access

Applies toAppPath
AppTemplates/modules/inplace-templating/apps/inplace-templating/permissions/roles

forum_ALL-user

Role that allows posting in all forums.

Access control lists

WorkspacePermissionScopePath
ForumRead/WriteSub nodes/
UserrolesRead onlySelected/forum_ALL-user

forum_ALL-admin

Role which gives administration permissions on ALL forums

Access control lists

WorkspacePermissionScopePath
ForumRead/WriteSub nodes/
UserrolesRead onlySelected/forum_ALL-admin


Configured access

Applies toAppNamePath
AppForum 
/modules/forum/apps/forum/permissions/roles
ActionsForumAdd forum/modules/forum/apps/forum/subApps/browser/actions/addForum/availability/access/roles
  Edit forum/modules/forum/apps/forum/subApps/browser/actions/editForum/availability/access/roles
  Delete forum/modules/forum/apps/forum/subApps/browser/actions/deleteForum/availability/access/roles
  Confirm delete/modules/forum/apps/forum/subApps/browser/actions/confirmDeleteForum/availability/access/roles

forum_ALL-moderator

Role which gives moderation permissions on ALL forums

Access control lists

WorkspacePermissionScopePath
ForumRead/WriteSub nodes/
UserrolesRead onlySelected/forum_ALL-moderator

Configured access

Applies toAppPath
AppForum
/modules/forum/apps/forum/permissions/roles

forum-pagecomments-user

Role which gives commenting permissions.

WorkspacePermissionScopePath
ForumRead/WriteSelected and sub nodes/pagecomments
UserrolesRead onlySelected/forum-pagecomments-user

Groups

Group permissions are the same on author and public instances.

editors

Assigned groupsAssigned roles
(none)editor
 workflow-base

publishers

Assigned groupsAssigned roles
(none)publisher
 workflow-base

travel-demo-pur

The travel-demo-pur group is used to organize the editors of the sample websites.

Assigned groupsAssigned roles
 (none) categorization-base

contact-base

forum-pagecomments-user

imaging-base

travel-demo-base
 travel-demo-pur

travel-demo-editors

The travel-demo-editors group is used to organize the editors of the sample websites.

Assigned groupsAssigned roles
(none)travel-demo-admincentral
 travel-demo-editor
 travel-demo-tour-editor
 imaging-base
 security-base
 resources-base
 workflow-base

travel-demo-publishers

The travel-demo-publishers group is used to organize the publishers of the sample websites.

Assigned groupsAssigned roles
(none)travel-demo-admincentral
 travel-demo-publisher
 travel-demo-tour-editor
 security-base
 workflow-base

travel-demo-tour-editors

The travel-demo-tour-editors group is used to organize editors in the tour apps of the sample websites.

Assigned groupsAssigned roles
(none)travel-demo-admincentral
 travel-demo-base
 travel-demo-tour-editor
 security-base
 workflow-base

Users

eric

User eric is an example editor.

Assigned groupsAssigned roles
travel-demo-editors(none)

eric-de

User eric-de is an example German editor.

Assigned groupsAssigned roles
travel-demo-editors
(none)

peter

User peter is an example publisher.

Assigned groupsAssigned roles
travel-demo-publisher
(none)

tina

User tina is an example tour editor.

Assigned groupsAssigned roles
travel-demo-tour-editors(none)

System users

anonymous (system user)

User anonymous represents a Web visitor.

(warning) The anonymous role has different permissions on author and public.

Assigned groupsAssigned roles
(none)anonymous
 categorization-base
 contact-base
 forum-pagecomments-user
 imaging-base

rest-anonymous
 travel-demo-base

superuser (system user)

User superuser represents an administrator who has full access to the system.

Assigned groupsAssigned roles
publishers (EE) superuser
 rest-admin
 forum_ALL_admin