Page tree
Skip to end of metadata
Go to start of metadata

These are default permissions in Magnolia. You can manage them in the Security app. The default permissions are just an example how to grant permissions in a typical website. You should adapt the permissions to match your own organization. App access is configured separately in the app launcher configuration.


Roles

anonymous (role, author instance)

The anonymous role defines the permissions of public, unauthenticated users. Permissions are different on the author and public instances.

Access control lists

WorkspacePermissionScopePath
CategoryRead onlySelected and sub nodes/
DAMRead onlySub nodes/
GoogleSitemapsRead onlySelected and sub nodes/
Marketing-tagsRead onlySelected and sub nodes/
ResourcesRead onlySub nodes/
WebsiteDeny accessSub nodes/

Web access

PermissionPath
Deny*
Deny/.magnolia*

anonymous (role, public instance)

Access control lists

WorkspacePermissionScopePath
CategoryRead onlySelected and sub nodes/
DamRead onlySelected and sub nodes/
GoogleSitemapsRead onlySelected and sub nodes/
Marketing-tagsRead onlySelected and sub nodes/
ResourcesRead onlySub nodes/
WebsiteRead onlySub nodes/

Web access

PermissionPath
Get & Post*
Deny/.magnolia
Deny/.magnolia/*
Deny/travel/members/protected*
Deny/travel/members/profile-update*
Deny<travel>/members/protected*
Deny<travel>/members/profile-update*

superuser (role)

The superuser role provides full access to the system. The permissions are the same on author and public instances.

Access control lists

WorkspacePermissionScopePath
AdvancedCacheRead/WriteSub nodes/
CategoryRead/WriteSub nodes/
ConfigRead/WriteSub nodes/
ContactsRead/WriteSub nodes/
DamRead/WriteSub nodes/
Dms*Read/WriteSub nodes/
ForumRead/WriteSub nodes/
GoogleSitemapsRead/WriteSub nodes/
ImagingRead/WriteSub nodes/
KeystoreRead/WriteSub nodes/
Marketing-tagsRead/WriteSub nodes/
MessagesRead/WriteSub nodes/
PersonasRead/WriteSub nodes/
ProfilesRead/WriteSub nodes/
ResourcesRead/WriteSub nodes/
RssRead/WriteSub nodes/
ScriptsRead/WriteSub nodes/
SegmentsRead/WriteSub nodes/
StoriesRead/WriteSub nodes/
TagsRead/WriteSub nodes/
TasksRead/WriteSub nodes/
TemplatesRead/WriteSub nodes/
ToursRead/WriteSub nodes/
UsergroupsRead/WriteSub nodes/
UserrolesRead/WriteSub nodes/
UsersRead/WriteSub nodes/
WebsiteRead/WriteSub nodes/
Workflow (EE)Read/WriteSub nodes/

Web access

PermissionPath
Get & Post*

Configured access

Applies toNamePath
AppActivation/modules/activation/apps/activation/permissions/roles

Configuration/modules/ui-admincentral/apps/configuration/permissions/roles

Security/modules/security-app/apps/security/permissions/roles

Security/modules/security-app/dialogs/role/form/tabs/role/fields/jcrName

Mail tools/modules/mail/apps/mail/permissions/roles

Dev tools/modules/tools/apps/tools/permissions/roles

Backup/modules/backup/apps/backup/permissions/roles
App launcherDev group/modules/ui-admincentral/config/appLauncherLayout/groups/dev/permissions/roles

Tools group/modules/ui-admincentral/config/appLauncherLayout/groups/tools/permissions/roles
PulseAbort action
/modules/workflow/messageViews/publish/actions/abort/availability/access/roles

Archive action/modules/workflow/messageViews/publish/actions/archive/availability/access/roles

travel-demo-base

These are roles specific to the demo websites. The permissions are the same on author and public instances.

Access control lists

WorkspacePermissionScopePath
Category

Read only

Read only

Selected and sub nodes

Selected and sub nodes

/tour-types

/destinations

DamRead onlySub nodes/
ToursRead onlySub nodes/
UserrolesRead onlySelected /travel-demo-base

travel-demo-admincentral

These are roles specific to the demo-project example websites. The permissions are the same on author and public instances.

Web access

PermissionPath
Get & Post*

travel-demo-editor

Access control lists

WorkspacePermissionScopePath
CategoryRead/WriteSub nodes/
DamRead/WriteSub nodes/
UserrolesRead onlySelected /travel-demo-editor
WebsiteRead/WriteSub nodes/

Configured access

Applies toAppNamePath
AppAssets
/modules/dam-app/apps/assets/permissions/roles
ActionAssetsActivate/modules/dam-app/apps/assets/subApps/browser/actions/activate/availability/access/roles
ActionPagesActivate/modules/pages/apps/pages/subApps/browser/actions/activate/availability/access/roles

travel-demo-publisher

Access control lists

WorkspacePermissionScopePath
UserrolesRead onlySelected/travel-demo-publisher
WebsiteRead/WriteSub nodes/

Configured access

Applies toAppNamePath
AppAssets
/modules/dam-app/apps/assets/permissions/roles
ActionAssetsActivate/modules/dam-app/apps/assets/subApps/browser/actions/activate/availability/access/roles
ActionPagesActivate/modules/pages/apps/pages/subApps/browser/actions/activate/availability/access/roles

travel-demo-tour-editor

Access control lists

WorkspacePermissionScopePath
Category

Read/Write

Read/Write

Selected and sub nodes

Selected and sub nodes

/tour-types

/destinations

DamRead/WriteSub nodes/
ToursRead/WriteSub nodes/
UserrolesRead onlySelected/travel-demo-tour-editor

editor

Installed by the workflow module (EE). Allows editing content.

Access control lists

WorkspacePermissionScopePath
CategoryRead/WriteSub nodes/
ContactsRead/WriteSub nodes/
DamRead/WriteSub nodes/
UserrolesRead onlySelected/editor
WebsiteRead/WriteSub nodes/

Configured access

Applies toAppNamePath
ActionPagesActivate/modules/pages/apps/pages/subApps/browser/actions/activate/availability/access/roles

publisher

Installed by the workflow module (EE). Allows publishing content.

Access control lists

WorkspacePermissionScopePath
CategoryRead onlySub nodes/
ContactsRead onlySub nodes/
DamRead onlySub nodes/
UserrolesRead onlySelected/publisher
WebsiteRead onlySub nodes/
WorkflowRead/WriteSub nodes/

Configured access

Applies toAppNamePath
ActionPagesActivate/modules/pages/apps/pages/subApps/browser/actions/activate/availability/access/roles

workflow-base

Base role allowing users to use the workflow workspace (EE).

Access control lists

WorkspacePermissionScopePath
WorkflowRead/WriteSub nodes/
UserrolesRead onlySelected/workflow-base

contact-base

Access control lists

WorkspacePermissionScopePath
ContactRead onlySub nodes/
UserrolesRead onlySelected/contact-base

imaging-base

Access control lists

WorkspacePermissionScopePath
ImagingRead onlySub nodes/
UserrolesRead onlySelected/imaging-base

resources-base

Access control lists

WorkspacePermissionScopePath
Config

Read only

Selected and sub nodes

/modules/resources

ResourcesRead/WriteSub nodes/
UserrolesRead onlySelected/resources-base

rest-admin

Web access

Permission

Path

Get & Post

/.rest/*

Configured access

Applies to

Name

Path

Commands

Delete

/modules/rest-services/rest-endpoints/commands/enabledCommands/markAsDeleted/access/roles


Activate

/modules/rest-services/rest-endpoints/commands/enabledCommands/activate/access/roles

rest-editor

Web access

Permission

Path

Deny

/.rest*

Get/.rest/delivery/*

Deny

/.rest/commands*

Deny

/.rest/nodes*

Get & Post

/.rest/nodes/v1/website*

Deny

/.rest/properties*

Get & Post

/.rest/properties/v1/website*

Get & Post

/.rest/cache/v1*

rest-anonymous

Web access

Permission

Path

Deny

/.rest*

Get

/.rest/delivery/*

rest-backup

Web access

Permission

Path

Get & Post

/.rest/commands/v2/backup/backup

Configured access

Applies to

Name

Path

Command

Backup

/modules/rest-services/rest-endpoints/commands/enabledCommands/backup/access/roles

rss-aggregator-base

Access control lists

WorkspacePermissionScopePath
RssRead-onlySub nodes/
UserrolesRead onlySelected/rss-aggregator-base

scripter

Access control lists

WorkspacePermissionScopePath
ScriptsRead/WriteSub nodes/
UserrolesRead onlySelected/scripter

Web access

PermissionPath
Get & Post*

Configured access

Applies toAppPath
AppGroovy/modules/groovy/apps/groovy/permissions/roles

security-base

Web access

PermissionPath
Deny/.magnolia/log4j
Deny/.rest*

templater-base

Access control lists

WorkspacePermissionScopePath
ConfigRead-onlySelected and sub nodes/modules/inplace-templating
TemplatesRead/WriteSub nodes/
UserrolesRead onlySelected/templater-base

Configured access

Applies toAppPath
AppTemplates/modules/inplace-templating/apps/inplace-templating/permissions/roles

Groups

Group permissions are the same on author and public instances.

editors

Assigned groupsAssigned roles
(none)editor

workflow-base

publishers

Assigned groupsAssigned roles
(none)publisher

workflow-base

travel-demo-pur

The travel-demo-pur group is used to organize the editors of the sample websites.

Assigned groupsAssigned roles
 (none) categorization-base

contact-base

forum-pagecomments-user

imaging-base

travel-demo-base

travel-demo-pur

travel-demo-editors

The travel-demo-editors group is used to organize the editors of the sample websites.

Assigned groupsAssigned roles
(none)travel-demo-admincentral

travel-demo-editor

travel-demo-tour-editor

imaging-base

security-base

resources-base

workflow-base

travel-demo-publishers

The travel-demo-publishers group is used to organize the publishers of the sample websites.

Assigned groupsAssigned roles
(none)travel-demo-admincentral

travel-demo-publisher

travel-demo-tour-editor

security-base

workflow-base

travel-demo-tour-editors

The travel-demo-tour-editors group is used to organize editors in the tour apps of the sample websites.

Assigned groupsAssigned roles
(none)travel-demo-admincentral

travel-demo-base

travel-demo-tour-editor

security-base

workflow-base

Users

eric

User eric is an example editor.

Assigned groupsAssigned roles
travel-demo-editors(none)

eric-de

User eric-de is an example German editor.

Assigned groupsAssigned roles
travel-demo-editors
(none)

peter

User peter is an example publisher.

Assigned groupsAssigned roles
travel-demo-publisher
(none)

tina

User tina is an example tour editor.

Assigned groupsAssigned roles
travel-demo-tour-editors(none)

System users

anonymous (system user)

User anonymous represents a Web visitor.

(warning) The anonymous role has different permissions on author and public.

Assigned groupsAssigned roles
(none)anonymous

categorization-base

contact-base

forum-pagecomments-user

imaging-base

rest-anonymous

travel-demo-base

superuser (system user)

User superuser represents an administrator who has full access to the system.

Assigned groupsAssigned roles
publishers (EE) superuser

rest-admin

forum_ALL_admin