Page tree
Skip to end of metadata
Go to start of metadata

The Security app is used to manage access in the system by administering users, user groups and user roles. Magnolia's built-in access management system authenticates users in order to determine who is using the system and provides them with the means to sign into applications. It also authorizes users, ensuring that they have the required permissions to do the actions such as editing pages. You can access the Security app via Set up > Security.


Users, System users and Public users

Use the subapps called Users, System users and Public users to manage the different types of users. For all these users you can:

  • Edit User info such as user name, password, full name, e-mail and language.
  • Assign the user to groups.
  • Assign roles to the user.

The configuration user data is stored in the users workspace below these paths:

System users/system
Public users/public

For further details please refer to Editing user permissions on the Users page.


Users with similar privileges are grouped together. The purpose of a group is to define the settings for the group as whole rather than for each individual user. Permissions that apply to the group are inherited by its users. 

By assigning a role to a group, all users in the group inherit the permissions associated with the role. You do not have to assign the users with the role individually.

Similarly, by assigning groups to the current group, all users in the current group inherit the roles and the permissions granted to the groups being assigned to the current group.

See Groups for further information.


A role is a function a user performs either in the management of Magnolia or as a visitor of a Magnolia website. It reflects the actions and activities assigned to, required or expected of a user. Specific permissions are granted to enable the functions of a role.

For example, the editor role is responsible for editing content displayed on the site. Permissions granted to this role allow the user to edit the content and submit it for review. The publisher role on the other hand is tasked with reviewing the content and publishing it from the author instance to the public instance(s).

Roles have JCR Access Control Lists (ACLs) and Web access permissions. For both the JCR content and Web access you can define multiple ACLs per role.

Please read Roles and access control lists carefully to understand how to configure ACLs per role.


The Tools subapp lets you query groups and permissions associated to a given user. The supapp is useful for permission reporting, auditing and troubleshooting why users cannot access the resources they should be able to.

Use the subapp's tabs to display:

  • Permissions: Groups, roles and permissions for any user.
  • Group members: Users assigned to the current group or its transitive groups.
  • Role assignments: Users or groups assigned with any role.


The Security app is installed by the Security App module. The app is based on the content app framework and it's configuration is typical of any content app. The framework is extended to provide the required additional functionality.

The app is configured in /modules/security-app/apps/security and comes with the users, systemUsers, groups, roles , tools and public subapps. The public subapp is installed and configured by the Public User Registration module. Permission to access the subapps is limited to the users assigned with the superuser role.

Node name




















The subapps operate on the following workspaces:


Node types

The Security app module registers the following custom node types in the subapp configurations. The subapps operate on these nodes types and on mgnl:folder.

SubappNode type