Magnolia 5.7 reached extended end of life on May 31, 2022. Support for this branch is limited, see End-of-life policy. Please note that to cover the extra maintenance effort, this EEoL period is a paid extension in the life of the branch. Customers who opt for the extended maintenance will need a new license key to run future versions of Magnolia 5.7. If you have any questions or to subscribe to the extended maintenance, please get in touch with your local contact at Magnolia.

You can control app access by specifying a role. Members of the role can see the app in the launcher and can start the app. With this mechanism you can provision an entire group of apps in one go or individual apps. You should provision apps only to users who actually need them. This ensures that the app launcher stays clean and users find apps quickly.

Here is a comparison what superuser and editor roles see in the app launcher. The editor role only sees apps that are necessary for his work.

  

Granting permissions to an app group 

An app group contains apps that have something in common, grouped together in the App launcher. For example, the Edit group contains the Pages, Assets and Contacts apps. Each app in the group covers specific duties in content management.

To grant permission to app group:

  1. Create a permissions node under the group in the app launcher layout.
  2. List the permitted roles as properties.

Example: The Tools group is provisioned to the superuser role only.

Node nameValue

 modules


 ui-admincentral


 config


 appLauncherLayout


 groups


 tools


 permissions


 roles


 superuser

superuser

If the role doesn't exist, create it first in the Security app. If you need a role just for the purpose of provisioning apps, an "empty" role is enough. The role does not need any ACLs or permissions to site URLs. To grant additional users access, assign them to the role. You can add as many role properties as you need.

Best practice

Create a new app group for your own apps, especially if you have multiple apps. This approach is better than placing your apps in the native Magnolia groups. A dedicated group gives your organization's apps an identity and makes them instantly recognizable. Remember to choose a safe app group color.

Advanced example: Use voters to include and exclude groups in a flexible way. The info.magnolia.voting.voters.RoleBaseVoter class checks if the current user has access permissions by comparing user roles and configured roles. The configured roles can be allowed or denied.

This example denies (not=true) permission to the travel-demo-admincentral role. This saves the effort of listing all roles that are permitted.

Node nameValue

 permissions


 voters


 deniedRoles


 roles


 travel-demo-admincentral

travel-demo-admincentral

 class

info.magnolia.voting.voters.RoleBaseVoter

 not

true

 class

info.magnolia.cms.security.operations.VoterBasedConfiguredAccessDefinition

Granting permissions to an app

To grant permission to an app:

  1. Create a permissions node under the app descriptor.
  2. List the permitted roles as properties.

Example: The Groovy app is provisioned to the scripter role only.

Node nameValue

 modules


 groovy


 apps


 groovy


 permissions


 roles


 scripter

scripter

Best practice

Provision apps only to users who actually need them. This ensures that the app launcher stays uncluttered and users find apps quickly.

Configuring action availability

Action availability is the lowest level of app access you can configure by role. Actions define what a user can do with the app.

You can configure action availability at two levels:

Action availability is provided by  ConfiguredAvailabilityDefinition . The node names are different from those used in granting permissions to apps and app groups.

In this example the Publish deletion action is granted only to superuser and demo-project-publisher roles.

Node nameValue
 modules

 pages


 apps


 pages


 subapps


 browser


 actions


 activateDeletion


 availability


 access


 roles


 demo-publisher

demo-project-publisher

 superuser

superuser