Default permissions

These are the default permissions in Magnolia. You can manage them in the Security app. The default permissions are only an example of how to grant permissions on a typical website; adapt them to match your own organization. App access is configured separately in the app launcher configuration.

Roles

anonymous (role, author instance)

The anonymous role defines the permissions of public, unauthenticated users. Permissions are different on the author and public instances.

Access control lists

Workspace; Permission; Scope; Path
Category; Read only; Selected and sub nodes; /
DAM; Read only; Sub nodes; /
GoogleSitemaps; Read only; Selected and sub nodes; /
Marketing-tags; Read only; Selected and sub nodes; /
Resources; Read only; Sub nodes; /
Website; Deny access; Sub nodes; /

Web access

Permission; Path
Deny; *
Deny; /.magnolia*

anonymous (role, public instance)

Access control lists

Workspace; Permission; Scope; Path
Category; Read only; Selected and sub nodes; /
Dam; Read only; Selected and sub nodes; /
GoogleSitemaps; Read only; Selected and sub nodes; /
Marketing-tags; Read only; Selected and sub nodes; /
Resources; Read only; Sub nodes; /
Website; Read only; Sub nodes; /

Web access

Permission; Path
Get & Post; *
Deny; /.magnolia
Deny; /.magnolia/*
Deny; /travel/members/protected*
Deny; /travel/members/profile-update*
Deny; <travel>/members/protected*
Deny; <travel>/members/profile-update*

superuser (role)

The superuser role provides full access to the system. The permissions are the same on author and public instances.

Access control lists

Workspace; Permission; Scope; Path
AdvancedCache; Read/Write; Sub nodes; /
Category; Read/Write; Sub nodes; /
Config; Read/Write; Sub nodes; /
Contacts; Read/Write; Sub nodes; /
Dam; Read/Write; Sub nodes; /
Dms*; Read/Write; Sub nodes; /
Forum; Read/Write; Sub nodes; /
GoogleSitemaps; Read/Write; Sub nodes; /
Imaging; Read/Write; Sub nodes; /
Keystore; Read/Write; Sub nodes; /
Marketing-tags; Read/Write; Sub nodes; /
Messages; Read/Write; Sub nodes; /
Personas; Read/Write; Sub nodes; /
Profiles; Read/Write; Sub nodes; /
Resources; Read/Write; Sub nodes; /
Rss; Read/Write; Sub nodes; /
Scripts; Read/Write; Sub nodes; /
Segments; Read/Write; Sub nodes; /
Stories; Read/Write; Sub nodes; /
Tags; Read/Write; Sub nodes; /
Tasks; Read/Write; Sub nodes; /
Templates; Read/Write; Sub nodes; /
Tours; Read/Write; Sub nodes; /
Usergroups; Read/Write; Sub nodes; /
Userroles; Read/Write; Sub nodes; /
Users; Read/Write; Sub nodes; /
Website; Read/Write; Sub nodes; /
Workflow (DX Core); Read/Write; Sub nodes; /

Web access

Permission; Path
Get & Post; *

Configured access

Applies to; Name; Path
App; Publishing; /modules/activation/apps/activation/permissions/roles
App; Configuration; /modules/ui-admincentral/apps/configuration/permissions/roles
App; Security; /modules/security-app/apps/security/permissions/roles
App; Security; /modules/security-app/dialogs/role/form/tabs/role/fields/jcrName
App; Mail tools; /modules/mail/apps/mail/permissions/roles
App; Dev tools; /modules/tools/apps/tools/permissions/roles
App; Backup; /modules/backup/apps/backup/permissions/roles
App launcher; Dev group; /modules/ui-admincentral/config/appLauncherLayout/groups/dev/permissions/roles
App launcher; Tools group; /modules/ui-admincentral/config/appLauncherLayout/groups/tools/permissions/roles
Tasks app; Abort action; /modules/workflow/messageViews/publish/actions/abort/availability/access/roles
Tasks app; Archive action; /modules/workflow/messageViews/publish/actions/archive/availability/access/roles

travel-demo-base

These are roles specific to the demo websites. The permissions are the same on author and public instances.

Access control lists

Workspace; Permission; Scope; Path
Category; Read only; Selected and sub nodes; /tour-types
Category; Read only; Selected and sub nodes; /destinations
DAM; Read only; Sub nodes; /
Tours; Read only; Sub nodes; /
Userroles; Read only; Selected; /travel-demo-base

travel-demo-admincentral

These are roles specific to the demo-project example websites. The permissions are the same on author and public instances.

Web access

Permission; Path
Get & Post; *

travel-demo-editor

Access control lists

Workspace; Permission; Scope; Path
Category; Read/Write; Sub nodes; /
Dam; Read/Write; Sub nodes; /
Userroles; Read only; Selected; /travel-demo-editor
Website; Read/Write; Sub nodes; /

Configured access

Applies to; App; Name; Path
App; Assets; ; /modules/dam-app/apps/assets/permissions/roles
Action; Assets; Publish; /modules/dam-app/apps/assets/subApps/browser/actions/activate/availability/access/roles
Action; Pages; Publish; /modules/pages/apps/pages/subApps/browser/actions/activate/availability/access/roles

travel-demo-publisher

Access control lists

Workspace; Permission; Scope; Path
Userroles; Read only; Selected; /travel-demo-publisher
Website; Read/Write; Sub nodes; /

Configured access

Applies to; App; Name; Path
App; Assets; ; /modules/dam-app/apps/assets/permissions/roles
Action; Assets; Publish; /modules/dam-app/apps/assets/subApps/browser/actions/activate/availability/access/roles
Action; Pages; Publish; /modules/pages/apps/pages/subApps/browser/actions/activate/availability/access/roles

travel-demo-tour-editor

Access control lists

Workspace; Permission; Scope; Path
Category; Read only; Selected and sub nodes; /tour-types
Category; Read only; Selected and sub nodes; /destinations
DAM; Read only; Sub nodes; /
Tours; Read only; Sub nodes; /
Userroles; Read only; Selected; /travel-demo-tour-editor

editor

Installed by the workflow module (DX Core). Allows editing content.

Access control lists

Workspace; Permission; Scope; Path
Category; Read/Write; Sub nodes; /
Contacts; Read/Write; Sub nodes; /
Dam; Read/Write; Sub nodes; /
Userroles; Read only; Selected; /editor
Website; Read/Write; Sub nodes; /

Configured access

Applies to; App; Name; Path
Action; Pages; Activate; /modules/pages/apps/pages/subApps/browser/actions/activate/availability/access/roles

publisher

Installed by the workflow module (DX Core). Allows publishing content.

Access control lists

Workspace; Permission; Scope; Path
Category; Read only; Sub nodes; /
Contacts; Read only; Sub nodes; /
Dam; Read only; Sub nodes; /
Userroles; Read only; Selected; /publisher
Website; Read only; Sub nodes; /
Workflow; Read/Write; Sub nodes; /

Configured access

Applies to; App; Name; Path
Action; Pages; Publish; /modules/pages/apps/pages/subApps/browser/actions/activate/availability/access/roles

workflow-base

Base role allowing users to use the workflow workspace (DX Core).

Access control lists

Workspace; Permission; Scope; Path
Workflow; Read/Write; Sub nodes; /
Userroles; Read only; Selected; /workflow-base

contact-base

Access control lists

Workspace; Permission; Scope; Path
Contact; Read only; Sub nodes; /
Userroles; Read only; Selected; /contact-base

imaging-base

Access control lists

Workspace; Permission; Scope; Path
Imaging; Read only; Sub nodes; /
Userroles; Read only; Selected; /imaging-base

resources-base

Access control lists

Workspace; Permission; Scope; Path
Config; Read only; Selected and sub nodes; /modules/resources
Resources; Read/Write; Sub nodes; /
Userroles; Read only; Selected; /resources-base

rest-admin

The superuser account has the rest-admin role by default so you can use superuser to test your requests. However, for production use, you should create a custom REST role. The anonymous role is specifically denied access to the REST endpoints.

Web access

Permission; Path
Get & Post; /.rest/*

Configured access

Applies to; Name; Path
Commands; Delete; /modules/rest-services/rest-endpoints/commands/enabledCommands/markAsDeleted/access/roles
Commands; Publish; /modules/rest-services/rest-endpoints/commands/enabledCommands/activate/access/roles

rest-editor

Web access

Permission; Path
Deny; /.rest*
Get; /.rest/delivery/*
Deny; /.rest/commands*
Deny; /.rest/nodes*
Get & Post; /.rest/nodes/v1/website*
Deny; /.rest/properties*
Get & Post; /.rest/properties/v1/website*
Get & Post; /.rest/cache/v1*

rest-anonymous

Web access

Permission; Path
Deny; /.rest*
Get; /.rest/delivery/*
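
The deny-then-allow layering in the rest-editor and rest-anonymous web access rules, combined with the public anonymous role, as an added example that is not Magnolia code: a small Python check of which requests a rule set lets through. It assumes the longest matching pattern decides and that unmatched paths are denied, which this page does not state; the sample requests are constructed.

```python
import re

DENY, GET, GET_POST = "Deny", "Get", "Get & Post"
METHODS = {DENY: set(), GET: {"GET"}, GET_POST: {"GET", "POST"}}
RANK = {DENY: 0, GET: 1, GET_POST: 2}

# Web access rules copied from the role tables on this page
# (the two <travel> placeholder rows of the anonymous role are left out).
ANONYMOUS_PUBLIC = [
    (GET_POST, "*"), (DENY, "/.magnolia"), (DENY, "/.magnolia/*"),
    (DENY, "/travel/members/protected*"),
    (DENY, "/travel/members/profile-update*"),
]
REST_ANONYMOUS = [(DENY, "/.rest*"), (GET, "/.rest/delivery/*")]
REST_EDITOR = [
    (DENY, "/.rest*"), (GET, "/.rest/delivery/*"),
    (DENY, "/.rest/commands*"), (DENY, "/.rest/nodes*"),
    (GET_POST, "/.rest/nodes/v1/website*"), (DENY, "/.rest/properties*"),
    (GET_POST, "/.rest/properties/v1/website*"), (GET_POST, "/.rest/cache/v1*"),
]

def matches(pattern, path):
    """Treat '*' as 'any run of characters'; everything else is literal."""
    regex = ".*".join(re.escape(part) for part in pattern.split("*"))
    return re.fullmatch(regex, path) is not None

def effective_permission(rules, path):
    """ASSUMED model: longest matching pattern wins, ties go to the more
    permissive rule (worst case for an audit), no match means Deny."""
    hits = [(len(pat), RANK[perm], perm) for perm, pat in rules if matches(pat, path)]
    return max(hits)[2] if hits else DENY

def is_allowed(rules, method, path):
    return method.upper() in METHODS[effective_permission(rules, path)]

def audit(rules, requests):
    """Return (method, path, deciding permission, allowed) per request."""
    return [(m, p, effective_permission(rules, p), is_allowed(rules, m, p))
            for m, p in requests]

if __name__ == "__main__":
    # Constructed sample requests, not taken from the page.
    sample = [("GET", "/travel/about.html"), ("GET", "/.magnolia/admincentral"),
              ("GET", "/.rest/delivery/tours"), ("POST", "/.rest/delivery/tours"),
              ("POST", "/.rest/nodes/v1/website/travel")]
    for name, rules in [("anonymous (public) + rest-anonymous",
                         ANONYMOUS_PUBLIC + REST_ANONYMOUS),
                        ("rest-editor", REST_EDITOR)]:
        print(name)
        for row in audit(rules, sample):
            print("  %-5s %-34s %-10s %s" % row)
```

Running the same audit against a custom REST role before assigning it shows whether a broad allow pattern reopens a path that a shorter Deny pattern was meant to close.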

rest-backup

Web access

Permission; Path
Get & Post; /.rest/commands/v2/backup/backup

Configured access

Applies to; Name; Path
Command; Backup; /modules/rest-services/rest-endpoints/commands/enabledCommands/backup/access/roles

rss-aggregator-base

Access control lists

Workspace; Permission; Scope; Path
Rss; Read only; Sub nodes; /
Userroles; Read only; Selected; /rss-aggregator-base

scripter

Access control lists

Workspace; Permission; Scope; Path
Scripts; Read/Write; Sub nodes; /
Userroles; Read only; Selected; /scripter

Web access

Permission; Path
Get & Post; *

Configured access

Applies to; App; Path
App; Groovy; /modules/groovy/apps/groovy/permissions/roles

security-base

Web access

Permission; Path
Deny; /.magnolia/log4j
Deny; /.rest*

templater-base

Access control lists

Workspace; Permission; Scope; Path
Config; Read only; Selected and sub nodes; /modules/inplace-templating
Templates; Read/Write; Sub nodes; /
Userroles; Read only; Selected; /templater-base

Configured access

Applies to; App; Path
App; Templates; /modules/inplace-templating/apps/inplace-templating/permissions/roles

Groups

Group permissions are the same on author and public instances.

editors

Assigned groups: (none)
Assigned roles: editor, workflow-base

publishers

Assigned groups: (none)
Assigned roles: publisher, workflow-base

travel-demo-pur

The travel-demo-pur group is used to organize the editors of the sample websites.

Assigned groups: (none)
Assigned roles: categorization-base, contact-base, forum-pagecomments-user, imaging-base, travel-demo-base, travel-demo-pur

travel-demo-editors

The travel-demo-editors group is used to organize the editors of the sample websites.

Assigned groups: (none)
Assigned roles: travel-demo-admincentral, travel-demo-editor, travel-demo-tour-editor, imaging-base, security-base, resources-base, workflow-base

travel-demo-publishers

The travel-demo-publishers group is used to organize the publishers of the sample websites.

Assigned groups: (none)
Assigned roles: travel-demo-admincentral, travel-demo-publisher, travel-demo-tour-editor, security-base, workflow-base

travel-demo-tour-editors

The travel-demo-tour-editors group is used to organize editors in the tour apps of the sample websites.

Assigned groups: (none)
Assigned roles: travel-demo-admincentral, travel-demo-base, travel-demo-tour-editor, security-base, workflow-base

Users

eric

User eric is an example editor.

Assigned groups: travel-demo-editors
Assigned roles: (none)

eric-de

User eric-de is an example German editor.

Assigned groups: travel-demo-editors
Assigned roles: (none)

peter

User peter is an example publisher.

Assigned groups: travel-demo-publisher
Assigned roles: (none)

tina

User tina is an example tour editor.

Assigned groups: travel-demo-tour-editors
Assigned roles: (none)

System users

anonymous (system user)

User anonymous represents a Web visitor.

Warning: The anonymous role has different permissions on author and public.

Assigned groups: (none)
Assigned roles: anonymous, categorization-base, contact-base, forum-pagecomments-user, imaging-base, rest-anonymous, travel-demo-base

superuser (system user)

User superuser represents an administrator who has full access to the system.

Assigned groups: publishers (DX Core)
Assigned roles: superuser, rest-admin, forum_ALL_admin
