Default permissions

These are default permissions in Magnolia. You can manage them in the Security app. The default permissions are just an example how to grant permissions in a typical website. You should adapt the permissions to match your own organization. App permissions are configured in the app launcher configuration.

Roles

anonymous role - author instance

The anonymous role defines the permissions of public, unauthenticated users. Permissions are different on the author and public instances.

Table 1. Access control lists
Workspace Permission Scope Path

Category

Read only

Selected and sub nodes

/

DAM

Read only

Sub nodes

/

GoogleSitemaps

Read only

Selected and sub nodes

/

Marketing-tags

Read only

Selected and sub nodes

/

Resources

Read only

Sub nodes

/

Website

Deny access

Sub nodes

/
Table 2. Web access
Permission Path

Deny

*

Deny

/.magnolia*

anonymous role - public instance

Table 3. Access control lists
Workspace Permission Scope Path

Category

Read only

Selected and sub nodes

/

Dam

Read only

Selected and sub nodes

/

GoogleSitemaps

Read only

Selected and sub nodes

/

Marketing-tags

Read only

Selected and sub nodes

/

Resources

Read only

Sub nodes

/

Website

Read only

Sub nodes

/
Table 4. Web access
Permission Path

Get & Post

*

Deny

/.magnolia

Deny

/.magnolia/*

Deny

/travel/members/protected*

Deny

/travel/members/profile-update*

Deny

<travel>/members/protected*

Deny

<travel>/members/profile-update*

superuser role

The superuser role provides full access to the system. The permissions are the same on both author and public instances.

Table 5. Access control lists
Workspace Permission Scope Path

AdvancedCache

Read/Write

Sub nodes

/

Category

Read/Write

Sub nodes

/

Config

Read/Write

Sub nodes

/

Contacts

Read/Write

Sub nodes

/

Dam

Read/Write

Sub nodes

/

Dms*

Read/Write

Sub nodes

/

Forum

Read/Write

Sub nodes

/

GoogleSitemaps

Read/Write

Sub nodes

/

Imaging

Read/Write

Sub nodes

/

Keystore

Read/Write

Sub nodes

/

Marketing-tags

Read/Write

Sub nodes

/

Messages

Read/Write

Sub nodes

/

Personas

Read/Write

Sub nodes

/

Profiles

Read/Write

Sub nodes

/

Resources

Read/Write

Sub nodes

/

Rss

Read/Write

Sub nodes

/

Scripts

Read/Write

Sub nodes

/

Segments

Read/Write

Sub nodes

/

Stories

Read/Write

Sub nodes

/

Tags

Read/Write

Sub nodes

/

Tasks

Read/Write

Sub nodes

/

Templates

Read/Write

Sub nodes

/

Tours

Read/Write

Sub nodes

/

Usergroups

Read/Write

Sub nodes

/

Userroles

Read/Write

Sub nodes

/

Users

Read/Write

Sub nodes

/

Website

Read/Write

Sub nodes

/

Workflow (DX Core)

Read/Write

Sub nodes

/
Table 6. Web access
Permission Path

Get & Post

*
Table 7. Configured access
Applies to Name Path

App

Publishing

/modules/activation/apps/activation/permissions/roles

Configuration

/modules/ui-admincentral/apps/configuration/permissions/roles

Security

/modules/security-app/apps/security/permissions/roles

Security

/modules/security-app/dialogs/role/form/tabs/role/fields/jcrName

Mail tools

/modules/mail/apps/mail/permissions/roles

Dev tools

/modules/tools/apps/tools/permissions/roles

Backup

/modules/backup/apps/backup/permissions/roles

App launcher

Dev group

/modules/ui-admincentral/config/appLauncherLayout/groups/dev/permissions/roles

Tools group

/modules/ui-admincentral/config/appLauncherLayout/groups/tools/permissions/roles

Tasks app

Abort action

/modules/workflow/messageViews/publish/actions/abort/availability/access/roles

Archive action

/modules/workflow/messageViews/publish/actions/archive/availability/access/roles

travel-demo-base role

The travel-demo-base role is specific to the demo website. The permissions are the same on both author and public instances.

Table 8. Access control lists
Workspace Permission Scope Path

Category

Read only

Selected and sub nodes

/tour-types /destinations

Dam

Read only

Sub nodes

/

Tours

Read only

Sub nodes

/

Userroles

Read only

Selected

/travel-demo-base

travel-demo-admincentral role

The travel-demo-admincentral role is specific to the demo-project example websites. The permissions are the same on both author and public instances.

Table 9. Web access
Permission Path

Get & Post

*

travel-demo-editor role

Table 10. Access control lists
Workspace Permission Scope Path

Category

Read/Write

Sub nodes

/

Dam

Read/Write

Sub nodes

/

Userroles

Read only

Selected

/travel-demo-editor

Website

Read/Write

Sub nodes

/
Table 11. Configured access
Applies to App Name Path

App

Assets

/modules/dam-app/apps/assets/permissions/roles

Action

Assets

Publish

/modules/dam-app/apps/assets/subApps/browser/actions/activate/availability/access/roles

Action

Pages

Publish

/modules/pages/apps/pages/subApps/browser/actions/activate/availability/access/roles

travel-demo-publisher role

Table 12. Access control lists
Workspace Permission Scope Path

Userroles

Read only

Selected

/travel-demo-publisher

Website

Read/Write

Sub nodes

/
Table 13. Configured access
Applies to App Name Path

App

Assets

/modules/dam-app/apps/assets/permissions/roles

Action

Assets

Publish

/modules/dam-app/apps/assets/subApps/browser/actions/activate/availability/access/roles

Action

Pages

Publish

/modules/pages/apps/pages/subApps/browser/actions/activate/availability/access/roles

travel-demo-tour-editor role

Table 14. Access control lists
Workspace Permission Scope Path

Category

Read only

Selected and sub nodes

/tour-types

/destinations

Dam

Read only

Sub nodes

/

Tours

Read only

Sub nodes

/

Userroles

Read only

Selected

/travel-demo-tour-editor

editor role

Installed by the workflow module (DX Core). Allows editing of content.

Table 15. Access control lists
Workspace Permission Scope Path

Category

Read/Write

Sub nodes

/

Contacts

Read/Write

Sub nodes

/

Dam

Read/Write

Sub nodes

/

Userroles

Read only

Selected

/editor

Website

Read/Write

Sub nodes

/
Table 16. Configured access
Applies to App Name Path

Action

Pages

Activate

/modules/pages/apps/pages/subApps/browser/actions/activate/availability/access/roles

publisher role

Installed by the workflow module (DX Core). Allows publishing of content.

Table 17. Access control lists
Workspace Permission Scope Path

Category

Read only

Sub nodes

/

Contacts

Read only

Sub nodes

/

Dam

Read only

Sub nodes

/

Userroles

Read only

Selected

/publisher

Website

Read only

Sub nodes

/

Workflow

Read/Write

Sub nodes

/
Table 18. Configured access
Applies to App Name Path

Action

Pages

Publish

/modules/pages/apps/pages/subApps/browser/actions/activate/availability/access/roles

workflow-base role

Base role allowing users to use the workflow workspace (DX Core).

Table 19. Access control lists
Workspace Permission Scope Path

Workflow

Read/Write

Sub nodes

/

Userroles

Read only

Selected

/workflow-base

contact-base role

Table 20. Access control lists
Workspace Permission Scope Path

Contact

Read only

Sub nodes

/

Userroles

Read only

Selected

/contact-base

imaging-base role

Table 21. Access control lists
Workspace Permission Scope Path

Imaging

Read only

Sub nodes

/

Userroles

Read only

Selected

/imaging-base

resources-base role

Table 22. Access control lists
Workspace Permission Scope Path

Config

Read only

Selected and sub nodes

/modules/resources

Resources

Read/Write

Sub nodes

/

Userroles

Read only

Selected

/resources-base

rest-admin role

The superuser account has the rest-admin role by default so you can use superuser to test your requests. However, for production use, you should create a custom REST role. The anonymous role is specifically denied access to the REST endpoints.
Table 23. Web access
Permission Path

Get & Post

/.rest/*
Table 24. Configured access
Applies to Name Path

Commands

Delete

/modules/rest-services/rest-endpoints/commands/enabledCommands/markAsDeleted/access/roles

Publish

/modules/rest-services/rest-endpoints/commands/enabledCommands/activate/access/roles

rest-editor role

Table 25. Web access
Permission Path

Deny

/.rest*

Get

/.rest/delivery/*

Deny

/.rest/commands*

Deny

/.rest/nodes*

Get & Post

/.rest/nodes/v1/website*

Deny

/.rest/properties*

Get & Post

/.rest/properties/v1/website*

Get & Post

/.rest/cache/v1*

rest-anonymous role

If you’re a PaaS customer, there are some differences with the rest-anonymous role. This is highlighted below in a PaaS-specific section in the table.
Table 26. Web access
Permission Path

Deny

/.rest*

Get

/.rest/delivery/*

PaaS only

Get & Post

/.rest/configuration/*

Get & Post

/.rest/cloud/*

Get

/.rest/status

rest-backup role

Table 27. Web access
Permission Path

Get & Post

/.rest/commands/v2/backup/backup
Table 28. Configured access
Applies to Name Path

Command

Backup

/modules/rest-services/rest-endpoints/commands/enabledCommands/backup/access/roles

rss-aggregator-base role

Table 29. Access control lists
Workspace Permission Scope Path

Rss

Read-only

Sub nodes

/

Userroles

Read only

Selected

/rss-aggregator-base

scripter role

Table 30. Access control lists
Workspace Permission Scope Path

Scripts

Read/Write

Sub nodes

/

Userroles

Read only

Selected

/scripter
Table 31. Web access
Permission Path

Get & Post

*
Table 32. Configured access
Applies to App Path

App

Groovy

/modules/groovy/apps/groovy/permissions/roles

security-base role

Table 33. Web access
Permission Path

Deny

/.magnolia/log4j

Deny

/.rest*

templater-base role

Table 34. Access control lists
Workspace Permission Scope Path

Config

Read-only

Selected and sub nodes

/modules/inplace-templating

Templates

Read/Write

Sub nodes

/

Userroles

Read only

Selected

/templater-base
Table 35. Configured access
Applies to App Path

App

Templates

/modules/inplace-templating/apps/inplace-templating/permissions/roles

Groups

Group permissions are the same on both author and public instances.

editors group

Assigned groups Assigned roles

(none)

editor

workflow-base

publishers group

Assigned groups Assigned roles

(none)

publisher

workflow-base

travel-demo-pur group

The travel-demo-pur group is used to organize the editors of the sample websites.

Assigned groups Assigned roles

(none)

categorization-base

contact-base

forum-pagecomments-user

imaging-base

travel-demo-base

travel-demo-pur

travel-demo-editors group

The travel-demo-editors group is used to organize the editors of the sample websites.

Assigned groups Assigned roles

(none)

travel-demo-admincentral

travel-demo-editor

travel-demo-tour-editor

imaging-base

security-base

resources-base

workflow-base

travel-demo-publishers group

The travel-demo-publishers group is used to organize the publishers of the sample websites.

Assigned groups Assigned roles

(none)

travel-demo-admincentral

travel-demo-publisher

travel-demo-tour-editor

security-base

workflow-base

travel-demo-tour-editors group

The travel-demo-tour-editors group is used to organize editors in the tour apps of the sample websites.

Assigned groups Assigned roles

(none)

travel-demo-admincentral

travel-demo-base

travel-demo-tour-editor

security-base

workflow-base

Users

eric user

The user eric is an example editor.

Assigned groups Assigned roles

travel-demo-editors

(none)

eric-de user

The user eric-de is an example German editor.

Assigned groups Assigned roles

travel-demo-editors

(none)

peter user

The user peter is an example publisher.

Assigned groups Assigned roles

travel-demo-publisher

(none)

tina user

The user tina is an example tour editor.

Assigned groups Assigned roles

travel-demo-tour-editors

(none)

System users

anonymous system user

The system user anonymous represents a Web visitor.

The anonymous role has different permissions on the author and public instances.
Assigned groups Assigned roles

(none)

anonymous

categorization-base

contact-base

forum-pagecomments-user

imaging-base

rest-anonymous

travel-demo-base

superuser system user

The system user superuser represents an administrator who has full access to the system.

Assigned groups Assigned roles

publishers (DX Core)

superuser

rest-admin

forum_ALL_admin
Feedback

DX Core

×

Location

This widget lets you know where you are on the docs site.

You are currently perusing through the DX Core docs.

Main doc sections

DX Core Headless PaaS Legacy Cloud Incubator modules