Users
A user is an account that identifies the person accessing Magnolia. In addition to a username, Magnolia stores the user’s full name, email address, language and time zone by default. These settings can be edited by the user itself in the Edit user profile dialog.
Every user has a certain set of permissions to grant access to resources, content, apps and similar things. Users inherit their permissions from the groups and roles they are attached to (see Organizing users). Use the Security app to edit the permissions of a user.
Types of users
Type | Example | |
---|---|---|
Users |
Accounts for people who work on site content such as authors, editors and publishers. |
|
System users |
Technical accounts such as
|
|
Public users |
End users or visitors of the site. They can be registered through the Public User Registration (PUR) module. Registering visitors allows you to provide them with personalized content such as members-only sections of the site, newsletters and mailing lists. |
superuser
The term superuser
may refer either to a system user (an account
type) or to a role (a definition of what a user is allowed to do in
the system). In a vanilla installation of Magnolia, the superuser
role
is assigned to the superuser
account. In addition to the superuser
role,
the superuser
account has some other roles too (see
Default
roles, groups and users).
As the name implies, the permissions of the superuser account are
usually unrestricted in any way. For instance, superuser can read and
write to all default JCR workspaces on /
.
On a production system, create specific users with distinct roles and deactivate the superuser account.
anonymous
The term anonymous
may refer either to a system user or to a role.
The latter is assigned to the former. Apart from the anonymous
role, the
anonymous
system user is by default assigned other roles too (see
Default
roles, groups and users).
Every Magnolia resource intended to be accessible without authentication must be enabled for the anonymous system user. A users that interacts with Magnolia without authentication is determined as anonymous user.
On most systems, the rights and permissions of the anonymous role differ between author and public instances: allow read access to all on the public instance, while deny the same on the author instance. That is why you should not activate that role. |
Editing user profile
Every user can set their own preferences. Next to your username in the upper-right corner, click the down arrow and select Edit user profile.
In the User profile tab, change your password, full name and email address.
In the Preferences tab, change your language, time zone, and home screen.
Setting time zone
Every user can select their own time zone. Open the Edit user profile dialog, go to the Preferences tab and set the time zone accordingly.
Magnolia continues to record events such as page creation using the host server time. The recorded time is converted and displayed in the user’s preferred time zone.
User home screen configuration
The home screen is what appears by default when you log in or close an app. Individual users can select either App launcher or Find Bar suggestions as their home screen.
Instructions
-
Open the Edit User Profile dialog.
-
Go to the Preferences tab.
-
Select your desired home screen option.
For the global configuration, see Global home screen configuration. |
Organizing users
In Magnolia, users are organized as follows:
-
Users can have both roles and groups.
-
Groups can have groups and roles.
-
Roles can have only Access Control Lists (ACLs).
Permissions are defined in the ACL. Users inherit permissions from the roles and groups assigned to them.
In a small site you can manage users and groups in Magnolia. On a larger site (hundreds of users), it is better to manage users and groups in an enterprise-grade user management infrastructure such as Microsoft Active Directory. You would define roles and ACLs in Magnolia but manage users and groups in the external system.
Get a list of all permissions assigned to a user or group in the Tools tab of the Security app. |
Editing user permissions
Every user known to Magnolia is granted a set of permissions defined by roles. You can either assign roles directly to a user, or assign a user to a group that itself grants a set of roles (see Organizing users above).
Use the Security app to edit the
permissions. The app is available in the Set up group of Admincentral, and
by default the superuser
role is required to access it.
The Security app provides subapps to edit the users (system users and public users), groups and roles. Select the user you want to edit and double-click it or use the Edit user action. The Edit user action is available in the following subapps: Users, System users and Public users.
The dialog where you can edit user details has three tabs:
-
User info: Use this tab to edit the user’s name and full name, the password, the email address, and the language, a property editable also in the Edit user profile dialog. You can use the tab to enable or disable a user account.
-
Groups: On this tab you can assign the user to existing groups:
-
Roles: On this tab you can grant roles to the user.
Automatic lockout
An automatic lockout is a security precaution that prevents users from accessing Magnolia after a number of failed login attempts.
By default, a lockout is triggered and an account is automatically
disabled after N+1
failed login attempts. The number of failed
attempts can be configured. No lockout is triggered when a username
that does not exist is entered. A lockout applies to both system and
admin users, but not to public users. After a lockout, an administrator
can re-enable the account by selecting the Enabled checkbox in the
user profile. When a lockout occurs, this checkbox is cleared.
The number of failed login attempts N
that will trigger a lockout can be configured using
the maxFailedLoginAttempts
property in /server/security/userManagers/system
and /admin
.
Different values may be set for Users and Systems Users.
Properties
Property | Description | ||
---|---|---|---|
|
optional, default is Allows duplicate usernames in different realms. Only applicable to
|
||
|
required A class that implements the UserManager interface. Implementations:
|
||
|
optional, default is Allows to disable caching if set to |
||
|
required Realm name corresponding to JAAS login configuration. |
||
|
optional, default is Indicates what methods are used to deal with the
|
||
|
optional A subnode which allows you to specify a custom |
||
|
The class that implements the The default class used is
Two additional implementations are available:
|
||
|
optional A subnode which specifies the If not defined explicitly then the predicate accepts anything within the following namespaces:
|
||
|
The class that implements the The default class is
|
||
|
optional A subnode which defines the decoding method of the admin password used
by the
|
||
|
The decoder is available in three implementations:
|
||
|
optional, default is Specifies the number of objects to be returned in a single search result. |
AdminCentral user login information
For peace of mind and added protection, all users within AdminCentral can see their latest login information conveniently from the App Launcher. Typically, the login information is found in the top-right of the App Launcher and is displayed in the user’s local time.
- Login information format
-
Last login: DD/MM/YYYY, hh:mm
The latest login information is shown for Magnolia users, accessing via the default login, and SSO users (accessing via the SSO module, version 3.1.2 and later).
The following types of authentication still need to be extended with the latest login information: custom client authentications, the LDAP connector module, and the SSO connector module. |
External services
The LDAP Connector module is a standard JAAS login module that connects to any LDAP V3 supported directory service. This module is useful where an enterprise-grade user management infrastructure already exists. With the JAAS standard support you can meet single sign-on requirements or connect to legacy LDAP/ADS directory servers.