Security app

The Security app is where you manage access in the system by administering users, user groups and user roles. Magnolia’s built-in access management system authenticates users to determine who is using the system and provides them with the means to sign into applications. It also authorizes users, ensuring that they have the required permissions for actions such as editing pages. You can access the Security app via Set up > Security.

Security app


Users, System users and Public users

Use the subapps called Users, System users and Public users to manage the different types of user. For all these users you can:

  • Edit user information such as user name, password, full name, e-mail, and language.

  • Assign the user to groups.

  • Assign roles to the user.

User info field

The configuration user data is stored in the users workspace below these paths:

System users




Public users


For more information, see Editing user permissions.


Users with similar privileges are grouped together. The purpose of a group is to define the settings for the group as whole rather than for each individual user. Permissions that apply to the group are inherited by its users.

By assigning a role to a group, all users in the group inherit the permissions associated with the role. You do not have to assign the users with the role individually.

Similarly, by assigning groups to the current group, all users in the current group inherit the roles and the permissions granted to the groups being assigned to the current group.

Group info

See Groups for further information.


A role is a function a user performs either in the management of Magnolia or as a visitor of a Magnolia website. It reflects the actions and activities assigned to, required, or expected of a user. Specific permissions are granted to enable the functions of a role.

For example, the editor role is responsible for editing content displayed on the site. Permissions granted to this role allow the user to edit the content and submit it for review. The publisher role, on the other hand, is tasked with reviewing the content and publishing it from the author instance to the public instance(s).

Roles have JCR Access Control Lists (ACLs) and Web access permissions. For both the JCR content and Web access, you can define multiple ACLs per role.

Role info tab

To understand how to configure ACLs per role, see Roles and access control lists


The Tools subapp lets you query groups and permissions associated to a given user. The subapp is useful for permission reporting, auditing, and troubleshooting why users can’t access the resources they should be able to.

Use the subapp’s tabs to display:

  • Permissions: Groups, roles, and permissions for any user.

  • Group members: Users assigned to the current group or its transitive groups.

  • Role assignments: Users or groups assigned with any role.

Security permissions


The Security app is installed by the Security app module. The app is configured in /modules/security-app and comes with the users, systemUsers, groups, roles, tools and public subapps.

The public subapp is installed and configured by the Public User Registration module.

Only users assigned the superuser role have permission to access the subapps.

Security app module in the Configuration app


The subapps operate on the following workspaces:

Subapp Workspace











Node types

The Security app module registers the following custom node types in the subapp configurations. The subapps operate on these nodes types and on mgnl:folder.

Subapp Node type












DX Core



This widget lets you know where you are on the docs site.

You are currently perusing through the DX Core docs.

Main doc sections

DX Core Headless PaaS Legacy Cloud Incubator modules