Roles, groups and users

The system of roles, groups, and users makes the role or group assignment process efficient so that, for example, onboarding new editors or publishers becomes a simple assignment to a group or role.

Because privileges are usually highly granular in a fully deployed authoring and publishing configuration, you can segment the editing experience further by app and workspace access, without custom roles.

This reduces the overall complexity, particularly for projects with external user management.

Managing roles, groups, and users

Use the Security app to manage the assignment of roles, groups, and users.

Default roles, groups, and users in DX Core webapp

Roles

Except for the anonymous, scripter, and superuser roles, the system of roles follows a unified naming convention of the type <module>-<privilege> (for example, pages-publisher, admincentral-editor).

Role Description

admincentral-developer

Allows users to read the config workspace.

admincentral-editor

Allows users to enter the Admincentral (permissions to the /.magnolia/admincentral* path).

anonymous

Base role for public, unauthenticated users.

asset-editor

Allows users to edit assets (stored in the dam workspace).

categorization-base

Base role allowing users to read categorization information.

category-editor

Allows users to edit content categories (stored in the category workspace).

dam-app-core-editor

Allows users to read content on the /dam-app-core-editor path.

dam-app-jcr-editor

Allows users to edit content in the dam workspace.

definitions-app-developer

Allows users to read the content on the /definitions-app-developer path.

diff-viewer

Allows users to access the web path .magnolia/versionDiff*.

editor

Allows editing content.

graphql-developer

Allows users to read the /graphql-developer path workspace content and to access the web paths /.graphiql and /.graphql.

imaging-base

Base role allowing users to read the imaging workspace.

imaging-editor

Allows users to access the /.imaging/* web path.

marketingTag-editor

Allows users to access and update content in the marketings-app workspace.

page-editor

Allows users to access and update content in the website workspace and the /page-editor path.

pages-app-editor

Allows users to access and update content in the website workspace and access the /page-app-editor path.

resources-base

Base role allowing users to use the resources workspace.

resources-editor

Allows web content retrieval from the /.resources/* path.

rest-admin

REST administrator role granting GET/POST permissions to all of Magnolia’s REST APIs.

rest-anonymous

REST Anonymous Consumer granting GET permissions to Magnolia’s content delivery REST API.

rest-backup

Allows executing the backup command from a running Magnolia instance.

rest-editor

REST editor role.

scripter

Base role allowing users to use the scripts workspace.

security-base

Base role denying access to certain system pages.

stories-base

Base role allowing users to read stories.

story-editor

Allows users to read and create stories (in the stories workspace).

superuser

A user with unrestricted access to all content everywhere.

Superuser can’t publish tasks

In the default configuration, superuser can create publishing tasks, but the tasks are restricted to the publishers group (/modules/workflow-jbpm/tasks/publish/groups@publishers).

To lift this restriction, you must reconfigure the group and role assignments for the publishing workflow.

This is a limitation in the beta release. It will be fixed with MAGNOLIA-9357.

workflow-base

Base role allowing users to use the workflow.

workflow-editor

Allows users to edit content.

workflow-publisher

Allows users to publish content.

Groups

The purpose of groups is to define settings for a group of users, as opposed to individual users. Users with similar privileges are assigned to appropriate groups. Permissions that apply to a group are inherited by its users.

In the Magnolia DX Core webapp, there are no pre-defined groups.

In magnolia-core, however, these three default groups (JCR primary type mgnl:group) are available:

  • developers

  • editors

  • publishers

Other modules can use these default groups for role assignments.

Users

System users

System user: anonymous

Description: Unauthenticated public users access the websites using this account.

Assigned roles:

  • anonymous

  • categorization-base

  • imaging-base

  • rest-anonymous

Assigned groups: none

System user: superuser

Description: User assigned unlimited access permissions.

Assigned roles:

  • rest-admin

  • superuser

Assigned groups: none
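
The group inheritance and system-user defaults described above can be turned into a drift check on role assignments. The following is an added example, not Magnolia code: it assumes assignments have been exported to plain Python dicts (the export format, the ops group, the jdoe user, and the group-to-role mapping are hypothetical), and treating superuser, rest-admin, and rest-backup as sensitive is this example's choice.

```python
# Added example: audit effective roles against the defaults documented on this page.
# Assumption: assignments were exported into plain dicts; no Magnolia API is used here.

# System-user roles exactly as listed in the "System users" section.
DOCUMENTED_BASELINE = {
    "anonymous": {"anonymous", "categorization-base", "imaging-base", "rest-anonymous"},
    "superuser": {"rest-admin", "superuser"},
}
# Roles the page describes in broad terms; flagging them is this example's choice.
SENSITIVE_ROLES = {"superuser", "rest-admin", "rest-backup"}


def effective_roles(user, group_roles):
    """Direct roles plus roles inherited from each assigned group."""
    roles = set(user.get("roles", ()))
    for group in user.get("groups", ()):
        roles |= set(group_roles.get(group, ()))
    return roles


def audit(users, group_roles):
    """Return sorted (user, finding, role) tuples for roles that need review."""
    findings = []
    for name, user in users.items():
        roles = effective_roles(user, group_roles)
        baseline = DOCUMENTED_BASELINE.get(name)
        if baseline is not None:
            # System users: any deviation from the documented defaults is drift.
            findings += [(name, "extra-role-on-system-user", r) for r in roles - baseline]
            findings += [(name, "missing-default-role", r) for r in baseline - roles]
        else:
            # Regular users: surface sensitive roles, including group-inherited ones.
            findings += [(name, "sensitive-role", r) for r in roles & SENSITIVE_ROLES]
    return sorted(findings)


# Constructed sample data (hypothetical users and group-to-role mapping).
GROUP_ROLES = {"editors": {"editor", "workflow-editor"},
               "ops": {"rest-backup"}}
USERS = {
    "anonymous": {"roles": {"anonymous", "categorization-base", "imaging-base",
                            "rest-anonymous"}, "groups": {"editors"}},
    "superuser": {"roles": {"rest-admin", "superuser"}, "groups": set()},
    "jdoe": {"roles": {"page-editor"}, "groups": {"editors", "ops"}},
}

if __name__ == "__main__":
    for finding in audit(USERS, GROUP_ROLES):
        print(*finding, sep="\t")
```

In the sample data, the anonymous account picks up editing roles only through a group membership, which a review of direct role assignments alone would miss.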

Magnolia 6.3 beta

Magnolia 6.3 is in beta. We are updating docs based on development and feedback. Consider the 6.3 docs currently in a state of progress and not final.

We are working on some 6.3-beta known issues during this phase.