Default permissions
These are default permissions in Magnolia. You can manage them in the Security app. The default permissions are just an example of how to grant permissions in a typical website. You should adapt the permissions to match your own organization. App permissions are configured in the app launcher configuration.
Roles
superuser role
The superuser role provides full access to the system.
The permissions are the same on both author and public instances.
Workspace | Permission | Path |
---|---|---|
AdvancedCache | Read/Write | |
Category | Read/Write | |
Config | Read/Write | |
Contacts | Read/Write | |
Dam | Read/Write | |
Dms* | Read/Write | |
Forum | Read/Write | |
GoogleSitemaps | Read/Write | |
Imaging | Read/Write | |
Keystore | Read/Write | |
Marketing-tags | Read/Write | |
Messages | Read/Write | |
Personas | Read/Write | |
Profiles | Read/Write | |
Resources | Read/Write | |
Rss | Read/Write | |
Scripts | Read/Write | |
Segments | Read/Write | |
Stories | Read/Write | |
Tags | Read/Write | |
Tasks | Read/Write | |
Templates | Read/Write | |
Tours | Read/Write | |
Usergroups | Read/Write | |
Userroles | Read/Write | |
Users | Read/Write | |
Website | Read/Write | |
Workflow (DX Core) | Read/Write | |

Permission | Path |
---|---|
Get & Post | |

Applies to | Name | Path |
---|---|---|
App | Publishing | |
App | Configuration | |
App | Security | |
App | Security | |
App | Mail tools | |
App | Dev tools | |
App | Backup | |
App launcher | Dev group | |
App launcher | Tools group | |
Tasks app | Abort action | |
Tasks app | Archive action | |
admincentral-developer role
Workspace | Permission | Path |
---|---|---|
Category | Read only | |
Userroles | Read only | |
admincentral-editor role
Workspace | Permission | Path |
---|---|---|
Userroles | Read only | |

Permission | Path |
---|---|
Get & Post | |
Deny | |
Get & Post | |
anonymous role - author instance
The anonymous role defines the permissions of public, unauthenticated users.
Permissions are different on the author and public instances.
Workspace | Permission | Path |
---|---|---|
DAM | Read only | |
Website | Deny access | |
Resources | Read only | |
Category | Read only | |
Marketing-tags | Read only | |

Permission | Path |
---|---|
Deny | |
Deny | |
anonymous role - public instance
Workspace | Permission | Path |
---|---|---|
Category | Read only | |
Dam | Read only | |
GoogleSitemaps | Read only | |
Marketing-tags | Read only | |
Resources | Read only | |
Website | Read only | |

Permission | Path |
---|---|
Get & Post | |
Deny | |
Deny | |
Deny | |
Deny | |
Deny | |
Deny | |
asset-editor role
Workspace | Permission | Path |
---|---|---|
Dam | Read/Write | |
Userroles | Read only | |
categorization-base role
Workspace | Permission | Path |
---|---|---|
Data | Read-only | |
Data | Read-only | |
Userroles | Read only | |
category-editor role
Workspace | Permission | Path |
---|---|---|
Data | Read-only | |
Data | Read/Write | |
Userroles | Read only | |
contact-base role
Workspace | Permission | Path |
---|---|---|
Contact | Read only | |
Userroles | Read only | |
dam-app-core-editor role
Workspace | Permission | Path |
---|---|---|
Userroles | Read only | |
dam-app-jcr-editor role
Workspace | Permission | Path |
---|---|---|
Dam | Read/Write | |
Dam | Read/Write | |
Userroles | Read only | |
definitions-app-developer role
Workspace | Permission | Path |
---|---|---|
Userroles | Read only | |
diff-viewer role
Workspace | Permission | Path |
---|---|---|
Userroles | Read only | |

Permission | Path |
---|---|
Get & Post | |
graphql-developer role
Workspace | Permission | Path |
---|---|---|
Userroles | Read only | |

Permission | Path |
---|---|
Get & Post | |
Get & Post | |
imaging-base role
Workspace | Permission | Path |
---|---|---|
Imaging | Read only | |
Userroles | Read only | |
imaging-editor role
Workspace | Permission | Path |
---|---|---|
Userroles | Read only | |

Permission | Path |
---|---|
Get | |
marketingTag-editor role
Workspace | Permission | Path |
---|---|---|
Userroles | Read only | |
Marketing tags | Read/Write | |
page-editor role
Workspace | Permission | Path |
---|---|---|
Userroles | Read only | |
Website | Read/Write | |
pages-app-editor role
Workspace | Permission | Path |
---|---|---|
Userroles | Read only | |
Website | Read/Write | |
resources-base role
Workspace | Permission | Path |
---|---|---|
Config | Read only | |
Resources | Read/Write | |
Userroles | Read only | |
resources-editor role
Workspace | Permission | Path |
---|---|---|
Userroles | Read only | |

Permission | Path |
---|---|
Get | |
REST admin roles
rest-admin role
The superuser account has the rest-admin role by default so you can use superuser to test your requests.
However, for production use, you should create a custom REST role.
The anonymous role is specifically denied access to the REST endpoints.
Permission | Path |
---|---|
Get & Post | |

Applies to | Name | Path |
---|---|---|
Commands | Delete | |
Commands | Publish | |
rest-editor role
Permission | Path |
---|---|
Deny | |
Get | |
Deny | |
Deny | |
Get & Post | |
Deny | |
Get & Post | |
Get & Post | |
rest-anonymous role
If you’re a PaaS customer, there are some differences with the rest-anonymous role.
This is highlighted below in a PaaS-specific section in the table.
Permission | Path |
---|---|
Deny | |
Get | |
PaaS only | |
Get & Post | |
Get & Post | |
Get | |
rss-aggregator-base role
Workspace | Permission | Path |
---|---|---|
Data | Read-only | |
Rss | Read-only | |
Userroles | Read only | |
scripter role
Workspace | Permission | Path |
---|---|---|
Scripts | Read/Write | |
Userroles | Read only | |

Permission | Path |
---|---|
Get & Post | |

Applies to | App | Path |
---|---|---|
App | Groovy | |
stories-base role
Workspace | Permission | Path |
---|---|---|
Userroles | Read only | |
Stories | Read only | |
Stories | Read only | |
story-editor role
Workspace | Permission | Path |
---|---|---|
Userroles | Read only | |
Stories | Read/Write | |
travel-demo-base role
The `travel-demo-base` role is specific to the demo website. The permissions are the same on both author and public instances.
Workspace | Permission | Path |
---|---|---|
Category | Read only | |
Dam | Read only | |
Tours | Read only | |
Stories | Deny | |
Userroles | Read only | |
travel-demo-admincentral role
The `travel-demo-admincentral` role is specific to the demo-project example websites. The permissions are the same on both author and public instances.
Permission | Path |
---|---|
Get & Post | |
travel-demo-editor role
Workspace | Permission | Path |
---|---|---|
Category | Read/Write | |
Dam | Read/Write | |
Userroles | Read only | |
Website | Read/Write | |
Stories | Read/Write | |

Applies to | App | Name | Path |
---|---|---|---|
App | Assets | | |
Action | Assets | Publish | |
Action | Pages | Publish | |
travel-demo-publisher role
Workspace | Permission | Path |
---|---|---|
Userroles | Read only | |
Website | Read/Write | |
Stories | Read/Write | |

Applies to | App | Name | Path |
---|---|---|---|
App | Assets | | |
Action | Assets | Publish | |
Action | Pages | Publish | |
travel-demo-tour-editor role
Workspace | Permission | Path |
---|---|---|
Category | Read/Write | |
Dam | Read/Write | |
Tours | Read/Write | |
Userroles | Read only | |
workflow-editor role
Installed by the workflow module (DX Core). Allows editing of content.
Workspace | Permission | Path |
---|---|---|
Category | Read/Write | |
Contacts | Read/Write | |
Dam | Read/Write | |
Userroles | Read only | |
Website | Read/Write | |

Applies to | App | Name | Path |
---|---|---|---|
Action | Pages | Activate | |
workflow-publisher role
Installed by the workflow module (DX Core). Allows publishing of content.
Workspace | Permission | Path |
---|---|---|
Category | Read only | |
Contacts | Read only | |
Dam | Read only | |
Userroles | Read only | |
Website | Read only | |
Workflow | Read/Write | |

Applies to | App | Name | Path |
---|---|---|---|
Action | Pages | Publish | |
Groups
Group permissions are the same on both author and public instances.
The three core groups of developers, editors, and publishers are represented in the table.
You can find the roles referenced in the table in Roles.
The travel demo groups are in a subsection after the table.
Role | Developers | Editors | Publishers |
---|---|---|---|
Travel demo groups
travel-demo-pur group
The travel-demo-pur group is used to organize the editors of the sample websites.
Assigned groups | Assigned roles |
---|---|
(none) | |
travel-demo-editors group
The travel-demo-editors group is used to organize the editors of the sample websites.
Assigned groups | Assigned roles |
---|---|
(none) | |
Users
eric user
The user eric is an example editor.
Assigned groups | Assigned roles |
---|---|
| | (none) |
eric-de user
The user eric-de is an example German editor.
Assigned groups | Assigned roles |
---|---|
| | (none) |
System users
anonymous system user
The system user anonymous represents a Web visitor.
The anonymous role has different permissions on the author and public instances.
Assigned groups | Assigned roles |
---|---|
(none) | |