Default permissions

These are the default permissions in Magnolia. You can manage them in the Security app. The default permissions are only an example of how to grant permissions on a typical website. You should adapt them to match your own organization. App permissions are configured in the app launcher configuration.

Roles

superuser role

The superuser role provides full access to the system. The permissions are the same on both author and public instances.

Table 1. Access control lists
Workspace            Permission   Path
AdvancedCache        Read/Write   /*
Category             Read/Write   /*
Config               Read/Write   /*
Contacts             Read/Write   /*
Dam                  Read/Write   /*
Dms*                 Read/Write   /*
Forum                Read/Write   /*
GoogleSitemaps       Read/Write   /*
Imaging              Read/Write   /*
Keystore             Read/Write   /*
Marketing-tags       Read/Write   /*
Messages             Read/Write   /*
Personas             Read/Write   /*
Profiles             Read/Write   /*
Resources            Read/Write   /*
Rss                  Read/Write   /*
Scripts              Read/Write   /*
Segments             Read/Write   /*
Stories              Read/Write   /*
Tags                 Read/Write   /*
Tasks                Read/Write   /*
Templates            Read/Write   /*
Tours                Read/Write   /*
Usergroups           Read/Write   /*
Userroles            Read/Write   /*
Users                Read/Write   /*
Website              Read/Write   /*
Workflow (DX Core)   Read/Write   /*

Table 2. Web access
Permission   Path
Get & Post   *

Table 3. Configured access
Applies to     Name              Path
App            Publishing        /modules/activation/apps/activation/permissions/roles
App            Configuration     /modules/ui-admincentral/apps/configuration/permissions/roles
App            Security          /modules/security-app/apps/security/permissions/roles
App            Security          /modules/security-app/dialogs/role/form/tabs/role/fields/jcrName
App            Mail tools        /modules/mail/apps/mail/permissions/roles
App            Dev tools         /modules/tools/apps/tools/permissions/roles
App            Backup            /modules/backup/apps/backup/permissions/roles
App launcher   Dev group         /modules/ui-admincentral/config/appLauncherLayout/groups/dev/permissions/roles
App launcher   Tools group       /modules/ui-admincentral/config/appLauncherLayout/groups/tools/permissions/roles
Tasks app      Abort action      /modules/workflow/messageViews/publish/actions/abort/availability/access/roles
Tasks app      Archive action    /modules/workflow/messageViews/publish/actions/archive/availability/access/roles

admincentral-developer role

Table 4. Access control lists
Workspace        Permission    Path
Category         Read only     /*
Userroles        Read only     /admincentral-developer

admincentral-editor role

Table 5. Access control lists
Workspace        Permission    Path
Userroles        Read only     /admincentral-editor

Table 6. Web access
Permission   Path
Get & Post   *
Deny         /.*
Get & Post   /.magnolia/admincentral/*

anonymous role - author instance

The anonymous role defines the permissions of public, unauthenticated users. Permissions are different on the author and public instances.

Table 7. Access control lists
Workspace        Permission    Path
DAM              Read only     /*
Website          Deny access   /*
Resources        Read only     /*
Category         Read only     /
Category         Read only     /*
Marketing-tags   Read only     /
Marketing-tags   Read only     /*

Table 8. Web access
Permission   Path
Deny         *
Deny         /.magnolia*

anonymous role - public instance

Table 9. Access control lists
Workspace        Permission    Path
Category         Read only     /
Category         Read only     /*
Dam              Read only     /
Dam              Read only     /*
GoogleSitemaps   Read only     /
GoogleSitemaps   Read only     /*
Marketing-tags   Read only     /
Marketing-tags   Read only     /*
Resources        Read only     /*
Website          Read only     /*

Table 10. Web access
Permission   Path
Get & Post   *
Deny         /.magnolia
Deny         /.magnolia/*
Deny         /travel/members/protected*
Deny         /travel/members/profile-update*
Deny         <travel>/members/protected*
Deny         <travel>/members/profile-update*

asset-editor role

Table 11. Access control lists
Workspace        Permission    Path
Dam              Read/Write    /*
Userroles        Read only     /asset-editor

categorization-base role

Table 12. Access control lists
Workspace        Permission    Path
Data             Read-only     /categorization
Data             Read-only     /categorization/*
Userroles        Read only     /categorization-base

category-editor role

Table 13. Access control lists
Workspace        Permission    Path
Data             Read-only     /category-editor
Data             Read/Write    /*
Userroles        Read only     /category-editor

contact-base role

Table 14. Access control lists
Workspace        Permission    Path
Contact          Read only     /*
Userroles        Read only     /contact-base

dam-app-core-editor role

Table 15. Access control lists
Workspace        Permission    Path
Userroles        Read only     /dam-app-core-editor

dam-app-jcr-editor role

Table 16. Access control lists
Workspace        Permission    Path
Dam              Read/Write    /
Dam              Read/Write    /*
Userroles        Read only     /dam-app-jcr-editor

definitions-app-developer role

Table 17. Access control lists
Workspace        Permission    Path
Userroles        Read only     /definitions-app-developer

diff-viewer role

Table 18. Access control lists
Workspace        Permission    Path
Userroles        Read only     /diff-viewer

Table 19. Web access
Permission   Path
Get & Post   /.magnolia/versionDiff*

graphql-developer role

Table 20. Access control lists
Workspace        Permission    Path
Userroles        Read only     /graphql-developer

Table 21. Web access
Permission   Path
Get & Post   /.graphiql
Get & Post   /.graphql

imaging-base role

Table 22. Access control lists
Workspace        Permission    Path
Imaging          Read only     /*
Userroles        Read only

imaging-editor role

Table 23. Access control lists
Workspace        Permission    Path
Userroles        Read only     /imaging-editor

Table 24. Web access
Permission   Path
Get          /.imaging/*

marketingTag-editor role

Table 25. Access control lists
Workspace        Permission    Path
Userroles        Read only     /marketingTag-editor
Marketing tags   Read/Write    /*

page-editor role

Table 26. Access control lists
Workspace        Permission    Path
Userroles        Read only     /page-editor
Website          Read/Write    /*

pages-app-editor role

Table 27. Access control lists
Workspace        Permission    Path
Userroles        Read only     /page-app-editor
Website          Read/Write    /*

resources-base role

Table 28. Access control lists
Workspace        Permission    Path
Config           Read only     /modules/resources
Config           Read only     /modules/resources/*
Resources        Read/Write    /*
Userroles        Read only     /resources-base

resources-editor role

Table 29. Access control lists
Workspace        Permission    Path
Userroles        Read only     /resources-editor

Table 30. Web access
Permission   Path
Get          ./resources/*

REST admin roles

rest-admin role

The superuser account has the rest-admin role by default so you can use superuser to test your requests. However, for production use, you should create a custom REST role. The anonymous role is specifically denied access to the REST endpoints.

Table 31. Web access
Permission   Path
Get & Post   /.rest/*

Table 32. Configured access
Applies to     Name              Path
Commands       Delete            /modules/rest-services/rest-endpoints/commands/enabledCommands/markAsDeleted/access/roles
Commands       Publish           /modules/rest-services/rest-endpoints/commands/enabledCommands/activate/access/roles

rest-editor role

Table 33. Web access
Permission   Path
Deny         /.rest*
Get          /.rest/delivery/*
Deny         /.rest/commands*
Deny         /.rest/nodes*
Get & Post   /.rest/nodes/v1/website*
Deny         /.rest/properties*
Get & Post   /.rest/properties/v1/website*
Get & Post   /.rest/cache/v1*

rest-anonymous role

If you're a PaaS customer, the rest-anonymous role differs in some respects. The differences are listed in the PaaS-only section of the table below.

Table 34. Web access
Permission   Path
Deny         /.rest*
Get          /.rest/delivery/*
PaaS only:
Get & Post   /.rest/configuration/*
Get & Post   /.rest/cloud/*
Get          /.rest/status

rest-backup role

Table 35. Web access
Permission   Path
Get & Post   /.rest/commands/v2/backup/backup

Table 36. Configured access
Applies to     Name              Path
Command        Backup            /modules/rest-services/rest-endpoints/commands/enabledCommands/backup/access/roles

rss-aggregator-base role

Table 37. Access control lists
Workspace        Permission    Path
Data             Read-only     /rss-aggregator
Data             Read-only     /rss-aggregator/*
Rss              Read-only     /*
Userroles        Read only     /rss-aggregator-base

scripter role

Table 38. Access control lists
Workspace        Permission    Path
Scripts          Read/Write    /*
Userroles        Read only     /scripter

Table 39. Web access
Permission   Path
Get & Post   *

Table 40. Configured access
Applies to     App               Path
App            Groovy            /modules/groovy/apps/groovy/permissions/roles

security-base role

Table 41. Web access
Permission   Path
Deny         /.magnolia/log4j
Deny         /.rest*

stories-base role

Table 42. Access control lists
Workspace        Permission    Path
Userroles        Read only     /stories-base
Stories          Read only     /
Stories          Read only     /*

story-editor role

Table 43. Access control lists
Workspace        Permission    Path
Userroles        Read only     /stories-editor
Stories          Read/Write    /*

travel-demo-base role

The travel-demo-base role is specific to the demo website. The permissions are the same on both author and public instances.

Table 44. Access control lists
Workspace        Permission    Path
Category         Read only     /tour-types
Category         Read only     /tour-types/
Category         Read only     /destinations
Category         Read only     /destinations/
Dam              Read only     /*
Tours            Read only     /*
Stories          Deny          /
Stories          Deny          /*
Userroles        Read only     /travel-demo-base

travel-demo-admincentral role

The travel-demo-admincentral role is specific to the demo-project example websites. The permissions are the same on both author and public instances.

Table 45. Web access
Permission   Path
Get & Post   *

travel-demo-editor role

Table 46. Access control lists
Workspace        Permission    Path
Category         Read/Write    /*
Dam              Read/Write    /*
Userroles        Read only     /travel-demo-editor
Website          Read/Write    /*
Stories          Read/Write    /
Stories          Read/Write    /*

Table 47. Configured access
Applies to   App      Name       Path
App          Assets              /modules/dam-app/apps/assets/permissions/roles
Action       Assets   Publish    /modules/dam-app/apps/assets/subApps/browser/actions/activate/availability/access/roles
Action       Pages    Publish    /modules/pages/apps/pages/subApps/browser/actions/activate/availability/access/roles

travel-demo-publisher role

Table 48. Access control lists
Workspace        Permission    Path
Userroles        Read only     /travel-demo-publisher
Website          Read/Write    /*
Stories          Read/Write    /
Stories          Read/Write    /*

Table 49. Configured access
Applies to   App      Name       Path
App          Assets              /modules/dam-app/apps/assets/permissions/roles
Action       Assets   Publish    /modules/dam-app/apps/assets/subApps/browser/actions/activate/availability/access/roles
Action       Pages    Publish    /modules/pages/apps/pages/subApps/browser/actions/activate/availability/access/roles

travel-demo-tour-editor role

Table 50. Access control lists
Workspace        Permission    Path
Category         Read/Write    /tour-types
Category         Read/Write    /tour-types/
Category         Read/Write    /destinations
Category         Read/Write    /destinations/
Dam              Read/Write    /*
Tours            Read/Write    /*
Userroles        Read only     /travel-demo-tour-editor

workflow-editor role

Installed by the workflow module (DX Core). Allows editing of content.

Table 51. Access control lists
Workspace        Permission    Path
Category         Read/Write    /*
Contacts         Read/Write    /*
Dam              Read/Write    /*
Userroles        Read only     /editor
Website          Read/Write    /*

Table 52. Configured access
Applies to   App      Name       Path
Action       Pages    Activate   /modules/pages/apps/pages/subApps/browser/actions/activate/availability/access/roles

workflow-publisher role

Installed by the workflow module (DX Core). Allows publishing of content.

Table 53. Access control lists
Workspace        Permission    Path
Category         Read only     /*
Contacts         Read only     /*
Dam              Read only     /*
Userroles        Read only     /publisher
Website          Read only     /*
Workflow         Read/Write    /*

Table 54. Configured access
Applies to   App      Name       Path
Action       Pages    Publish    /modules/pages/apps/pages/subApps/browser/actions/activate/availability/access/roles

workflow-base role

Base role allowing users to use the workflow workspace (DX Core).

Table 55. Access control lists
Workspace        Permission    Path
Workflow         Read/Write    /*
Userroles        Read only     /workflow-base

Groups

Group permissions are the same on both author and public instances. The three core groups of developers, editors, and publishers are represented in the table. You can find the roles referenced in the table in Roles.

The travel demo groups are in a subsection after the table.

Role Developers Editors Publishers

admincentral-editor

admincentral-developer

asset-editor

category-editor

dam-app-core-editor

dam-app-jcr-editor

definitions-app-developer

diff-viewer

graphql-developer

imaging-editor

marketingTag-editor

page-editor

pages-app-editor

resources-editor

sso-redirect-uri-authorizer

stories-app-editor

story-editor

tour-editor

tourCategory-editor

userranking-editor

workflow-editor

workflow-publisher

Travel demo groups

travel-demo-pur group

The travel-demo-pur group is used to organize the editors of the sample websites.

Assigned groups: (none)
Assigned roles: categorization-base, contact-base, forum-pagecomments-user, imaging-base, travel-demo-base, travel-demo-pur

travel-demo-editors group

The travel-demo-editors group is used to organize the editors of the sample websites.

Assigned groups: (none)
Assigned roles: travel-demo-admincentral, travel-demo-editor, travel-demo-tour-editor, imaging-base, security-base, resources-base, workflow-base

travel-demo-publishers group

The travel-demo-publishers group is used to organize the publishers of the sample websites.

Assigned groups: (none)
Assigned roles: travel-demo-admincentral, travel-demo-publisher, travel-demo-tour-editor, security-base, workflow-base

travel-demo-tour-editors group

The travel-demo-tour-editors group is used to organize editors in the tour apps of the sample websites.

Assigned groups: (none)
Assigned roles: travel-demo-admincentral, travel-demo-base, travel-demo-tour-editor, security-base, workflow-base

Users

eric user

The user eric is an example editor.

Assigned groups: travel-demo-editors
Assigned roles: (none)

eric-de user

The user eric-de is an example German editor.

Assigned groups: travel-demo-editors
Assigned roles: (none)

peter user

The user peter is an example publisher.

Assigned groups: travel-demo-publisher
Assigned roles: (none)

tina user

The user tina is an example tour editor.

Assigned groups: travel-demo-tour-editors
Assigned roles: (none)

System users

anonymous system user

The system user anonymous represents a Web visitor.

The anonymous role has different permissions on the author and public instances.

Assigned groups: (none)
Assigned roles: anonymous, categorization-base, contact-base, forum-pagecomments-user, imaging-base, rest-anonymous, travel-demo-base

superuser system user

The system user superuser represents an administrator who has full access to the system.

Assigned groups: (none)
Assigned roles: superuser, rest-admin, forum_ALL_admin
