Default permissions
These are default permissions in Magnolia. You can manage them in the Security app. The default permissions are just an example how to grant permissions in a typical website. You should adapt the permissions to match your own organization. App permissions are configured in the app launcher configuration.
Roles
anonymous
role - author instance
The anonymous
role defines the permissions of public, unauthenticated users.
Permissions are different on the author and public instances.
Workspace | Permission | Scope | Path |
---|---|---|---|
Category |
Read only |
Selected and sub nodes |
|
DAM |
Read only |
Sub nodes |
|
GoogleSitemaps |
Read only |
Selected and sub nodes |
|
Marketing-tags |
Read only |
Selected and sub nodes |
|
Resources |
Read only |
Sub nodes |
|
Website |
Deny access |
Sub nodes |
|
Permission | Path |
---|---|
Deny |
|
Deny |
|
anonymous
role - public instance
Workspace | Permission | Scope | Path |
---|---|---|---|
Category |
Read only |
Selected and sub nodes |
|
Dam |
Read only |
Selected and sub nodes |
|
GoogleSitemaps |
Read only |
Selected and sub nodes |
|
Marketing-tags |
Read only |
Selected and sub nodes |
|
Resources |
Read only |
Sub nodes |
|
Website |
Read only |
Sub nodes |
|
Permission | Path |
---|---|
Get & Post |
|
Deny |
|
Deny |
|
Deny |
|
Deny |
|
Deny |
|
Deny |
|
superuser
role
The superuser
role provides full access to the system.
The permissions are the same on both author and public instances.
Workspace | Permission | Scope | Path |
---|---|---|---|
AdvancedCache |
Read/Write |
Sub nodes |
|
Category |
Read/Write |
Sub nodes |
|
Config |
Read/Write |
Sub nodes |
|
Contacts |
Read/Write |
Sub nodes |
|
Dam |
Read/Write |
Sub nodes |
|
Dms* |
Read/Write |
Sub nodes |
|
Forum |
Read/Write |
Sub nodes |
|
GoogleSitemaps |
Read/Write |
Sub nodes |
|
Imaging |
Read/Write |
Sub nodes |
|
Keystore |
Read/Write |
Sub nodes |
|
Marketing-tags |
Read/Write |
Sub nodes |
|
Messages |
Read/Write |
Sub nodes |
|
Personas |
Read/Write |
Sub nodes |
|
Profiles |
Read/Write |
Sub nodes |
|
Resources |
Read/Write |
Sub nodes |
|
Rss |
Read/Write |
Sub nodes |
|
Scripts |
Read/Write |
Sub nodes |
|
Segments |
Read/Write |
Sub nodes |
|
Stories |
Read/Write |
Sub nodes |
|
Tags |
Read/Write |
Sub nodes |
|
Tasks |
Read/Write |
Sub nodes |
|
Templates |
Read/Write |
Sub nodes |
|
Tours |
Read/Write |
Sub nodes |
|
Usergroups |
Read/Write |
Sub nodes |
|
Userroles |
Read/Write |
Sub nodes |
|
Users |
Read/Write |
Sub nodes |
|
Website |
Read/Write |
Sub nodes |
|
Workflow (DX Core) |
Read/Write |
Sub nodes |
|
Permission | Path |
---|---|
Get & Post |
|
Applies to | Name | Path |
---|---|---|
App |
Publishing |
|
Configuration |
|
|
Security |
|
|
Security |
|
|
Mail tools |
|
|
Dev tools |
|
|
Backup |
|
|
App launcher |
Dev group |
|
Tools group |
|
|
Tasks app |
Abort action |
|
Archive action |
|
travel-demo-base
role
The travel-demo-base
role is specific to the demo website.
The permissions are the same on both author and public instances.
Workspace | Permission | Scope | Path |
---|---|---|---|
Category |
Read only |
Selected and sub nodes |
|
Dam |
Read only |
Sub nodes |
|
Tours |
Read only |
Sub nodes |
|
Userroles |
Read only |
Selected |
|
travel-demo-admincentral
role
The travel-demo-admincentral
role is specific to the demo-project example websites.
The permissions are the same on both author and public instances.
Permission | Path |
---|---|
Get & Post |
|
travel-demo-editor
role
Workspace | Permission | Scope | Path |
---|---|---|---|
Category |
Read/Write |
Sub nodes |
|
Dam |
Read/Write |
Sub nodes |
|
Userroles |
Read only |
Selected |
|
Website |
Read/Write |
Sub nodes |
|
Applies to | App | Name | Path |
---|---|---|---|
App |
Assets |
|
|
Action |
Assets |
Publish |
|
Action |
Pages |
Publish |
|
travel-demo-publisher
role
Workspace | Permission | Scope | Path |
---|---|---|---|
Userroles |
Read only |
Selected |
|
Website |
Read/Write |
Sub nodes |
|
Applies to | App | Name | Path |
---|---|---|---|
App |
Assets |
|
|
Action |
Assets |
Publish |
|
Action |
Pages |
Publish |
|
travel-demo-tour-editor
role
Workspace | Permission | Scope | Path |
---|---|---|---|
Category |
Read only |
Selected and sub nodes |
|
Dam |
Read only |
Sub nodes |
|
Tours |
Read only |
Sub nodes |
|
Userroles |
Read only |
Selected |
|
editor
role
Installed by the workflow
module (DX Core). Allows editing of content.
Workspace | Permission | Scope | Path |
---|---|---|---|
Category |
Read/Write |
Sub nodes |
|
Contacts |
Read/Write |
Sub nodes |
|
Dam |
Read/Write |
Sub nodes |
|
Userroles |
Read only |
Selected |
|
Website |
Read/Write |
Sub nodes |
|
Applies to | App | Name | Path |
---|---|---|---|
Action |
Pages |
Activate |
|
publisher
role
Installed by the workflow
module (DX Core). Allows publishing of content.
Workspace | Permission | Scope | Path |
---|---|---|---|
Category |
Read only |
Sub nodes |
|
Contacts |
Read only |
Sub nodes |
|
Dam |
Read only |
Sub nodes |
|
Userroles |
Read only |
Selected |
|
Website |
Read only |
Sub nodes |
|
Workflow |
Read/Write |
Sub nodes |
|
Applies to | App | Name | Path |
---|---|---|---|
Action |
Pages |
Publish |
|
workflow-base
role
Base role allowing users to use the workflow
workspace (DX Core).
Workspace | Permission | Scope | Path |
---|---|---|---|
Workflow |
Read/Write |
Sub nodes |
|
Userroles |
Read only |
Selected |
|
contact-base
role
Workspace | Permission | Scope | Path |
---|---|---|---|
Contact |
Read only |
Sub nodes |
|
Userroles |
Read only |
Selected |
|
rest-admin
role
The superuser account has the rest-admin role by default so you can use superuser to test your requests.
However, for production use, you should create a custom REST role.
The anonymous role is specifically denied access to the REST endpoints.
|
Permission | Path |
---|---|
Get & Post |
|
Applies to | Name | Path |
---|---|---|
Commands |
Delete |
|
Publish |
|
rest-editor
role
Permission | Path |
---|---|
Deny |
|
Get |
|
Deny |
|
Deny |
|
Get & Post |
|
Deny |
|
Get & Post |
|
Get & Post |
|
rest-anonymous
role
If you’re a Magnolia PaaS customer, there are some differences with the rest-anonymous role.
This is highlighted below in a PaaS-specific section in the table.
|
Permission | Path |
---|---|
Deny |
|
Get |
|
PaaS only |
|
Get & Post |
|
Get & Post |
|
Get |
|
rest-backup
role
Permission | Path |
---|---|
Get & Post |
|
Applies to | Name | Path |
---|---|---|
Command |
Backup |
|
rss-aggregator-base
role
Workspace | Permission | Scope | Path |
---|---|---|---|
Rss |
Read-only |
Sub nodes |
|
Userroles |
Read only |
Selected |
|
scripter
role
Workspace | Permission | Scope | Path |
---|---|---|---|
Scripts |
Read/Write |
Sub nodes |
|
Userroles |
Read only |
Selected |
|
Permission | Path |
---|---|
Get & Post |
|
Applies to | App | Path |
---|---|---|
App |
Groovy |
|
templater-base
role
Workspace | Permission | Scope | Path |
---|---|---|---|
Config |
Read-only |
Selected and sub nodes |
|
Templates |
Read/Write |
Sub nodes |
|
Userroles |
Read only |
Selected |
|
Applies to | App | Path |
---|---|---|
App |
Templates |
|
Groups
Group permissions are the same on both author and public instances.
travel-demo-pur
group
The travel-demo-pur
group is used to organize the editors of the sample websites.
Assigned groups | Assigned roles |
---|---|
(none) |
|
|
|
|
|
|
|
|
|
|
travel-demo-editors
group
The travel-demo-editors
group is used to organize the editors of the sample websites.
Assigned groups | Assigned roles |
---|---|
(none) |
|
|
|
|
|
|
|
|
|
|
|
|
Users
eric
user
The user eric
is an example editor.
Assigned groups | Assigned roles |
---|---|
|
(none) |
eric-de
user
The user eric-de
is an example German editor.
Assigned groups | Assigned roles |
---|---|
|
(none) |
System users
anonymous
system user
The system user anonymous
represents a Web visitor.
The anonymous role has different permissions on the author and public instances.
|
Assigned groups | Assigned roles |
---|---|
(none) |
|
|
|
|
|
|
|
|
|
|
|
|