Default permissions

These are default permissions in Magnolia. You can manage them in the Security app. The default permissions are just an example how to grant permissions in a typical website. You should adapt the permissions to match your own organization. App permissions are configured in the app launcher configuration.

Roles

anonymous role - author instance

The anonymous role defines the permissions of public, unauthenticated users. Permissions are different on the author and public instances.

Table 1. Access control lists
Workspace Permission Path

DAM

Read only

/*

Website

Deny access

/*

Resources

Read only

/*

Category

Read only

/

/*

Marketing-tags

Read only

/

/*

Table 2. Web access
Permission Path

Deny

*

Deny

/.magnolia*

anonymous role - public instance

Table 3. Access control lists
Workspace Permission Path

Category

Read only

/

/*

Dam

Read only

/

/*

GoogleSitemaps

Read only

/

/*

Marketing-tags

Read only

/

/*

Resources

Read only

/*

Website

Read only

/*

Table 4. Web access
Permission Path

Get & Post

*

Deny

/.magnolia

Deny

/.magnolia/*

Deny

/travel/members/protected*

Deny

/travel/members/profile-update*

Deny

<travel>/members/protected*

Deny

<travel>/members/profile-update*

superuser role

The superuser role provides full access to the system. The permissions are the same on both author and public instances.

Table 5. Access control lists
Workspace Permission Path

AdvancedCache

Read/Write

/*

Category

Read/Write

/*

Config

Read/Write

/*

Contacts

Read/Write

/*

Dam

Read/Write

/*

Dms*

Read/Write

/*

Forum

Read/Write

/*

GoogleSitemaps

Read/Write

/*

Imaging

Read/Write

/*

Keystore

Read/Write

/*

Marketing-tags

Read/Write

/*

Messages

Read/Write

/*

Personas

Read/Write

/*

Profiles

Read/Write

/*

Resources

Read/Write

/*

Rss

Read/Write

/*

Scripts

Read/Write

/*

Segments

Read/Write

/*

Stories

Read/Write

/*

Tags

Read/Write

/*

Tasks

Read/Write

/*

Templates

Read/Write

/*

Tours

Read/Write

/*

Usergroups

Read/Write

/*

Userroles

Read/Write

/*

Users

Read/Write

/*

Website

Read/Write

/*

Workflow (DX Core)

Read/Write

/*

Table 6. Web access
Permission Path

Get & Post

*

Table 7. Configured access
Applies to Name Path

App

Publishing

/modules/activation/apps/activation/permissions/roles

Configuration

/modules/ui-admincentral/apps/configuration/permissions/roles

Security

/modules/security-app/apps/security/permissions/roles

Security

/modules/security-app/dialogs/role/form/tabs/role/fields/jcrName

Mail tools

/modules/mail/apps/mail/permissions/roles

Dev tools

/modules/tools/apps/tools/permissions/roles

Backup

/modules/backup/apps/backup/permissions/roles

App launcher

Dev group

/modules/ui-admincentral/config/appLauncherLayout/groups/dev/permissions/roles

Tools group

/modules/ui-admincentral/config/appLauncherLayout/groups/tools/permissions/roles

Tasks app

Abort action

/modules/workflow/messageViews/publish/actions/abort/availability/access/roles

Archive action

/modules/workflow/messageViews/publish/actions/archive/availability/access/roles

travel-demo-base role

The travel-demo-base role is specific to the demo website. The permissions are the same on both author and public instances.

Table 8. Access control lists
Workspace Permission Path

Category

Read only

/tour-types

/tour-types/

/destinations

/destinations/

Dam

Read only

/*

Tours

Read only

/*

Stories

Deny

/

/*

Userroles

Read only

/travel-demo-base

travel-demo-admincentral role

The travel-demo-admincentral role is specific to the demo-project example websites. The permissions are the same on both author and public instances.

Table 9. Web access
Permission Path

Get & Post

*

travel-demo-editor role

Table 10. Access control lists
Workspace Permission Path

Category

Read/Write

/*

Dam

Read/Write

/*

Userroles

Read only

/travel-demo-editor

Website

Read/Write

/*

Stories

Read/Write

/

/*

Table 11. Configured access
Applies to App Name Path

App

Assets

/modules/dam-app/apps/assets/permissions/roles

Action

Assets

Publish

/modules/dam-app/apps/assets/subApps/browser/actions/activate/availability/access/roles

Action

Pages

Publish

/modules/pages/apps/pages/subApps/browser/actions/activate/availability/access/roles

travel-demo-publisher role

Table 12. Access control lists
Workspace Permission Path

Userroles

Read only

/travel-demo-publisher

Website

Read/Write

/*

Stories

Read/Write

/

/*

Table 13. Configured access
Applies to App Name Path

App

Assets

/modules/dam-app/apps/assets/permissions/roles

Action

Assets

Publish

/modules/dam-app/apps/assets/subApps/browser/actions/activate/availability/access/roles

Action

Pages

Publish

/modules/pages/apps/pages/subApps/browser/actions/activate/availability/access/roles

travel-demo-tour-editor role

Table 14. Access control lists
Workspace Permission Path

Category

Read/Write

/tour-types

/tour-types/

/destinations

/destinations/

Dam

Read/Write

/*

Tours

Read/Write

/*

Userroles

Read only

/travel-demo-tour-editor

editor role

Installed by the workflow module (DX Core). Allows editing of content.

Table 15. Access control lists
Workspace Permission Path

Category

Read/Write

/*

Contacts

Read/Write

/*

Dam

Read/Write

/*

Userroles

Read only

/editor

Website

Read/Write

/*

Table 16. Configured access
Applies to App Name Path

Action

Pages

Activate

/modules/pages/apps/pages/subApps/browser/actions/activate/availability/access/roles

publisher role

Installed by the workflow module (DX Core). Allows publishing of content.

Table 17. Access control lists
Workspace Permission Path

Category

Read only

/*

Contacts

Read only

/*

Dam

Read only

/*

Userroles

Read only

/publisher

Website

Read only

/*

Workflow

Read/Write

/*

Table 18. Configured access
Applies to App Name Path

Action

Pages

Publish

/modules/pages/apps/pages/subApps/browser/actions/activate/availability/access/roles

workflow-base role

Base role allowing users to use the workflow workspace (DX Core).

Table 19. Access control lists
Workspace Permission Path

Workflow

Read/Write

/*

Userroles

Read only

/workflow-base

contact-base role

Table 20. Access control lists
Workspace Permission Path

Contact

Read only

/*

Userroles

Read only

/contact-base

imaging-base role

Table 21. Access control lists
Workspace Permission Path Imaging

Read only

/*

Userroles

Read only

resources-base role

Table 22. Access control lists
Workspace Permission Path

Config

Read only

/modules/resources

/modules/resources/*

Resources

Read/Write

/*

Userroles

Read only

/resources-base

rest-admin role

The superuser account has the rest-admin role by default so you can use superuser to test your requests. However, for production use, you should create a custom REST role. The anonymous role is specifically denied access to the REST endpoints.
Table 23. Web access
Permission Path

Get & Post

/.rest/*

Table 24. Configured access
Applies to Name Path

Commands

Delete

/modules/rest-services/rest-endpoints/commands/enabledCommands/markAsDeleted/access/roles

Publish

/modules/rest-services/rest-endpoints/commands/enabledCommands/activate/access/roles

rest-editor role

Table 25. Web access
Permission Path

Deny

/.rest*

Get

/.rest/delivery/*

Deny

/.rest/commands*

Deny

/.rest/nodes*

Get & Post

/.rest/nodes/v1/website*

Deny

/.rest/properties*

Get & Post

/.rest/properties/v1/website*

Get & Post

/.rest/cache/v1*

rest-anonymous role

If you’re a PaaS customer, there are some differences with the rest-anonymous role. This is highlighted below in a PaaS-specific section in the table.
Table 26. Web access
Permission Path

Deny

/.rest*

Get

/.rest/delivery/*

PaaS only

Get & Post

/.rest/configuration/*

Get & Post

/.rest/cloud/*

Get

/.rest/status

rest-backup role

Table 27. Web access
Permission Path

Get & Post

/.rest/commands/v2/backup/backup

Table 28. Configured access
Applies to Name Path

Command

Backup

/modules/rest-services/rest-endpoints/commands/enabledCommands/backup/access/roles

rss-aggregator-base role

Table 29. Access control lists
Workspace Permission Path

Data

Read-only

/rss-aggregator

/rss-aggregator/*

Rss

Read-only

/*

Userroles

Read only

/rss-aggregator-base

scripter role

Table 30. Access control lists
Workspace Permission Path

Scripts

Read/Write

/*

Userroles

Read only

/scripter

Table 31. Web access
Permission Path

Get & Post

*

Table 32. Configured access
Applies to App Path

App

Groovy

/modules/groovy/apps/groovy/permissions/roles

security-base role

Table 33. Web access
Permission Path

Deny

/.magnolia/log4j

Deny

/.rest*

Groups

Group permissions are the same on both author and public instances.

editors group

Assigned groups Assigned roles

(none)

editor

workflow-base

publishers group

Assigned groups Assigned roles

(none)

publisher

workflow-base

travel-demo-pur group

The travel-demo-pur group is used to organize the editors of the sample websites.

Assigned groups Assigned roles

(none)

categorization-base

contact-base

forum-pagecomments-user

imaging-base

travel-demo-base

travel-demo-pur

travel-demo-editors group

The travel-demo-editors group is used to organize the editors of the sample websites.

Assigned groups Assigned roles

(none)

travel-demo-admincentral

travel-demo-editor

travel-demo-tour-editor

imaging-base

security-base

resources-base

workflow-base

travel-demo-publishers group

The travel-demo-publishers group is used to organize the publishers of the sample websites.

Assigned groups Assigned roles

(none)

travel-demo-admincentral

travel-demo-publisher

travel-demo-tour-editor

security-base

workflow-base

travel-demo-tour-editors group

The travel-demo-tour-editors group is used to organize editors in the tour apps of the sample websites.

Assigned groups Assigned roles

(none)

travel-demo-admincentral

travel-demo-base

travel-demo-tour-editor

security-base

workflow-base

Users

eric user

The user eric is an example editor.

Assigned groups Assigned roles

travel-demo-editors

(none)

eric-de user

The user eric-de is an example German editor.

Assigned groups Assigned roles

travel-demo-editors

(none)

peter user

The user peter is an example publisher.

Assigned groups Assigned roles

travel-demo-publisher

(none)

tina user

The user tina is an example tour editor.

Assigned groups Assigned roles

travel-demo-tour-editors

(none)

System users

anonymous system user

The system user anonymous represents a Web visitor.

The anonymous role has different permissions on the author and public instances.
Assigned groups Assigned roles

(none)

anonymous

categorization-base

contact-base

forum-pagecomments-user

imaging-base

rest-anonymous

travel-demo-base

superuser system user

The system user superuser represents an administrator who has full access to the system.

Assigned groups Assigned roles

publishers (DX Core)

superuser

rest-admin

forum_ALL_admin

Feedback

DX Core

×

Location

This widget lets you know where you are on the docs site.

You are currently perusing through the DX Core docs.

Main doc sections

DX Core Headless PaaS Legacy Cloud Incubator modules