Roles, groups and users

The system of roles, groups, and users makes the role or group assignment process efficient so that, for example, onboarding new editors or publishers becomes a simple assignment to a group or role.

Because privileges are usually highly granular in a fully deployed authoring and publishing configuration, you can segment the editing experience further by app and workspace access, without creating custom roles.

This reduces the overall complexity, particularly for projects with external user management.

Managing roles, groups, and users

Use the Security app to manage the assignment of roles, groups, and users.

Default roles, groups, and users in DX Core webapp

Roles

Except for the anonymous, scripter and superuser roles, the system of roles follows a unified naming convention of the form <module>-<privilege> (for example pages-publisher, admincentral-editor).

| Role | Description |
| --- | --- |
| admincentral-developer | Allows users to read the config workspace. |
| admincentral-editor | Allows users to enter the Admincentral (permissions to the /.magnolia/admincentral* path). |
| anonymous | Base role for public, unauthenticated users. |
| asset-editor | Allows users to edit assets (stored in the dam workspace). |
| categorization-base | Base role allowing users to read categorization information. |
| category-editor | Allows users to edit content categories (stored in the category workspace). |
| dam-app-core-editor | Allows users to read content on the /dam-app-core-editor path. |
| dam-app-jcr-editor | Allows users to edit content in the dam workspace. |
| definitions-app-developer | Allows users to read the content on the /definitions-app-developer path. |
| diff-viewer | Allows users to access the web path .magnolia/versionDiff*. |
| editor | Allows editing content. |
| graphql-developer | Allows users to read the /graphql-developer path workspace content and to access the web paths /.graphiql and /.graphql. |
| imaging-base | Base role allowing users to read the imaging workspace. |
| imaging-editor | Allows users to access the /.imaging/* web path. |
| marketingTag-editor | Allows users to access and update content in the marketings-app workspace. |
| page-editor | Allows users to access and update content in the website workspace and the /page-editor path. |
| pages-app-editor | Allows users to access and update content in the website workspace and access the /page-app-editor path. |
| resources-base | Base role allowing users to use the resources workspace. |
| resources-editor | Allows web content retrieval from the /.resources/* path. |
| rest-admin | REST administrator role granting GET/POST permissions to all of Magnolia’s REST APIs. |
| rest-anonymous | REST anonymous consumer role granting GET permissions to Magnolia’s content delivery REST API. |
| rest-backup | Allows executing the backup command from a running Magnolia instance. |
| rest-editor | REST editor role. |
| scripter | Base role allowing users to use the scripts workspace. |
| security-base | Base role denying access to certain system pages. |
| stories-base | Base role allowing users to read stories. |
| story-editor | Allows users to read and create stories (in the stories workspace). |
| superuser | A user with unrestricted access to all content everywhere. |
| workflow-base | Base role allowing users to use the workflow. |
| workflow-editor | Allows users to edit content. |
| workflow-publisher | Allows users to publish content. |

Groups

The purpose of groups is to define settings for a group of users, as opposed to individual users. Users with similar privileges are assigned to appropriate groups. Permissions that apply to a group are inherited by its users.

In the Magnolia DX Core webapp, there are no pre-defined groups.

In magnolia-core, however, these three default groups (JCR primary type mgnl:group) are available:

  • developers

  • editors

  • publishers

Other modules can use these default groups for role assignments.

If you create a new user and give it the superuser role, it won’t receive task notifications by default. Notifications are sent only once the user is added to the publishing group.

Users

System users

| System user | Description | Assigned roles | Assigned groups |
| --- | --- | --- | --- |
| anonymous | Unauthenticated public users access the websites using this account. | anonymous, categorization-base, imaging-base, rest-anonymous | |
| superuser | User assigned unlimited access permissions. | rest-admin, superuser | |
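One way to check a deployment against the defaults listed above, as an added example that is not part of the Magnolia documentation: the script resolves each user's effective roles through group membership and reports system users that drift from the default role sets, plus other accounts that hold superuser or rest-admin. The input layout, the group and user names in the sample data, and the choice of which roles count as high-privilege are assumptions.

```python
# Default roles of the two system users, taken from the table above.
BASELINE = {
    "anonymous": {"anonymous", "categorization-base", "imaging-base", "rest-anonymous"},
    "superuser": {"rest-admin", "superuser"},
}
# Assumption: roles treated as high-privilege for this audit.
HIGH_PRIVILEGE = {"superuser", "rest-admin"}

# Constructed sample data; the dict layout is hypothetical, not a Magnolia export format.
SAMPLE_GROUPS = {
    "content-team": ["editor", "workflow-editor"],
    "integrations": ["rest-admin"],
}
SAMPLE_USERS = {
    "anonymous": {
        "roles": ["anonymous", "categorization-base", "imaging-base", "rest-anonymous"],
        "groups": ["content-team"],  # drift: a group adds editing roles
    },
    "superuser": {"roles": ["rest-admin", "superuser"], "groups": []},
    "jdoe": {"roles": ["page-editor"], "groups": ["integrations"]},
}


def effective_roles(user, groups):
    """Direct roles plus the roles inherited from each assigned group."""
    roles = set(user.get("roles", []))
    for group in user.get("groups", []):
        roles |= set(groups.get(group, []))
    return roles


def audit(users, groups):
    """Return (user, finding, role) tuples, ordered by user name."""
    findings = []
    for name in sorted(users):
        roles = effective_roles(users[name], groups)
        if name in BASELINE:
            findings += [(name, "extra-role", r) for r in sorted(roles - BASELINE[name])]
            findings += [(name, "missing-role", r) for r in sorted(BASELINE[name] - roles)]
        else:
            findings += [(name, "high-privilege", r) for r in sorted(roles & HIGH_PRIVILEGE)]
    return findings


if __name__ == "__main__":
    for user, finding, role in audit(SAMPLE_USERS, SAMPLE_GROUPS):
        print(f"{user}: {finding}: {role}")
```

Because group permissions are inherited by users, the check runs on effective roles; comparing only directly assigned roles would miss both findings that come from group membership in the sample.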
