Roles, groups and users

The system of roles, groups, and users makes the role or group assignment process efficient so that, for example, onboarding new editors or publishers becomes a simple assignment to a group or role.

With privileges being usually highly granular in a fully deployed authoring and publishing configuration, it’s possible to segment the editing experience further by app and workspace access, and without custom roles.

This reduces the overall complexity, particularly for projects with external user management.

Managing roles, groups, and users

Use the Security app to manage the assignment of roles, groups, and users.

Default roles, groups, and users in DX Core webapp

Roles

Except the anonymous, scripter and superuser roles, system of roles follows a unified role naming convention of type <module>-<privilege> (for example pages-publisher, admincentral-editor).

Click an individual role to see full details about its permissions.
Role Description

admincentral-developer

Allows users to read the config workspace.

admincentral-editor

Allows users to enter the Admincentral (permissions to the /.magnolia/admincentral* path).

anonymous

Base role for public, unauthenticated users.

asset-editor

Allows users to edit assets (stored in the dam workspace).

categorization-base

Base role allowing users to read categorization information.

category-editor

Allows users to edit content categories (stored in the category workspace).

dam-app-core-editor

Allows users to read content on the /dam-app-core-editor path.

dam-app-jcr-editor

Allows users to edit content in the dam workspace.

definitions-app-developer

Allows users to read the content on the /definitions-app-developer path.

diff-viewer

Allows users to access the web path .magnolia/versionDiff*.

editor

Allows editing content.

graphql-developer

Allows users to read the /graphql-developer path workspace content and to access the web paths /.graphiql and /.graphql.

imaging-base

Base role allowing users to read the imaging workspace.

imaging-editor

Allow users to access the /.imaging/* web path.

marketingTag-editor

Allow users to access update content in the marketings-app workspace.

page-editor

Allows users to access and update content in the website workspace and the /page-editor path.

pages-app-editor

Allows users to access and update content in the website workspace and access the /page-app-editor path.

resources-base

Base role allowing users to use the resources workspace.

resources-editor

Allows web content retrieval from the /.resources/* path.

rest-admin

REST administrator role granting GET/POST permissions to all Magnolia’s REST APIs.

rest-anonymous

REST Anonymous Consumer granting GET permissions to Magnolia’s content delivery REST API.

rest-backup

Allows executing backup command from a running magnolia instance.

rest-editor

REST editor role.

scripter

Base role allowing users to use scripts workspace.

security-base

Base role denying to certain system pages.

stories-base

Base role allowing users to read stories.

story-editor

Allows users to read and create stories (in the stories workspace).

superuser

A user with unrestricted access to all content everywhere.

workflow-base

Base role allowing users to use the workflow.

workflow-editor

Allows users to edit content.

workflow-publisher

Allows users to publish content.

Groups

The purpose of groups is to define settings for a group of users, as opposed to individual users. Users with similar privileges are assigned to appropriate groups. Permissions that apply to a group are inherited by its users.

In the Magnolia DX Core webapp, there are no pre-defined groups.

In magnolia-core, however, these three default groups (JCR primary type mgnl:group) are available:

  • developers

  • editors

  • publishers

See default permissions for these groups

Role Developers Editors Publishers

admincentral-editor

admincentral-developer

asset-editor

category-editor

dam-app-core-editor

dam-app-jcr-editor

definitions-app-developer

diff-viewer

graphql-developer

imaging-editor

marketingTag-editor

page-editor

pages-app-editor

resources-editor

sso-redirect-uri-authorizer

stories-app-editor

story-editor

tour-editor

tourCategory-editor

userranking-editor

workflow-editor

workflow-publisher

Other modules can use these default groups for role assignments.

If you create a new user and give it the superuser role, it won’t get task notifications by default. They are only sent when the user is added to the publishing group.

Users

System users

System user Description Assigned roles Assigned groups

anonymous

Unauthenticated public users access the websites using this account.

  • anonymous

  • categorization-base

  • imaging-base

  • rest-anonymous

superuser

User assigned unlimited access permissions.

  • rest-admin

  • superuser
Feedback

DX Core

×

Location

This widget lets you know where you are on the docs site.

You are currently perusing through the DX Core docs.

Main doc sections

DX Core Headless PaaS Legacy Cloud Incubator modules