
Roles

Introduction

Roles provide access to application-specific functionality via so-called Role Based Access Control (RBAC).

Custom roles

Roles can be seen and managed from the Users admin app.

A role consists of:

  • Display Name

  • name (unique identifier)

  • Description (optional)

When editing a role via the Users app, you can instantly grant the role to users or groups as well.

Creating a role in the Users app

Only users with the Administrator or Users Administrator role may create or edit roles.

You are free to manually define custom roles, i.e. by giving them select permissions. In general, however, it is recommended that roles are created and managed by applications. The applications then typically also implement the related functionality that the role gives access to.

Unlike groups, a role may not be assigned other roles. It is designed to provide specific access, and nothing else.

Permissions

Just like users and groups, a role may be given explicit permissions to content in the CMS via Content Studio.

System roles

Enonic XP ships with several built-in roles, each of which provides specific access and privileges in the system.

List of system roles

system.admin: Users with this role have full access to all content and admin tools through the user interface.

system.admin.login: Users with this role can log in to the administration console. These users will also require a role for each of the admin tools that the users need access to.

system.user.admin: Grants full access to the Users admin tool, including create/edit/delete for ID providers, users, roles, and groups.

system.user.app: Provides read-only access to the Users admin tool.

system.schema.admin: Grants permissions to read/write schemas.

Dynamic roles

The system also includes two special roles which cannot be directly assigned to a user or group, but are conditionally assigned to users automatically.

system.authenticated: All users that are authenticated get this role, regardless of ID provider.

system.everyone: All users, both authenticated and non-authenticated (the Anonymous user), are assigned this role.

The role is typically used to grant read access to public content, thus making it available to, well, everyone.
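The rules in the two lists above can be modelled to audit who effectively holds access to the Users admin tool, including access inherited through groups. This is an added example, not Enonic XP code: the directory data and function names are constructed, group nesting is assumed for the sample data, and treating system.admin as sufficient on its own is this example's reading of the list above.

```javascript
// Added example: a model of the role rules on this page, not Enonic XP code.
// Principal keys and the directory below are constructed sample data.
const DIRECTORY = {
  'user:system:alice': { memberOf: ['group:system:editors'] },
  'user:system:bob': { memberOf: ['role:system.admin.login', 'role:system.user.app'] },
  'user:system:carol': { memberOf: ['role:system.user.admin'] }, // no admin login role
  'group:system:editors': { memberOf: ['group:system:staff'] },
  'group:system:staff': { memberOf: ['role:system.admin.login', 'role:system.user.admin'] },
};

const DYNAMIC = ['role:system.everyone', 'role:system.authenticated'];

// Roles a principal holds directly or through (nested) groups, plus dynamic roles.
function effectiveRoles(key, authenticated = true) {
  const roles = new Set(['role:system.everyone']);
  if (authenticated) roles.add('role:system.authenticated');
  const seen = new Set();
  const stack = [key];
  while (stack.length) {
    const current = stack.pop();
    if (seen.has(current)) continue; // guards against group membership cycles
    seen.add(current);
    for (const parent of (DIRECTORY[current] || {}).memberOf || []) {
      if (DYNAMIC.includes(parent)) {
        throw new Error(`${parent} cannot be assigned directly (${current})`);
      }
      if (parent.startsWith('role:')) roles.add(parent); // roles never nest: stop here
      else stack.push(parent);
    }
  }
  return [...roles].sort();
}

// Access level to the Users admin tool: 'full', 'read-only' or 'none'.
function usersToolAccess(key) {
  const roles = new Set(effectiveRoles(key));
  if (roles.has('role:system.admin')) return 'full';
  if (!roles.has('role:system.admin.login')) return 'none';
  if (roles.has('role:system.user.admin')) return 'full';
  if (roles.has('role:system.user.app')) return 'read-only';
  return 'none';
}

// Audit: every user whose effective roles give full access to the Users tool.
function usersToolAdmins() {
  return Object.keys(DIRECTORY)
    .filter((k) => k.startsWith('user:') && usersToolAccess(k) === 'full')
    .sort();
}
```

In the sample data, alice has no role assigned directly but reaches full access through two levels of group membership, which is the case a review of direct role assignments alone would miss.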

CMS Roles

cms.admin: Allows full access to Content Studio, including ability to create and delete content projects.

cms.expert: Grants the ability to view and modify source code in the rich text editor.

cms.cm.app: NOTE: This role is deprecated. It gives users access to the legacy default project in Content Studio. Users with this role can see content and sites, but cannot create new sites or any new content in the project.

XP 7.11.0: When using Content Projects, each project automatically creates a set of project roles in addition to the built-in roles listed above.

These roles are prefixed with cms.projectname. and are as such unique to each individual project.

