Boltcms User Management: Roles and Permissions | OpsBlu Docs

Boltcms User Management: Roles and Permissions

Manage user roles, permissions, and team access in Bolt CMS — step-by-step admin guide.

This section covers user management, roles, and permissions for Bolt CMS and associated analytics tools. Bolt CMS is a modern, open-source content management system built on PHP and Symfony, designed for ease of use and flexibility.

Overview

Bolt CMS provides robust user management capabilities suitable for small to medium-sized teams. The platform offers a sophisticated role-based permission system that allows fine-grained control over content, configuration, and administrative functions.

User management in Bolt CMS features:

  • Database-driven user storage with secure authentication
  • Flexible role system with customizable permissions
  • Per-content-type permissions for granular access control
  • User profiles with custom fields
  • Built-in security with password hashing and session management
  • API token support for programmatic access

Bolt CMS strikes a balance between simplicity and power, making it ideal for projects requiring more than basic blogging but less than enterprise-level complexity.

Platform User Management

Accessing User Management

To access user management in Bolt CMS:

  1. Log in to the Bolt admin panel at /bolt
  2. Navigate to Configuration in the main menu
  3. Select Users & Permissions or Users
  4. View and manage existing users and roles

Only users with appropriate administrative permissions can access user management features.

Bolt CMS User Roles

Bolt CMS provides a flexible role system with default roles that can be customized:

Administrator (Root)

Bolt administrators have complete system access:

  • Full access to all configuration files
  • Can manage all users and permissions
  • Can create, edit, and delete all content types
  • Install and configure extensions
  • Access to file management and media
  • Modify theme files and templates
  • View system logs and debug information
  • Database management capabilities

When to use: Assign to site owners and lead developers only. Limit to 1-2 users.

Chief Editor

Chief editors have broad content and user management permissions:

  • Can manage all content across all content types
  • Can create and manage editor and author users
  • Cannot modify system configuration
  • Cannot install extensions or modify code
  • Full access to media library
  • Can manage menus and navigation
  • Access to basic analytics and reports

When to use: Assign to content team leaders who oversee editorial operations.

Editor

Editors focus on content quality and management:

  • Can create, edit, publish, and delete content
  • Access to all content types (configurable)
  • Can upload and manage media files
  • Can edit content from other users
  • Cannot manage users or change settings
  • Limited to content-related functions
  • Can manage taxonomies (tags, categories)

When to use: Assign to content managers who work across the entire site.

Author

Authors have permissions limited to their own content:

  • Can create and edit their own content
  • Can save drafts and submit for review
  • Can publish own content (if configured)
  • Cannot edit others' content
  • Can upload media files
  • Cannot delete published content
  • Cannot access settings or configuration

When to use: Assign to content contributors who create their own articles or pages.

Developer

For technical team members:

  • Access to template files and code
  • Can modify theme and extension files
  • Access to developer tools and debugging
  • Cannot manage users by default
  • Cannot modify critical system settings
  • Focus on technical implementation

When to use: Assign to front-end developers and integrators.

Customizing Roles and Permissions

Bolt CMS allows detailed permission customization through configuration files:

Editing permissions.yml

Permissions are defined in /config/bolt/permissions.yml:

roles:
    custom_role:
        label: 'Custom Role'
        permissions: [contenttype:pages:edit, contenttype:pages:create]

Available Permissions

Key permission types include:

  • contenttype:*: Content-type-specific permissions
  • files:*: File and media management
  • users:*: User management capabilities
  • extensions:*: Extension management
  • configuration:*: System configuration access
  • maintenance:*: System maintenance tasks

Per-Content-Type Permissions

Define granular access to specific content types:

  • view: Can see content in the backend
  • edit: Can modify existing content
  • create: Can create new content
  • delete: Can remove content
  • publish: Can publish/unpublish content
  • depublish: Can take content offline
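As an added illustration (not part of the original guide and not Bolt's own code), the Python below audits a roles table in the layout shown above: it resolves wildcard grants such as contenttype:* against a requested permission and flags non-root roles that hold configuration, users, extensions or maintenance permissions. The ROLES dict, the editor role's mistaken configuration:* grant and the segment-wise wildcard semantics are this example's assumptions; a real installation would load permissions.yml with a YAML parser first.

```python
# Constructed roles table: the parsed form of a permissions.yml in the
# layout this guide shows (roles -> label + permissions list). In practice
# load the real file with yaml.safe_load(); the permission strings follow
# the page's <family>:<target>:<action> pattern, with '*' as a wildcard.
ROLES = {
    "root": {"label": "Administrator", "permissions": ["*"]},
    "editor": {
        "label": "Editor",
        # configuration:* is a deliberate mistake for audit() to catch:
        # the guide says editors cannot change settings.
        "permissions": ["contenttype:*", "files:*", "configuration:*"],
    },
    "author": {
        "label": "Author",
        "permissions": ["contenttype:pages:create", "contenttype:pages:edit"],
    },
}

# Permission families that reach beyond content; keep them with root.
SENSITIVE = ("users", "extensions", "configuration", "maintenance")


def matches(granted, requested):
    """True if a granted pattern covers a requested permission. Matching is
    per colon-separated segment: 'contenttype:*' covers 'contenttype:pages:delete'
    but 'contenttype:pages:*' does not cover 'contenttype:entries:edit'."""
    g, r = granted.split(":"), requested.split(":")
    if g[-1] == "*":
        g = g[:-1]                 # drop the wildcard, compare the prefix
        return r[:len(g)] == g
    return g == r


def has_permission(role, requested, roles=ROLES):
    """Does the role hold the requested permission under any of its grants?"""
    return any(matches(p, requested) for p in roles[role]["permissions"])


def audit(roles=ROLES, root_role="root"):
    """List least-privilege findings: non-root roles with a bare '*' grant
    or with grants in the SENSITIVE families."""
    findings = []
    for name, spec in roles.items():
        if name == root_role:
            continue
        for perm in spec["permissions"]:
            if perm == "*":
                findings.append(f"{name}: unrestricted '*' grant")
            elif perm.split(":")[0] in SENSITIVE:
                findings.append(f"{name}: grants {perm} (reserve for {root_role})")
    return findings
```

Run audit() after every edit to permissions.yml and before clearing the application cache; an empty list means no non-root role has strayed outside content and file permissions.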

Adding and Inviting Users

Creating a New User

To add a user in Bolt CMS:

  1. Navigate to Configuration > Users
  2. Click Add a new user or +
  3. Enter user details:
    • Username: Unique login identifier
    • Display name: Public-facing name
    • Email: User's email address
    • Password: Secure initial password
  4. Select Role from dropdown
  5. Optionally set:
    • Locale/language preference
    • Enabled/disabled status
  6. Click Save

Users can log in immediately with the provided credentials.

User Profile Management

User profiles can include:

  • Display name and avatar
  • Email address and contact information
  • Biography or description
  • Language/locale preferences
  • Custom fields (configurable)
  • Last login information
  • Created date and user history

Password Management

Administrators can reset passwords:

  1. Navigate to user edit screen
  2. Enter new password
  3. Optionally require password change on next login
  4. Save changes

Users can change their own passwords:

  1. Click profile icon in top right
  2. Select Profile or My Account
  3. Enter current and new passwords
  4. Save changes

Removing Users

To delete a user:

  1. Navigate to Configuration > Users
  2. Click on user to delete
  3. Scroll to bottom and click Delete User
  4. Confirm deletion

Content created by deleted users remains but may need author reassignment.

API Access and Authentication

API Tokens

Bolt CMS supports API authentication via tokens:

  1. Navigate to user settings
  2. Generate an API token
  3. Use token in API requests:
    Authorization: Bearer YOUR_TOKEN
  4. Set token expiration and permissions
  5. Revoke tokens when no longer needed

API Permissions

Control what API users can access:

  • Read-only access for content delivery
  • Write permissions for content creation
  • Admin access for user management
  • Custom scopes for specific endpoints

API tokens should have minimal required permissions and be rotated regularly.

Security Best Practices

Access Control

  1. Use Appropriate Roles: Assign the least privileged role necessary
  2. Limit Root Users: Only 1-2 administrators maximum
  3. Regular Audits: Review user list quarterly
  4. Remove Inactive Users: Disable or delete unused accounts
  5. Document Permissions: Keep records of who has access

Authentication Security

  1. Strong Password Policy: Enforce minimum 12 characters
  2. Two-Factor Authentication: Enable via extensions if available
  3. Session Management: Configure appropriate timeout values
  4. Secure Connections: Always use HTTPS for admin panel
  5. Login Monitoring: Review failed login attempts

Configuration Security

  1. Protect Config Files: Restrict file system access to configuration
  2. Environment Variables: Use for sensitive credentials
  3. Disable Debug Mode: Never run debug in production
  4. Regular Updates: Keep Bolt CMS and extensions updated
  5. Backup Regularly: Include database and configuration files

Common Issues and Solutions

Issue: Cannot Log In

Solution:

  • Verify username and password are correct
  • Check if user account is enabled
  • Ensure database connection is working
  • Clear browser cache and cookies
  • Check server error logs for authentication issues

Issue: Insufficient Permissions

Solution:

  • Verify user has correct role assigned
  • Check permissions.yml for role configuration
  • Clear application cache after permission changes
  • Ensure content type permissions are set correctly
  • Verify no conflicting permission rules

Issue: Lost Administrator Access

Solution:

  • Use Bolt CLI to create new admin user
  • Access database directly to modify user role
  • Run bin/console bolt:setup to create emergency admin
  • Check Bolt documentation for account recovery procedures

Issue: Cannot Upload Files

Solution:

  • Verify user has file upload permissions
  • Check file size limits in configuration
  • Ensure upload directory has write permissions
  • Verify allowed file types in configuration
  • Check PHP upload_max_filesize setting

Issue: API Token Not Working

Solution:

  • Verify token hasn't expired
  • Check token has appropriate scopes/permissions
  • Ensure correct header format in API requests
  • Verify API is enabled in configuration
  • Check for CORS issues if accessing from browser
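As an added example serving both the API Tokens section and the API Token Not Working checklist above (illustrative code, not Bolt's own token implementation), the Python below validates a Bearer header against a constructed token store, reports which of the listed failure conditions applies, and lists live tokens that are close to expiry so they can be rotated before clients break. The token strings, scope names, store layout and fixed clock are assumptions of this example.

```python
from datetime import datetime, timedelta, timezone

# Fixed clock so the demo is deterministic; a real check uses datetime.now(timezone.utc).
NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)

# Constructed token store standing in for the tokens a user generates under
# user settings, each with the expiry and scopes the guide says to set plus a
# revocation flag. Token strings, scope names and field names are made up.
TOKENS = {
    "tok_feed": {"user": "feed-bot", "scopes": {"content:read"},
                 "expires": NOW + timedelta(days=30), "revoked": False},
    "tok_report": {"user": "reports", "scopes": {"content:read"},
                   "expires": NOW + timedelta(days=3), "revoked": False},
    "tok_ci": {"user": "ci", "scopes": {"content:read", "content:write"},
               "expires": NOW - timedelta(days=1), "revoked": False},
    "tok_old": {"user": "ci", "scopes": {"content:write"},
                "expires": NOW + timedelta(days=30), "revoked": True},
}


def authorize(headers, required_scope, now=NOW, tokens=TOKENS):
    """Return (allowed, reason), checking the conditions from the
    troubleshooting list in order: header format, token known, revoked,
    expired, scope. Reasons are for server-side logs; answer the client
    with a generic 401/403 so it cannot probe which check failed."""
    scheme, _, token = headers.get("Authorization", "").partition(" ")
    if scheme.lower() != "bearer" or not token.strip():
        return False, "malformed header, expected 'Authorization: Bearer <token>'"
    record = tokens.get(token.strip())
    if record is None:
        return False, "unknown token"
    if record["revoked"]:
        return False, "token revoked"
    if now >= record["expires"]:
        return False, "token expired"
    if required_scope not in record["scopes"]:
        return False, f"token lacks scope {required_scope}"
    return True, f"ok for user {record['user']}"


def rotation_candidates(now=NOW, tokens=TOKENS, window=timedelta(days=7)):
    """Tokens that are still live but expire within the window: the ones an
    operator should reissue (rotate) before clients start failing."""
    return sorted(
        name for name, rec in tokens.items()
        if not rec["revoked"] and now < rec["expires"] <= now + window
    )
```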

Multi-Site Management

For Bolt installations managing multiple sites:

Per-Site Users

  • Create separate user databases per site
  • Use different configuration per site
  • Implement site-specific roles
  • Consider shared authentication if needed

Centralized User Management

  • Use shared user database across sites
  • Implement per-site permission schemes
  • Use groups or custom fields to denote site access
  • Consider SSO for unified authentication

Extension Ecosystem

Enhance Bolt user management with extensions:

  • Two-Factor Authentication: Add 2FA to login
  • LDAP/Active Directory: Enterprise authentication
  • User Activity Log: Track user actions
  • Custom User Fields: Extended profile information
  • SSO Integration: Connect to external auth providers

Installing Extensions

  1. Navigate to Extend in admin panel
  2. Search for desired extension
  3. Click Install
  4. Configure extension settings
  5. Activate for use

Analytics Tool Access

Google Analytics 4

Manage GA4 access in Admin > Account/Property Access Management:

  • Administrator: Full control over account settings and users
  • Editor: Can modify configurations and settings
  • Analyst: Can create reports and audiences, no configuration changes
  • Viewer: Read-only access to reports and data

Integrate GA4 in Bolt via:

  • Configuration file settings
  • Theme template modifications
  • Extension installation

Google Tag Manager

Manage GTM access in Admin > User Management:

  • Administrator: Full control over container and users
  • Publish: Can publish container changes to production
  • Approve: Can approve changes but not publish
  • Edit: Can edit tags and triggers but cannot approve or publish
  • Read: View-only access to container configuration

Implement GTM by:

  • Adding container code to base template
  • Using GTM extension if available
  • Modifying theme files (requires developer access)

Meta Business Manager

Manage access in Business Settings > People:

  • Admin: Full control over business settings and assets
  • Employee: Limited access based on assigned assets and permissions

Best Practices

  1. Customize Roles: Modify default roles to match your organization's needs
  2. Use Content-Type Permissions: Implement granular access per content type
  3. Regular Permission Reviews: Audit user access quarterly
  4. Enforce Strong Passwords: Implement password complexity requirements
  5. Enable HTTPS: Always use SSL/TLS for admin access
  6. Monitor User Activity: Review logs for suspicious behavior
  7. Backup User Database: Include user data in regular backups
  8. Document Custom Permissions: Keep records of permission modifications
  9. Test Role Changes: Verify permission changes in development first
  10. Use API Tokens Wisely: Grant minimal permissions and rotate regularly

Additional Resources