Ezplatform User Management: Roles and Permissions | OpsBlu Docs

Ezplatform User Management: Roles and Permissions


This section covers user management, roles, and permissions for eZ Platform (now Ibexa DXP) and associated analytics tools.

Overview

eZ Platform (rebranded as Ibexa DXP in 2020) is an enterprise-grade, open-source Digital Experience Platform built on Symfony. It features a sophisticated role-based access control (RBAC) system that provides exceptional flexibility and granularity for managing user permissions across complex organizational structures.

The platform's permission system operates on a policy-based model where users are assigned to roles, and roles contain policies that define specific permissions for modules, functions, and even individual content items based on sections, object states, or content types. This level of control makes eZ Platform/Ibexa DXP suitable for large-scale enterprise deployments with complex access requirements.

Understanding this powerful but intricate permission system is essential for maintaining security and ensuring users have appropriate access to perform their duties.

Platform User Management

User Roles and Permissions

eZ Platform uses a role-based permission system with policies:

Administrator Role

  • Full access to all platform features and content
  • Can create, modify, and delete users and roles
  • Access to all content sections and locations
  • System configuration and maintenance capabilities
  • Can manage content types, object states, and workflows
  • Complete access to admin interface modules
  • No policy restrictions apply

Editor Role

  • Can create, edit, and publish content
  • Access to assigned content sections
  • Upload and manage media files
  • Content translation capabilities
  • Version control and workflow participation
  • May require approval for publishing (workflow-dependent)
  • Limited or no access to system configuration

Contributor/Author Role

  • Can create and edit own content drafts
  • Content requires review/approval before publishing
  • Access to specific content types or sections
  • Limited media upload capabilities
  • Cannot delete published content
  • No access to other users' content
  • No system configuration access

Reviewer/Approver Role

  • Can review and approve submitted content
  • Edit content created by contributors
  • Publish approved content
  • Manage content workflow states
  • Cannot access system settings
  • Section-based access controls

Designer/Developer Role

  • Access to template and design management
  • Can modify page layouts and blocks
  • Access to development tools and debug mode
  • Cannot necessarily edit all content
  • May have limited content section access
  • Focused on technical implementation

SEO Manager Role

  • Access to URL aliases and redirects
  • Can modify content metadata and SEO fields
  • View and manage site structure
  • Limited content editing capabilities
  • Access to search and indexing tools
  • Analytics integration management

Custom Roles

eZ Platform allows unlimited custom roles with specific policy combinations to match organizational requirements.

Accessing User Management

Admin Interface Access

  1. Log in to the eZ Platform/Ibexa admin interface
  2. Navigate to the Admin tab in the main navigation
  3. Select Users from the admin panel
  4. Alternatively, click the Users icon on the admin dashboard

Alternative access:

  • Navigate to Content > Browse to Users content tree
  • Access via Admin > Roles for role management
  • Use Admin > Sections for section-based permissions

User Management Interface

The interface provides:

  • Users List: Browse all user accounts organized in user groups
  • User Groups: Hierarchical organization of users
  • Roles: View and manage role assignments
  • Policies: Configure detailed permission policies
  • Sections: Manage content section assignments
  • Search: Find users by name, email, or role
  • Batch Operations: Assign roles or move users in bulk

Adding and Inviting Users

Creating New Users

  1. Navigate to Admin > Users or browse to Users in content tree
  2. Select the appropriate User Group
  3. Click Create > User (or the appropriate user content type)
  4. Fill in required information:
    • First name and last name
    • Email address (must be unique)
    • Username (unique login identifier)
    • Password (must meet complexity requirements)
  5. Assign Roles:
    • Click Assign role button
    • Select one or more roles
    • Configure role limitations if needed:
      • Limit by Section
      • Limit by Content Type
      • Limit by Subtree
      • Limit by Object State
  6. Set additional properties:
    • Account enabled/disabled status
    • User group memberships
    • Custom user fields if configured
  7. Click Publish to create the user account

User Group Organization

Users should be organized in user groups:

  1. Navigate to Admin > Users
  2. Browse the Users content tree
  3. Create new user groups as needed (e.g., "Editors", "Marketing Team")
  4. Organize groups hierarchically for better management
  5. Assign roles at group level when appropriate
  6. Users inherit role assignments from their parent groups

User Invitation Process

eZ Platform doesn't have a built-in invitation system, but you can implement one:

  1. Create user account with generated temporary password
  2. Set account to require password change on first login (via custom implementation)
  3. Use email notification workflows (custom or extension)
  4. Send secure login credentials separately
  5. Provide documentation links for new users
  6. Consider using invitation extensions from the eZ/Ibexa marketplace

Role Assignment and Management

Assigning Roles to Users

  1. Navigate to the user account (Admin > Users > select user)
  2. Click Edit or Assign role button
  3. In the Roles tab/section:
    • Click Assign role
    • Select role from available roles list
    • Configure Limitations if needed:
      • Section: Limit to specific content sections
      • Subtree: Limit to specific content tree locations
      • Content Type: Limit to specific content types
      • Object State: Limit based on content workflow state
  4. Multiple roles can be assigned with different limitations
  5. Click Assign and then Publish to save

Managing Roles and Policies

  1. Navigate to Admin > Roles
  2. Create new role or edit existing:
    • Click Create for new role or select existing role
  3. Add Policy to define permissions:
    • Select Module (e.g., content, section, user)
    • Select Function (e.g., read, create, edit, publish)
    • Add Limitations to restrict the policy:
      • Section limitation
      • Content Type limitation
      • Object State limitation
      • Owner limitation (only own content)
      • Subtree limitation
      • Language limitation
  4. Policies are additive within a role
  5. Multiple roles on a user combine permissions
  6. Save the role configuration

Policy Examples

Editor with Section Limitation:

  • Module: content
  • Function: create, edit, publish
  • Limitation: Section = "Articles"

Contributor - Own Content Only:

  • Module: content
  • Function: create, edit
  • Limitation: Owner = "Self"

Reviewer with Workflow State:

  • Module: content
  • Function: publish
  • Limitation: Object State = "Pending Review"

Permission Inheritance

  • Users can have multiple roles assigned
  • Permissions from all roles combine (union, not intersection)
  • Because permissions combine as a union, a single policy that allows an action is enough to grant it; no policy can deny an action granted elsewhere
  • Limitations restrict policies within a specific role only; they do not narrow policies granted by other roles
  • Section assignments control content visibility
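A simplified model of these rules, added here as an example (it is not Ibexa's code and does not use its Repository API): policies are ORed across roles, the limitations on one policy are ANDed, and a Section or Subtree limitation placed on the role assignment covers every policy of that assignment. The roles, users and content items are constructed to mirror the three Policy Examples above.

```python
from dataclasses import dataclass, field

@dataclass
class Content:  # the attributes that eZ limitations test (constructed sample shape)
    section: str
    content_type: str
    owner: str
    object_state: str
    path: tuple  # location path as a tuple of location ids

@dataclass
class Policy:
    module: str
    function: str
    limitations: dict = field(default_factory=dict)  # limitation kind -> allowed values

@dataclass
class Role:
    name: str
    policies: list
    assignment_limitation: dict = field(default_factory=dict)  # set on the role assignment, covers every policy

def limitation_passes(kind, values, user, content):
    if kind == "Section":
        return content.section in values
    if kind == "ContentType":
        return content.content_type in values
    if kind == "Owner":  # "Self" grants only on content the user owns
        return "Self" in values and content.owner == user
    if kind == "ObjectState":
        return content.object_state in values
    if kind == "Subtree":  # some listed location path must be a prefix of the content's path
        return any(content.path[:len(p)] == tuple(p) for p in values)
    raise ValueError(f"unknown limitation kind: {kind}")

def policy_allows(policy, module, function, user, content, assignment_limitation):
    if (policy.module, policy.function) != (module, function):
        return False
    # Inside one policy every limitation (assignment-level and policy-level) must hold: AND.
    return all(limitation_passes(kind, values, user, content)
               for lims in (assignment_limitation, policy.limitations)
               for kind, values in lims.items())

def can_user(user, roles, module, function, content):
    """Any policy of any assigned role that allows the action grants it (union); nothing denies."""
    return any(policy_allows(p, module, function, user, content, r.assignment_limitation)
               for r in roles for p in r.policies)

# The three Policy Examples above, as constructed roles
EDITOR = Role("Editor", [Policy("content", f, {"Section": {"Articles"}}) for f in ("create", "edit", "publish")])
CONTRIBUTOR = Role("Contributor", [Policy("content", f, {"Owner": {"Self"}}) for f in ("create", "edit")])
REVIEWER = Role("Reviewer", [Policy("content", "publish", {"ObjectState": {"Pending Review"}})])
SUBTREE_EDITOR = Role("Editor", EDITOR.policies, {"Subtree": [(1, 2)]})  # Editor assigned with a Subtree limitation

# Constructed sample content: section, content type, owner, object state, location path
ALICE_PENDING = Content("Articles", "article", "alice", "Pending Review", (1, 2, 11))
BOB_DRAFT = Content("Articles", "article", "bob", "Draft", (1, 3, 20))
PRODUCT = Content("Shop", "product", "alice", "Draft", (1, 4, 30))
```

Calling can_user("bob", [CONTRIBUTOR, REVIEWER], "content", "publish", ALICE_PENDING) shows the union rule: the Reviewer policy grants publish on pending content Bob does not own, even though his Contributor policies are limited to his own content. With SUBTREE_EDITOR, BOB_DRAFT is denied despite being in the "Articles" section, because its location (1, 3, 20) lies outside the assigned subtree.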

Security Recommendations

Authentication Security

  1. Password Policy

    • Enforce minimum 12-character passwords
    • Require complexity (uppercase, lowercase, numbers, symbols)
    • Implement password expiration (90 days recommended)
    • Configure via security policies or custom implementation
    • Use strong password hashing (default in modern versions)
  2. Account Security

    • Enable account lockout after failed login attempts
    • Implement session timeout for inactive users
    • Use HTTPS for all admin interface access
    • Configure secure cookie settings
    • Enable CSRF protection (default)
  3. Two-Factor Authentication

    • Install 2FA bundle for Ibexa/eZ Platform
    • Require 2FA for Administrator and Editor roles
    • Provide recovery code options
    • Document 2FA setup and recovery procedures
  4. Access Control

    • Limit Administrator role to 2-3 trusted individuals
    • Use role limitations extensively
    • Regularly audit role assignments
    • Remove or disable inactive user accounts
    • Monitor access logs for suspicious activity

Content Security

  1. Section-Based Access

    • Organize content into logical sections
    • Assign section-based role limitations
    • Use sections to separate sensitive content
    • Regularly review section assignments
  2. Workflow Integration

    • Implement approval workflows for sensitive content
    • Use object states for workflow stages
    • Limit publish permissions based on states
    • Require peer review for high-visibility content
  3. Version Control

    • Utilize eZ Platform's built-in versioning
    • Maintain version history for audit trails
    • Implement content archiving policies
    • Train users on version restoration

System Hardening

  1. Admin Interface Protection

    • Use custom admin URL (not /admin)
    • Implement IP whitelisting for admin access
    • Configure .htaccess or nginx restrictions
    • Use VPN for remote administration
    • Enable maintenance mode during updates
  2. Audit and Monitoring

    • Enable audit logging for user actions
    • Monitor content changes and deletions
    • Track role assignment modifications
    • Review login attempts and failures
    • Set up alerts for security events
  3. Database Security

    • Use least privilege for database users
    • Restrict direct database access
    • Implement regular backup schedules
    • Encrypt sensitive data at rest
    • Monitor database queries for anomalies

Common Issues and Solutions

Users Cannot Access Admin Interface

Symptoms: Login fails or the admin interface is not reachable

Solutions:

  • Verify user has role with "user/login" policy
  • Check account is enabled (not disabled)
  • Confirm user is assigned to correct user group
  • Clear Symfony cache: php bin/console cache:clear
  • Check for .htaccess or server blocking rules
  • Verify database connection is functioning
  • Review error logs in var/logs directory
  • Check for conflicting bundle configurations

Missing Content Access

Symptoms: Users cannot see or edit expected content

Solutions:

  • Verify user has role with content/read policy
  • Check section assignments and limitations
  • Confirm subtree limitations include content location
  • Review content type limitations on policies
  • Check object state doesn't restrict access
  • Clear cache after permission changes
  • Verify user is in correct user group
  • Check language limitations if multilingual

Permission Denied Errors

Symptoms: Users receive an access denied error when attempting an action

Solutions:

  • Review role policies for required module/function
  • Check policy limitations (section, subtree, content type)
  • Verify user has necessary roles assigned
  • Test with more permissive role to isolate issue
  • Check for owner limitations on policies
  • Review workflow state limitations
  • Ensure policies are published (not just drafted)

Cannot Publish Content

Symptoms: Publish button missing or grayed out

Solutions:

  • Verify role has content/publish policy
  • Check if workflow requires approval first
  • Confirm user has access to target location
  • Review section limitations on publish policy
  • Check content type is allowed in policy
  • Verify all required fields are filled
  • Check if location permissions allow publishing

Role Assignment Not Taking Effect

Symptoms: Role assigned but permissions not working

Solutions:

  • Clear all caches (Symfony, HTTP, persistence)
  • Verify role assignment was published, not just saved
  • Check role limitations don't exclude the content
  • Confirm policies within role are configured correctly
  • Test with simple policy first, then add limitations
  • Check for conflicting bundle or custom code
  • Review role inheritance from user groups

Analytics Tool Access

Google Analytics 4

Manage GA4 access in Admin > Account/Property Access Management:

  • Administrator: Full control over account and all properties
  • Editor: Can modify configurations and create/edit reports
  • Analyst: Can create reports and configure shared assets, no config changes
  • Viewer: Read-only access to reports and data

Best practices for GA4 access:

  • Assign Viewer role by default for content editors
  • Grant Editor access to marketing team members
  • Limit Administrator access to 2-3 trusted individuals
  • Use Google Groups for team-based access management
  • Regularly review and audit user access quarterly
  • Integrate GA4 via template includes or page builder blocks

Google Tag Manager

Manage GTM access in Admin > User Management:

  • Administrator: Full control over container and user management
  • Publish: Can publish container changes to production
  • Approve: Can approve changes but not publish
  • Edit: Can edit tags, triggers, and variables but not approve/publish
  • Read: View-only access to container configuration

GTM access workflow:

  • Use Read access for stakeholders and content editors
  • Grant Edit access to developers and marketers
  • Limit Approve access to team leads or senior marketers
  • Restrict Publish to 2-3 senior team members
  • Implement container versioning and testing procedures
  • Add GTM container code to base templates

Meta Business Manager

Manage access in Business Settings > People:

  • Admin: Full control over Business Manager and all assets
  • Employee: Limited access based on assigned assets and roles

Additional Meta Pixel and Conversions API considerations:

  • Assign asset-specific roles rather than full admin access
  • Use partner access for agency relationships
  • Regularly audit connected accounts and integrations
  • Remove access for former employees immediately
  • Document all third-party access grants
  • Implement Meta pixel via GTM or template code

Best Practices

User Management Strategy

  1. Principle of Least Privilege: Grant minimum required access

    • Start with minimal role assignments
    • Add policies incrementally as needed
    • Use limitations extensively to restrict scope
    • Regularly review and reduce unnecessary permissions
    • Document rationale for elevated access
  2. Regular Access Audits: Review access quarterly

    • Identify and disable inactive accounts (90+ days)
    • Verify role assignments match current job functions
    • Review and optimize role policies
    • Check for orphaned or duplicate accounts
    • Document audit findings and actions
  3. Separate Accounts: Don't share login credentials

    • Create individual accounts for each team member
    • Avoid generic "admin" or "editor" accounts
    • Use service accounts for automated processes
    • Maintain clear accountability through unique accounts
    • Track actions via audit logs
  4. Document Access: Maintain a record of who has access

    • Keep spreadsheet of all users, groups, and roles
    • Document purpose for each role and limitation
    • Track when access was granted and by whom
    • Include contact information for each user
    • Note access review dates and findings

Role Design Strategy

  1. Role Organization

    • Create roles based on job functions, not individuals
    • Limit total number of roles (5-15 is typical)
    • Document the purpose and policies of each role
    • Use descriptive role names
    • Maintain a role-policy matrix
  2. Policy Design

    • Start with broad policies, add limitations as needed
    • Use section limitations for department separation
    • Apply subtree limitations for content area restrictions
    • Use content type limitations for specialized roles
    • Test policies thoroughly before deployment
    • Document the reasoning behind each policy
  3. Limitation Strategy

    • Use limitations to create flexible, reusable roles
    • Prefer limitations over creating many specific roles
    • Combine multiple limitation types when appropriate
    • Document common limitation patterns
    • Test limitation combinations carefully

User Group Organization

  1. Hierarchical Structure

    • Organize groups by department or function
    • Use nested groups for sub-teams
    • Apply roles at appropriate group levels
    • Document group hierarchy and purpose
    • Review group structure periodically
  2. Group Management

    • Assign users to groups based on team membership
    • Use groups for batch role assignments
    • Maintain consistent group naming conventions
    • Document group membership criteria

Onboarding New Team Members

  1. Identify appropriate user group and roles for their position
  2. Create account in correct user group location
  3. Assign standard roles with appropriate limitations
  4. Provide eZ Platform/Ibexa DXP training materials
  5. Grant temporary elevated access for initial training if needed
  6. Configure personalized settings (timezone, language, preferences)
  7. Schedule 30-day review to assess permission needs
  8. Adjust roles and limitations based on actual requirements

Offboarding Departing Team Members

  1. Disable account immediately upon departure
  2. Review and reassign content ownership if needed
  3. Transfer draft content to appropriate team members
  4. Change shared passwords or API credentials
  5. Remove from all external tool access (GA4, GTM, Meta)
  6. Document access removal in audit records
  7. Keep account disabled for 30-90 days before deletion
  8. Archive important work and content appropriately

Content Workflow Best Practices

  1. Implement Workflows

    • Use object states to track workflow stages
    • Configure policies based on workflow states
    • Require approvals for sensitive or public content
    • Document workflow processes clearly
    • Train users on workflow procedures
  2. Section Management

    • Organize content into logical sections
    • Use sections for access control boundaries
    • Assign sections based on content sensitivity
    • Review section structure regularly
    • Document section purposes and owners
  3. Multi-Language Considerations

    • Use language limitations when appropriate
    • Assign translators language-specific access
    • Implement translation workflows
    • Review language permissions regularly

Performance and Scalability

  1. Permission Caching

    • Understand how eZ Platform caches permissions
    • Clear caches after role or policy changes
    • Monitor cache performance
    • Use HTTP cache appropriately
  2. Large-Scale Deployments

    • Design role structure for scalability
    • Use user groups extensively for large teams
    • Optimize policy complexity
    • Monitor query performance for permission checks
    • Consider caching strategies for permission-heavy pages

By implementing these user management practices, you can maintain a secure, efficient, and well-organized eZ Platform/Ibexa DXP installation while ensuring appropriate access control for your team and analytics tools. The platform's powerful RBAC system provides the flexibility needed for complex enterprise requirements when properly configured and maintained.