Liferay DXP/CE uses a role system with three scopes: Regular (portal-wide), Site, and Organization. Permissions are assigned per resource and per action.
Role Scopes
| Scope | Applies To | Example |
|---|---|---|
| Regular | Entire portal | Administrator, Power User, User |
| Site | Specific site | Site Administrator, Site Content Reviewer |
| Organization | Organization hierarchy | Organization Administrator, Organization User |
Built-in Regular Roles
| Role | Portal Admin | Manage Users | All Sites Access | All Content | System Settings |
|---|---|---|---|---|---|
| Administrator | Yes | Yes | Yes | Yes | Yes |
| Power User | No | No | Assigned sites | Assigned content | No |
| User | No | No | Public sites | Own content | No |
| Guest | No | No | Public only | Read-only | No |
Resource Permissions
Liferay permissions are defined as actions on resources:
```
# Example resource permission definitions
# Resource: com.liferay.portal.kernel.model.Layout (pages)
# Actions: VIEW, UPDATE, PERMISSIONS, DELETE, ADD_LAYOUT, CUSTOMIZE
#
# Resource: com.liferay.journal.model.JournalArticle (web content)
# Actions: VIEW, UPDATE, DELETE, PERMISSIONS, ADD_DISCUSSION, EXPIRE
```
Custom Roles
Create roles via Control Panel > Roles > Add, or through the headless API:
```bash
# Liferay supports role creation via JSON API
curl -X POST "http://localhost:8080/o/headless-admin-user/v1.0/roles" \
  -u admin@liferay.com:admin \
  -H "Content-Type: application/json" \
  -d '{
    "name": "Analytics Manager",
    "description": "Manages analytics configuration and tracking",
    "roleType": "regular"
  }'
```
After creation, assign permissions via Control Panel > Roles > Analytics Manager > Define Permissions.
Analytics-Relevant Permissions
| Action | Required Permission |
|---|---|
| Edit theme templates | Site Administrator + UPDATE on Layout |
| Add JavaScript to pages | UPDATE on Layout or Page Fragment access |
| Configure site settings | Site Administrator |
| Access analytics (if Liferay Analytics Cloud) | Analytics Cloud admin |
Adding Analytics via Theme
```html
<!-- In your Liferay theme: src/templates/portal_normal.ftl -->
<head>
  <title>${the_title}</title>
  <#-- Standard Liferay 7.x include for the portal's head resources -->
  <@liferay_util["include"] page=top_head_include />
  <!-- Google Analytics 4 -->
  <script async src="https://www.googletagmanager.com/gtag/js?id=G-XXXXXXXXXX"></script>
  <script>
    window.dataLayer = window.dataLayer || [];
    function gtag(){dataLayer.push(arguments);}
    gtag('js', new Date());
    gtag('config', 'G-XXXXXXXXXX');
  </script>
</head>
```
Best Practices
- Use Site Roles for site-specific permissions rather than granting portal-wide Regular Roles
- Create a custom "Analytics Manager" Regular Role with only Layout UPDATE permissions
- Leverage Organization Roles for multi-tenant setups
- Use Liferay Analytics Cloud for built-in analytics rather than manual script injection where possible
- Audit role assignments via Control Panel > Roles > [Role] > Assignees
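
The audit in the last item can be scripted once role data has been collected. The following is an added example, not part of the original page or Liferay's own tooling: it reports every holder of UPDATE or PERMISSIONS on the Layout resource (the permission the table above ties to adding JavaScript to pages) and marks holders missing from an allow-list. The record layout, the "Site Analytics Editor" role, the assignees and the `APPROVED` allow-list are constructed assumptions.

```python
LAYOUT = "com.liferay.portal.kernel.model.Layout"

# Constructed sample data. The record layout is an assumption made for this
# example; it is not a Liferay export format.
ROLES = [
    {"name": "Administrator", "scope": "regular",
     "grants": {LAYOUT: {"VIEW", "UPDATE", "PERMISSIONS", "DELETE"}},
     "assignees": ["admin@example.com"]},
    {"name": "Analytics Manager", "scope": "regular",
     "grants": {LAYOUT: {"UPDATE"}},
     "assignees": ["alice@example.com", "bob@example.com"]},
    {"name": "Site Analytics Editor", "scope": "site",
     "grants": {LAYOUT: {"VIEW", "UPDATE"}},
     "assignees": ["bob@example.com"]},
    {"name": "Site Content Reviewer", "scope": "site",
     "grants": {"com.liferay.journal.model.JournalArticle": {"VIEW", "UPDATE"}},
     "assignees": ["carol@example.com"]},
]

# Hypothetical allow-list: who is approved to edit pages, per role scope.
APPROVED = {"regular": {"admin@example.com", "alice@example.com"},
            "site": {"bob@example.com"}}


def audit_page_editors(roles, approved):
    """Report every holder of Layout UPDATE or PERMISSIONS.

    Holders missing from the allow-list for the role's scope are marked
    UNAPPROVED; PERMISSIONS holders are marked as able to re-delegate.
    """
    findings = []
    for role in roles:
        actions = role["grants"].get(LAYOUT, set())
        if not actions & {"UPDATE", "PERMISSIONS"}:
            continue  # role cannot change pages or their permissions
        for user in role["assignees"]:
            status = "ok" if user in approved.get(role["scope"], set()) else "UNAPPROVED"
            findings.append({
                "user": user, "role": role["name"], "scope": role["scope"],
                "can_delegate": "PERMISSIONS" in actions, "status": status,
            })
    # Portal-wide (regular) grants first, unapproved before approved.
    return sorted(findings, key=lambda f: (f["scope"] != "regular",
                                           f["status"] == "ok", f["user"]))


if __name__ == "__main__":
    for f in audit_page_editors(ROLES, APPROVED):
        print(f"{f['status']:<10} {f['scope']:<8} {f['role']:<22} {f['user']}")
```

The same user can be approved at site scope and still be flagged at regular scope, which is the case the first best practice is meant to catch.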