TYPO3 uses a deeply granular permission system that separates backend users (editors, admins) from frontend users (website members) with entirely different authentication and authorization mechanisms. Backend permissions combine user groups, page and file mount points, DB mount points, access lists, and TSconfig overrides to create precise access controls. The system is one of the most configurable in the CMS space but requires careful planning to avoid permission complexity.
Permission model
TYPO3's backend access control has five interacting layers:
- Backend User Groups -- the primary permission containers. Users belong to one or more groups. Permissions are additive across all groups. Groups can include sub-groups (inheritance).
- DB Mounts (Database Mounts) -- define which page tree branches a user can see and edit. A mount at page ID 42 gives access to that page and all children. Without a mount, the user sees an empty page tree.
- File Mounts -- define which directories in the file system or FAL (File Abstraction Layer) storage the user can access for uploads and file management.
- Access Lists -- per-group settings that control: allowed content element types (text, image, HTML, plugin), allowed page types (standard, shortcut, folder, external URL), allowed tables for listing/editing, and allowed modules (Web > Page, Web > List, File, System, etc.).
- TSconfig (User/Page) -- TypoScript-like configuration overrides that fine-tune the backend UI per user or per page. Can hide fields, set defaults, restrict options in dropdowns, and override access list settings.
Built-in roles and groups
TYPO3 does not ship with pre-defined groups beyond the admin account. Common configurations:
| Group | DB Mounts | Modules | Access lists | Typical use |
|---|---|---|---|---|
| Admin (system flag) | All pages | All modules | Everything | System administrators (checkbox on user record, bypasses all checks) |
| Editor | Content branches | Web > Page, Web > List | Text, Image, Text & Media content types | Day-to-day content editing |
| Advanced Editor | Content + template branches | Web > Page, Web > List, Web > View | All content types, limited page types | Senior editors, landing page builders |
| News Editor | /news/ branch only | Web > Page, Web > List | tx_news records | Blog/news team |
| File Manager | N/A | File > Filelist | All file types | Media and asset management |
| SEO Manager | Content branches | Web > Page, Web > Info | Limited content types, SEO fields visible via TSconfig | SEO and analytics team |
Groups are created at System > Backend Users > Backend User Groups.
Admin UI paths
| Task | Location |
|---|---|
| Backend user management | System > Backend Users |
| Backend user groups | System > Backend Users > Backend User Groups tab |
| DB Mount assignment | User Group record > Mounts tab > DB Mounts |
| File Mount management | System > File Mounts |
| Access Lists | User Group record > Access Lists tab |
| TSconfig (user-level) | User record > Options tab > TSconfig |
| TSconfig (page-level) | Page record > Resources tab > Page TSconfig |
| Frontend user management | Web > List on the sys_folder containing fe_users |
| System log | System > Log |
API access management
TYPO3 REST API (EXT:rest or headless extensions):
- Not built into TYPO3 core. Third-party extensions provide REST/GraphQL APIs.
- EXT:headless turns TYPO3 into a headless CMS with JSON responses -- permissions follow the page access restrictions and user authentication context.
- EXT:restler or custom Extbase controllers expose endpoints with authentication.
Backend API (AJAX):
- TYPO3's backend user interface uses internal AJAX endpoints
- Authenticated via backend session cookies
- All requests check backend user permissions through the core access control
API key patterns:
- No built-in API key system in TYPO3 core
- Extensions like EXT:api_token add Bearer token authentication
- For integrations, create a dedicated backend user with restricted group membership and use session-based auth or extension-provided token auth
GraphQL (EXT:graphql):
- Community extension providing GraphQL endpoint
- Resolvers respect TYPO3's page access restrictions
- Frontend user authentication for protected content
Analytics-specific permissions
TYPO3's analytics access depends on the extension ecosystem:
- System Log -- TYPO3's core log module (System > Log) records backend user actions including page edits, user logins, and errors. Access requires the "System > Log" module in the user group's access list.
- Google Analytics extension (EXT:google_analytics or similar) -- configuration typically stored in TypoScript or site settings. Modifying requires access to the template module (Web > Template) or the Sites configuration.
- Matomo/Piwik integration (EXT:matomo_widgets) -- adds dashboard widgets showing analytics data. Widget visibility controlled by backend user group module access and TSconfig.
- SEO module (core, TYPO3 v9+) -- built-in SEO fields (title, description, canonical, Open Graph) on every page. Visible to all users with page editing access. Use TSconfig to show/hide fields per group:
```typoscript
# Hide the SEO title field by default and show it only to members of the
# backend group with uid 3 (the be_groups record of the SEO manager group)
TCEFORM.pages.seo_title.disabled = 1
[backend.user.isInGroup(3)]
TCEFORM.pages.seo_title.disabled = 0
[end]
```
- Info module -- Web > Info shows page statistics, localization overview, and page TSconfig. Useful for content auditing. Enable via access list.
- Indexed Search statistics -- if using EXT:indexed_search, search statistics are available in the backend. Access requires the relevant module permission.
To create an analytics-only backend user:
- Create a "SEO & Analytics" backend user group
- Set DB Mounts to relevant content branches (read access)
- In Access Lists, enable only: Web > Page (view), Web > Info, System > Log
- Use TSconfig to disable content editing fields and show only SEO/analytics fields
- Deny all content types in the group's "Explicitly allow/deny field values" settings
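The following Page TSconfig fragment, entered on the root page (Page record > Resources tab > Page TSconfig), covers the last two steps of the procedure above. It is an added example, not part of the original page and not code shipped by the TYPO3 project. It assumes the "SEO & Analytics" group was saved as be_groups record uid 3 (a placeholder; use the real uid) and that the page-level SEO fields come from the core EXT:seo extension.

```typoscript
# Page TSconfig for the analytics-only group (added example).
# Assumption: the "SEO & Analytics" backend group has uid 3; replace it with
# the uid of your be_groups record.
# Everything below only shapes the backend UI. Read-only access is enforced by
# the DB mounts and the Access Lists on the group record, not by this file.
[backend.user.isInGroup(3)]
    # List module: hide content and member tables, block "Create new record"
    mod.web_list.hideTables = tt_content, sys_file_reference, fe_users, fe_groups
    mod.web_list.deniedNewTables = pages, tt_content, sys_file_reference
    # Page module: no content-element wizard for this group
    mod.web_layout.disableNewContentElementWizard = 1

    # Page properties: hide the content-editing fields, keep the SEO fields
    TCEFORM.pages {
        nav_title.disabled = 1
        subtitle.disabled = 1
        abstract.disabled = 1
        hidden.disabled = 1
        starttime.disabled = 1
        endtime.disabled = 1
        fe_group.disabled = 1
        layout.disabled = 1
        backend_layout.disabled = 1
        backend_layout_next_level.disabled = 1
        author.disabled = 1
        author_email.disabled = 1
        # seo_title, description, no_index, no_follow, canonical_link,
        # sitemap_priority and the og_*/twitter_* fields keep their default
        # (visible) state, so the group still sees the SEO tab
    }
[end]
```

Pair it with `options.disableDelete = 1` in the group's own TSconfig field (User TSconfig) so the group cannot delete the pages it can see. Hiding a field with TCEFORM removes it from the form only; what the group may actually write is decided by the group's allowed tables and exclude fields in its Access Lists, so verify those before relying on the TSconfig.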
Sub-pages
- Roles and Permissions -- group configuration, mount points, access lists, and TSconfig permission overrides
- Adding and Removing Users -- creating backend users, group assignment, and deactivation procedures