Umbraco uses a section-and-node-based permission system where back-office users are organized into User Groups that control which sections (Content, Media, Settings, etc.) they can access and what operations they can perform on individual content nodes. The system supports content-tree-level permissions with inheritance, making it possible to give editors access to only their department's content branch while restricting everything else.
Permission model
Umbraco's access control operates at three levels:
- User Groups -- containers that define section access and default content permissions. A user can belong to multiple groups; permissions are additive. Each group specifies which back-office sections are visible and what content node permissions apply by default.
- Section access -- Umbraco's back office is divided into sections: Content, Media, Settings, Packages, Users, Members, Forms, Translation. Each group is granted access to specific sections.
- Content node permissions -- granular permissions on individual content tree nodes: Browse, Create, Update, Delete, Publish, Unpublish, Move, Copy, Sort, Send to Publish, Rollback, Culture and Hostnames, Public Access. These can be set per group per node, with inheritance down the tree.
Start nodes (content and media) restrict which branch of the tree a group sees. Setting a start node to /en/blog/ means users in that group only see the Blog section and its children.
Built-in user groups
| Group | Sections | Default permissions | Typical use |
|---|---|---|---|
| Administrators | All sections | All node permissions | Full back-office access |
| Writers | Content | Browse, Create, Update, Send to Publish | Content authors who cannot publish |
| Editors | Content, Media | Browse, Create, Update, Delete, Publish, Unpublish, Rollback | Content editors with publish rights |
| Translators | Content (with language-specific start node) | Browse, Update | Translation workflows |
| Sensitive Data (special group) | N/A | Grants access to properties marked as "sensitive" | GDPR/privacy compliance |
Custom groups are created at Users > User Groups. Umbraco 13+ also supports Granular Permissions at the document type level.
Admin UI paths
| Task | Path |
|---|---|
| Manage users | Users section > Users |
| Create/edit User Groups | Users section > User Groups |
| Invite users | Users > Users > Invite User |
| Set content node permissions | Right-click content node > Permissions |
| Set start nodes | User Group > Content Start Node / Media Start Node |
| Section access | User Group > Sections checkboxes |
| Member management | Members section |
| Audit trail | Content node > Info tab > Audit Trail |
API access management
Umbraco Content Delivery API (v12+):
- Read-only RESTful API at `/umbraco/delivery/api/v2/content`
- Enabled in `appsettings.json` under `Umbraco:CMS:DeliveryApi`
- Public by default (serves published content without authentication)
- Protected content can require API key or member authentication
- API key configured in `appsettings.json`
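The following `appsettings.json` fragment is an added illustration, not configuration taken from the page or from Umbraco's own samples, of how the Delivery API settings under `Umbraco:CMS:DeliveryApi` change the exposure described above. Out of the box the API is public (`PublicAccess` defaults to true and no key is set); setting `PublicAccess` to false and supplying an `ApiKey` makes every request carry the key in the `Api-Key` request header. The key value shown is a placeholder to be replaced with a long random secret held outside source control.

```json
{
  "Umbraco": {
    "CMS": {
      "DeliveryApi": {
        "Enabled": true,
        "PublicAccess": false,
        "ApiKey": "REPLACE-WITH-A-LONG-RANDOM-SECRET"
      }
    }
  }
}
```

With `PublicAccess` left at its default of true, the `ApiKey` value is still useful: it lets authenticated callers preview unpublished content, but anonymous callers continue to receive published content. Only the combination of `PublicAccess: false` and a key actually removes anonymous read access, so check both values together when reviewing an instance.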
Management API (Umbraco 14+):
- Full CRUD back-office API at `/umbraco/management/api/v1/`
- OAuth2 authentication via back-office user credentials
- Permissions follow the authenticated user's group permissions
- Swagger documentation at `/umbraco/swagger`
Custom API controllers:
- Extend `UmbracoApiController` for custom endpoints
- Manually check permissions via `IAuthorizationService` or `[Authorize]` attributes
- Back-office API controllers use `[Authorize(Policy = AuthorizationPolicies.BackOfficeAccess)]`
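The controller below is an added example, not code from the page or from Umbraco itself, showing both permission-checking styles listed above on one hypothetical analytics endpoint built on `UmbracoApiController` (Umbraco 10 to 13, where that base class is available). The class-level attribute applies `AuthorizationPolicies.BackOfficeAccess` to every action; one action layers a declarative `AuthorizationPolicies.SectionAccessSettings` check on top, and another performs the same check imperatively through `IAuthorizationService`. The controller name, the `TrackingUpdate` record, the static in-memory tracking ID, and the sample figures are all constructed for the example.

```csharp
using System.Threading.Tasks;
using Microsoft.AspNetCore.Authorization;
using Microsoft.AspNetCore.Mvc;
using Umbraco.Cms.Web.Common.Authorization;
using Umbraco.Cms.Web.Common.Controllers;

namespace Example.Analytics;

// Class-level policy: every action requires an authenticated back-office user.
// Umbraco routes this controller at /umbraco/api/analyticsreport/{action}.
[Authorize(Policy = AuthorizationPolicies.BackOfficeAccess)]
public class AnalyticsReportController : UmbracoApiController
{
    // In-memory stand-in for persisted tracking configuration (constructed placeholder).
    private static string _trackingId = "G-PLACEHOLDER";

    private readonly IAuthorizationService _authorizationService;

    public AnalyticsReportController(IAuthorizationService authorizationService)
    {
        _authorizationService = authorizationService;
    }

    // Readable by any back-office user: only the class-level policy applies.
    [HttpGet]
    public IActionResult Summary()
    {
        // Constructed sample figures; a real implementation would query an analytics store.
        return Ok(new { pageViews = 1234, uniqueVisitors = 567, trackingId = _trackingId });
    }

    // Declarative check: the attribute additionally requires Settings section access,
    // matching the advice to keep global analytics configuration with admin groups.
    [HttpGet]
    [Authorize(Policy = AuthorizationPolicies.SectionAccessSettings)]
    public IActionResult CurrentTrackingId() => Ok(new { trackingId = _trackingId });

    // Imperative check via IAuthorizationService: useful when the decision depends on
    // request data, or when the denial should be logged before returning 403.
    [HttpPost]
    public async Task<IActionResult> UpdateTrackingId([FromBody] TrackingUpdate update)
    {
        AuthorizationResult result = await _authorizationService.AuthorizeAsync(
            User, AuthorizationPolicies.SectionAccessSettings);
        if (!result.Succeeded)
        {
            return Forbid();
        }

        if (update is null || string.IsNullOrWhiteSpace(update.TrackingId))
        {
            return BadRequest("trackingId is required");
        }

        _trackingId = update.TrackingId.Trim();
        return NoContent();
    }
}

public sealed record TrackingUpdate(string TrackingId);
```

Because the section-access policies are evaluated against the caller's user group membership, the same endpoint automatically respects changes made in Users > User Groups; there is no separate list of allowed users in code to keep in sync. The imperative form is the one to reach for when a single action must answer differently for different content nodes or request parameters.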
Webhook events (Umbraco 12+):
- Configured at Settings > Webhooks
- Trigger on content publish/unpublish/delete, media upload/delete, member events
- Include content payload in POST request
- No secret signing; verify by source IP or custom header
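Since the webhook POST carries no signature, the receiving side has to do the verification. The ASP.NET Core minimal endpoint below is an added example (not page or Umbraco code) of the two checks the list above names: a source-address allowlist followed by a shared-secret custom header compared in constant time. The header name `X-Umbraco-Webhook-Secret`, the secret value, and the allowlisted address `203.0.113.10` are constructed placeholders; the header name and value must match whatever is configured on the webhook in Settings > Webhooks.

```csharp
using System;
using System.Collections.Generic;
using System.IO;
using System.Net;
using System.Security.Cryptography;
using System.Text;
using Microsoft.AspNetCore.Builder;
using Microsoft.AspNetCore.Http;

// Shared secret configured as a custom header value on the webhook in Settings > Webhooks
// (constructed placeholder; in practice load it from configuration or a secret store).
const string ExpectedSecret = "REPLACE-WITH-A-LONG-RANDOM-SECRET";
// Hypothetical header name; any name works as long as the webhook sends the same one.
const string SecretHeader = "X-Umbraco-Webhook-Secret";

// Constructed allowlist of the address(es) the Umbraco instance calls out from.
var allowedSources = new HashSet<IPAddress> { IPAddress.Parse("203.0.113.10") };

var app = WebApplication.CreateBuilder(args).Build();

app.MapPost("/hooks/umbraco", async (HttpContext ctx) =>
{
    // 1. Source address filter: cheap and blocks unrelated traffic, but addresses can be
    //    shared or rewritten by proxies, so it is not sufficient on its own.
    if (!WebhookGuard.IsTrustedSource(ctx.Connection.RemoteIpAddress, allowedSources))
    {
        return Results.StatusCode(StatusCodes.Status403Forbidden);
    }

    // 2. Header secret compared in constant time so response timing does not leak it.
    string presented = ctx.Request.Headers[SecretHeader].ToString();
    if (!WebhookGuard.SecretMatches(presented, ExpectedSecret))
    {
        return Results.Unauthorized();
    }

    // 3. Only after both checks pass is the content payload read and processed.
    using var reader = new StreamReader(ctx.Request.Body, Encoding.UTF8);
    string payload = await reader.ReadToEndAsync();
    Console.WriteLine($"Accepted webhook payload of {payload.Length} bytes");
    return Results.Ok();
});

app.Run();

public static class WebhookGuard
{
    public static bool IsTrustedSource(IPAddress? remote, ISet<IPAddress> allowed)
    {
        if (remote is null) return false;
        // Kestrel often reports IPv4 clients as IPv4-mapped IPv6 addresses; normalise first.
        if (remote.IsIPv4MappedToIPv6) remote = remote.MapToIPv4();
        return allowed.Contains(remote);
    }

    public static bool SecretMatches(string presented, string expected)
    {
        byte[] a = Encoding.UTF8.GetBytes(presented);
        byte[] b = Encoding.UTF8.GetBytes(expected);
        // FixedTimeEquals returns false on a length mismatch without comparing bytes,
        // which reveals only the length of the expected secret, not its content.
        return CryptographicOperations.FixedTimeEquals(a, b);
    }
}
```

If the receiver sits behind a load balancer or reverse proxy, `RemoteIpAddress` will be the proxy's address; configure ASP.NET Core's forwarded-headers middleware for that proxy before relying on the allowlist, and treat the header secret as the check that actually carries the trust decision.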
Analytics-specific permissions
Umbraco provides analytics integration points at several levels:
- Umbraco Analytics package (community) -- packages like `Analytics.Umbraco` add a dedicated Analytics section to the back office. Access is controlled by adding the Analytics section to a user group's section access.
- Content node properties -- if analytics metadata (tracking IDs, campaign tags) is added as document type properties, access follows content node permissions. Use the "Sensitive Data" property flag to restrict visibility to the Sensitive Data group.
- Settings section -- global analytics configuration (GA tracking ID, GTM container) stored in Umbraco's Content or Settings section. Restrict the Settings section to admin groups only.
- Audit trail -- every content node has an audit trail (Info tab) showing all publish, save, and permission changes. Available to any user with Browse permission on the node.
- uSync / config files -- if tracking code lives in view files (`.cshtml`), changes require file system access (deployed via CI/CD). This naturally restricts analytics code changes to developers.
- Umbraco Forms -- form submission data and analytics are in the Forms section. Forms section access is controlled per user group.
To create an analytics-only user:
- Create an "Analytics" user group
- Grant section access to Content (read only) and the Analytics section (if using an analytics package)
- Set content node permissions to Browse only (no Create, Update, Delete, Publish)
- Set the start node to the site root so they can browse content for context
- Do not grant Settings, Users, Packages, or Members sections
Sub-pages
- Roles and Permissions -- user group configuration, node permissions, section access, and granular document type permissions
- Adding and Removing Users -- inviting users, assigning groups, and disabling accounts