Contao User Management: Roles and Permissions | OpsBlu Docs

Contao User Management: Roles and Permissions

Manage user roles, permissions, and team access in Contao — step-by-step admin guide.

This section covers user management, roles, and permissions for Contao and associated analytics tools.

Overview

Contao is a powerful open-source CMS originally developed in Germany, featuring an advanced user and permission management system. The platform distinguishes between two types of users: backend users (administrators and editors who manage content) and frontend users (website visitors with authenticated access). This dual-user system provides flexibility for both content management and membership-based websites.

Contao's permission system is highly granular, allowing administrators to control access to specific modules, content elements, page trees, directories and even individual database fields. It is an allow-list model: a non-administrator gets nothing by default, and every module, page tree, directory and protected field must be granted to one of the user's groups. Understanding this access control system is essential for maintaining security and efficiency in your Contao installation.

Platform User Management

User Types and Roles

Backend Users (Administrative Access)

Backend users manage the Contao CMS and are divided into two categories:

Administrators

  • Full access to all backend modules and functions
  • Can create, modify, and delete all users and groups
  • Access to system settings and maintenance tools
  • Install and update extensions through Composer or the Contao Manager (this happens outside the backend permission system and is protected by the Manager's own password)
  • Manage file system and database operations
  • Full control over all page hierarchies
  • No permission restrictions apply

Regular Backend Users

  • Access controlled through user groups
  • Permissions defined at granular level
  • Can be restricted to specific page trees
  • Module access can be limited
  • File operations can be restricted
  • May have read-only access to certain areas

Frontend Users (Website Members)

Frontend users are website visitors with authenticated access:

  • Used for member areas and protected content
  • Managed through frontend member groups
  • Access controlled by page protection settings
  • Can have personalized content experiences
  • Cannot access the backend: members (tl_member) and backend users (tl_user) are separate accounts with separate logins, so a member password never opens the backend

User Groups and Permissions

Backend User Groups

Contao ships without predefined backend groups; administrators create groups that match job functions and assign users to them. Typical groups look like this:

Content Editor Group

  • Access to content management modules
  • Can edit assigned page trees
  • Upload and manage media files
  • Create and edit articles
  • Cannot access system settings
  • Cannot manage users or extensions

Design Editor Group

  • Access to theme and layout management
  • Can modify templates and stylesheets
  • Manage page layouts and modules
  • Limited or no content editing access
  • Cannot access system configuration

SEO Manager Group

  • Access to page settings and metadata
  • Can modify page titles, descriptions, and URLs
  • View and edit robot instructions
  • Access to analytics integration settings
  • Limited content modification rights

Developer Group

  • Access to the Templates module and custom templates
  • Can modify system settings
  • File system management
  • Extension installation, Composer updates and database migrations are not backend permissions: they run through the Contao Manager or the command line, which have their own credentials, so a developer group does not by itself grant them

Permission Categories

Contao permissions are organized into several categories, all of them allow-lists:

  1. Allowed modules: Which backend sections the user can access
  2. Page mounts and allowed page types: Which page trees the user can see and edit, and which page types may be created there
  3. File mounts and file permissions: Which directories the file manager exposes, and which operations (upload, edit, delete, and so on) are permitted in them
  4. Allowed elements: Which content element types may be created
  5. Forms: Which forms can be managed, and which form field types may be used
  6. Image sizes: Which image size configurations can be used
  7. Allowed excluded fields: Fields flagged "exclude" in the data container are hidden from non-administrators until a group is allowed them (per table and field). There is no separate block list; a field that no group allows simply stays hidden

Accessing User Management

Backend User Management

  1. Log in to the Contao backend as an administrator
  2. Open the user management section of the backend navigation
  3. Select either:
    • Users: Manage individual backend accounts
    • User Groups: Manage group permissions
    • Members: Manage frontend user accounts
    • Member Groups: Manage frontend access groups

User Management Interface

The interface provides:

  • User List: View all backend users with their groups
  • Filter Options: Search and filter users
  • Bulk Actions: Enable/disable multiple users at once
  • Group Assignment: Visual indicators of user group membership
  • Last Login: Track user activity
  • Account Status: See enabled/disabled accounts

Adding and Inviting Users

Creating Backend Users

  1. Navigate to System > Users
  2. Click New button to create a user
  3. Fill in the Account Settings:
    • Username (unique identifier)
    • Name (full name)
    • Email address
    • Password (Contao rejects passwords shorter than the configured minimum length; choose a long random one)
    • Language preference
  4. Assign to User Group(s):
    • Check appropriate groups
    • Multiple group membership is supported
    • Permissions are cumulative
  5. Configure Account Settings:
    • Check "Administrator" for full access (bypasses group permissions); leave it unchecked unless the person genuinely needs it
    • Set account active/inactive status ("Disable account")
    • Optionally set an activation period ("Activate account on" / "Deactivate account on")
    • Tick "Force password change" if the initial password is temporary
  6. Set Additional Options:
    • Home directory for file manager
    • Default page for backend start
    • Email notification settings
  7. Click Save to create the account

Creating Frontend Members

  1. Navigate to System > Members
  2. Click New to add a member
  3. Enter member information:
    • Username and email
    • Password
    • Personal information (name, address, etc.)
    • Group assignment
  4. Configure member settings:
    • Active/inactive status
    • Login settings
    • Account expiration (optional)
  5. Save the member account

User Invitation Process

Contao does not have a built-in automated invitation system, but you can implement one with core features:

  1. Create the user account with a random temporary password and tick "Force password change" so it is replaced at first login
  2. Leave the account disabled (or set "Activate account on" to a future date) until the recipient has confirmed receipt
  3. Send the username and the temporary password through separate secure channels, never together in one plain email
  4. Enable the account once the user confirms receipt
  5. Check afterwards that the first login happened (last login in the user list) and that the forced password change is no longer pending; revoke the temporary credential if it is not used within a few days

Role Assignment and Management

Assigning Users to Groups

  1. Open the user account in System > Users
  2. Scroll to User Groups section
  3. Check boxes for appropriate groups
  4. Users inherit permissions from all assigned groups
  5. Permissions are cumulative: a group can only add access, never remove it, so to restrict a user you remove a group rather than add one
  6. Save changes

Managing Group Permissions

  1. Navigate to System > User Groups
  2. Select the group to configure
  3. Configure Allowed Modules:
    • Check modules users should access
    • Treat the Users, User groups and Settings modules as admin-equivalent; a user who can edit groups can grant themselves anything
  4. Set Page Mounts (allowed page trees):
    • Select root pages users can access
    • Users see only these page hierarchies, including every page below the mounted one
  5. Configure File Mounts and File Permissions:
    • Select accessible directories
    • Grant only the file operations (upload, edit, delete, and so on) the group needs
  6. Set Form Permissions:
    • Select which forms can be managed
  7. Configure Allowed Excluded Fields:
    • Enable, per table and field, the protected fields the group may edit
    • Leave security-relevant fields (publishing flags, page protection, redirect targets) to the groups that must have them
  8. Save group configuration

Permission Inheritance

  • Permissions from multiple groups combine as a union: anything any group allows, the user gets
  • No group can revoke what another group grants; the most permissive combination always applies
  • Administrator status overrides all group restrictions
  • Page mounts and file mounts are additive, and a mount covers the mounted page or directory together with everything below it
  • Module access is cumulative
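The union semantics above are easy to misjudge when auditing, so here is a small model of them as an added example (not Contao's own code): constructed groups and users, a page tree, the excluded-field rule, and a check that flags non-administrators whose groups reach the Users, User groups or Settings modules. The group names, page ids, module keys and the set of excluded fields are assumptions made for the example.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Group:
    """One backend user group: the allow-lists the page describes."""
    name: str
    modules: frozenset     # allowed backend modules
    pagemounts: frozenset  # ids of pages whose whole subtree may be edited
    filemounts: frozenset  # directories the file manager exposes
    alexf: frozenset       # allowed excluded fields, written "table::field"


@dataclass(frozen=True)
class User:
    username: str
    admin: bool
    groups: tuple          # names of the assigned groups


def fs(*items):
    return frozenset(items)


# Constructed sample groups; names and contents are invented for this example.
GROUPS = {
    "content-editors": Group("content-editors", fs("article", "page", "files"),
                             fs(1), fs("files/content"), fs("tl_article::published")),
    "seo": Group("seo", fs("page"), fs(1, 2), fs(),
                 fs("tl_page::description", "tl_page::robots")),
    "user-admins": Group("user-admins", fs("user", "group"), fs(), fs(), fs()),
}
# Constructed page tree, child id -> parent id; parent 0 marks a root page.
PAGE_PARENT = {1: 0, 2: 0, 3: 1, 4: 3, 5: 2}
# Constructed subset of fields the data container flags "exclude" (hidden unless allowed).
EXCLUDED_FIELDS = fs("tl_page::robots", "tl_page::description", "tl_article::published")
# Modules whose holders can change access control or global settings; giving them
# to a non-administrator is admin-equivalent. Keys are assumed to mirror Contao's
# module names for users, user groups and settings.
ADMIN_EQUIVALENT_MODULES = fs("user", "group", "settings")
PERMISSION_KEYS = ("modules", "pagemounts", "filemounts", "alexf")


def effective_permissions(user, groups=GROUPS):
    """Union of all assigned groups' allow-lists; None means unrestricted (admin)."""
    if user.admin:
        return None
    merged = {key: set() for key in PERMISSION_KEYS}
    for name in user.groups:            # a group can only add access, never remove it
        for key in PERMISSION_KEYS:
            merged[key] |= getattr(groups[name], key)
    return {key: frozenset(values) for key, values in merged.items()}


def can_edit_page(user, page_id, groups=GROUPS, tree=PAGE_PARENT):
    """Needs the page module plus a mount on the page or any ancestor of it."""
    eff = effective_permissions(user, groups)
    if eff is None:
        return True
    if "page" not in eff["modules"]:
        return False
    current = page_id
    while current:                      # walk towards the root; parent 0 stops
        if current in eff["pagemounts"]:
            return True
        current = tree.get(current, 0)
    return False


def can_edit_field(user, table, field, groups=GROUPS, excluded=EXCLUDED_FIELDS):
    """Excluded fields need an explicit allow; there is no deny list, only 'not shown'."""
    eff = effective_permissions(user, groups)
    if eff is None:
        return True
    key = f"{table}::{field}"
    return key not in excluded or key in eff["alexf"]


def is_shadow_admin(user, groups=GROUPS):
    """Non-administrator whose group union reaches an admin-equivalent module."""
    eff = effective_permissions(user, groups)
    return eff is not None and bool(eff["modules"] & ADMIN_EQUIVALENT_MODULES)


# Constructed accounts to audit.
USERS = [
    User("alice", True, ()),
    User("bob", False, ("content-editors",)),
    User("carol", False, ("content-editors", "seo")),
    User("dave", False, ("seo", "user-admins")),
]


def shadow_admins(users=USERS, groups=GROUPS):
    """Usernames to review: admin-equivalent power without the admin flag."""
    return [u.username for u in users if is_shadow_admin(u, groups)]
```

Running `shadow_admins()` on the sample data reports only "dave": his SEO group is harmless, but the additional user-admins group lets him edit groups and therefore grant himself anything, which is what the "most permissive wins" rule means in practice. The same walk up the page tree is why a mount on a parent page covers every child.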

Security Recommendations

Authentication Security

  1. Password Requirements

    • Enforce a minimum length of at least 12 characters (Contao checks a configurable minimum length when a password is saved)
    • Prefer length and a check against known-breached passwords over composition rules; composition rules mostly produce predictable substitutions
    • Force a change after a suspected compromise rather than on a fixed calendar; periodic expiry is discouraged by NIST SP 800-63B
    • Prevent password reuse
    • Keep Contao's built-in password validation enabled
  2. Account Protection

    • Enable automatic logout after inactivity
    • Rely on Contao's core lockout (an account is temporarily locked after repeated failed logins and the attempts are written to the system log), and add rate limiting at the web server or proxy for sustained brute force
    • Use HTTPS for all backend access
    • Configure secure session management
    • Set appropriate session timeout values
  3. Two-Factor Authentication

    • Use Contao's built-in TOTP two-factor authentication; no extension is needed for backend users, and newer versions also offer it to frontend members
    • Enforce it for every backend user with the contao.security.two_factor.enforce_backend configuration option instead of asking administrators to opt in
    • Have users store the backup codes Contao generates when 2FA is enabled
    • Document 2FA setup procedures

Access Control Best Practices

  1. Administrator Accounts

    • Limit to 2-3 trusted individuals
    • Use admin status sparingly
    • Create separate admin accounts (no sharing)
    • Regularly audit administrator access
    • Disable unused admin accounts
  2. Backend User Security

    • Keep accounts on the default "inherit group settings" permission mode; the "extend" and "custom" modes attach permissions to individual accounts, where group audits miss them
    • Regularly review group memberships
    • Implement principle of least privilege
    • Remove access for departed team members immediately
    • Monitor user login activity
  3. File System Security

    • Restrict file mounts to the directories each group actually needs
    • Keep sensitive files in protected folders (folders not marked public), which Contao serves only through its download elements; a public folder is readable by anyone who knows the path
    • Never add script extensions such as php to the allowed upload file types; an editor who can upload executable code has server access
    • Grant the upload and delete file permissions only to groups that need them
    • Monitor file upload activity in the system log
  4. Frontend Member Security

    • Use strong password requirements for members
    • Implement CAPTCHA for registration
    • Enable email verification for new accounts
    • Configure account approval workflow
    • Monitor for suspicious member activity

System Hardening

  1. Backend Access

    • Move the backend off the default /contao path with the contao.backend.route_prefix option; this cuts scanner noise but is not an access control, so do not rely on it
    • Restrict the backend path to known IP ranges at the web server or reverse proxy (Contao has no per-account IP restriction)
    • Enable Contao's maintenance mode during updates
    • Configure .htaccess (or the equivalent server configuration) protection for the backend path
    • Use VPN for remote administration
  2. Audit Logging

    • Use the built-in system log, which records logins, failed logins and backend changes, together with the per-record version history; an extension is only needed for reporting beyond that
    • Monitor user actions and changes
    • Review logs regularly for anomalies
    • Track failed login attempts; they appear in the system log
    • Document security incidents

Common Issues and Solutions

Users Cannot Access Backend

Symptoms: Login fails or backend not accessible

Solutions:

  • Verify account is enabled (not disabled)
  • Check the activation period ("Activate account on" / "Deactivate account on")
  • Confirm the user is assigned to at least one group or is an administrator; an account without groups may log in but has no modules to work with
  • Clear Contao cache (System > System Maintenance)
  • Check .htaccess configuration
  • Verify database connection
  • Review error logs for specific issues

Missing Permissions or Modules

Symptoms: Users cannot see expected modules or pages

Solutions:

  • Verify user group has required modules enabled
  • Check pagemounts include necessary page trees
  • Confirm filemounts include required directories
  • Review Allowed excluded fields: a field missing from a form is usually one flagged "exclude" that no group has been allowed
  • Remember: non-administrators need explicit permissions
  • Clear cache after permission changes
  • Check if user is in correct groups

Permission Conflicts

Symptoms: Unexpected access or restrictions

Solutions:

  • Review all groups the user belongs to and the account's permission mode (inherit, extend or custom)
  • Remember permissions are cumulative: unexpected access almost always comes from an extra group, never from a missing one
  • Administrator status overrides all restrictions
  • Page mounts cannot conflict, only widen; a mount on a parent page already covers every child
  • Check which excluded fields each group has been allowed
  • Remove user from unnecessary groups

File Upload Issues

Symptoms: Users cannot upload files to specific directories

Solutions:

  • Verify filemounts include target directory
  • Check directory write permissions on server
  • Confirm file size limits in php.ini
  • Review the allowed upload file types (a system setting) and the group's file permissions (the upload right)
  • Check disk space availability
  • Verify user has file upload permissions in group

Frontend Member Login Problems

Symptoms: Members cannot log in to protected pages

Solutions:

  • Verify member account is enabled
  • Check member group assignments
  • Confirm page protection settings match member groups
  • Clear frontend cache
  • Check for browser cookie issues
  • Check the member's activation period dates; a past deactivation date blocks login even on an enabled account

Analytics Tool Access

Google Analytics 4

Manage GA4 access in Admin > Account/Property Access Management:

  • Administrator: Full control over the account or property, including user management
  • Editor: Full control over property settings, but cannot manage users
  • Marketer: Analyst rights plus audiences, key events/conversions and attribution settings
  • Analyst: Can create and share explorations and other shared assets, no configuration changes
  • Viewer: Read-only access to reports and data

Best practices for GA4 access:

  • Assign Viewer role by default for content editors
  • Grant Editor access to marketing team members
  • Limit Administrator access to 2-3 trusted individuals
  • Use Google Groups for team-based access management
  • Regularly review and audit user access quarterly

Google Tag Manager

Manage GTM access in Admin > User Management. Account-level permissions (User or Administrator) decide who may manage users and containers; container-level permissions decide what a user may do inside a container:

  • Administrator (account level): Full control, including user management
  • Publish: Can create versions and publish them to production
  • Approve: Can create versions and approve workspace changes, but not publish
  • Edit: Can edit tags, triggers, and variables in a workspace, but not create versions or publish
  • Read: View-only access to container configuration

GTM access workflow:

  • Use Read access for stakeholders and content editors
  • Grant Edit access to developers and marketers
  • Limit Approve access to team leads or senior marketers
  • Restrict Publish to 2-3 senior team members
  • Implement container versioning and testing procedures

Meta Business Manager

Manage access in Business Settings > People:

  • Admin: Full control over Business Manager and all assets
  • Employee: Limited access based on assigned assets and roles

Additional Meta pixel and conversion API considerations:

  • Assign asset-specific roles rather than full admin access
  • Use partner access for agency relationships
  • Regularly audit connected accounts and integrations
  • Remove access for former employees immediately
  • Document all third-party access grants

Best Practices

User Management Strategy

  1. Principle of Least Privilege: Grant minimum required access

    • Start with minimal permissions
    • Add permissions incrementally as needed
    • Use user groups instead of individual permissions
    • Regularly review and reduce excessive permissions
  2. Regular Access Audits: Review access quarterly

    • Identify and disable inactive accounts
    • Verify group memberships are still appropriate
    • Confirm permission levels match current job roles
    • Document audit findings and remediation actions
    • Check for orphaned or duplicate accounts
  3. Separate Accounts: Don't share login credentials

    • Create individual accounts for each team member
    • Avoid generic "admin" or "webmaster" accounts
    • Use service accounts for automated processes
    • Maintain clear accountability for all actions
    • Track who made what changes
  4. Document Access: Maintain a record of who has access to what

    • Keep spreadsheet of all user accounts and groups
    • Document purpose for elevated permissions
    • Track when access was granted and by whom
    • Include contact information for each user
    • Note access expiration dates where applicable
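The audit items above and in Security Recommendations (administrators without 2FA, stale or never-used accounts, users with no groups, temporary passwords still pending, too many administrators) can be run mechanically over an export of the backend user table. The script below is an added example, not part of the page or of Contao; the rows are constructed, and the field names are assumed to follow Contao's tl_user table (admin, disable, stop, lastLogin, useTwoFactor, pwChange, groups), where flags are stored as "1" or "" and dates as unix timestamps.

```python
import datetime as dt

DAY = 86400
# Fixed reference time so the run is reproducible.
NOW = int(dt.datetime(2024, 6, 1, tzinfo=dt.timezone.utc).timestamp())
STALE_AFTER = 90 * DAY      # quarterly review window
MAX_ADMINS = 3              # limit administrators to 2-3 people

# Constructed rows shaped like a tl_user export; every value is invented.
SAMPLE_USERS = [
    {"username": "alice", "admin": "1", "disable": "", "stop": "", "groups": [],
     "lastLogin": NOW - 3 * DAY, "useTwoFactor": "1", "pwChange": ""},
    {"username": "bob", "admin": "1", "disable": "", "stop": "", "groups": [],
     "lastLogin": NOW - 200 * DAY, "useTwoFactor": "", "pwChange": ""},
    {"username": "carol", "admin": "", "disable": "", "stop": "", "groups": [2],
     "lastLogin": NOW - 10 * DAY, "useTwoFactor": "", "pwChange": ""},
    {"username": "dave", "admin": "", "disable": "", "stop": "", "groups": [],
     "lastLogin": 0, "useTwoFactor": "", "pwChange": "1"},
    {"username": "erin", "admin": "", "disable": "1", "stop": "", "groups": [2],
     "lastLogin": NOW - 400 * DAY, "useTwoFactor": "", "pwChange": ""},
    {"username": "frank", "admin": "", "disable": "", "stop": str(NOW - 30 * DAY),
     "groups": [3], "lastLogin": NOW - 60 * DAY, "useTwoFactor": "", "pwChange": ""},
]


def is_enabled(user, now=NOW):
    """Enabled means not disabled and not past its deactivation date."""
    if user["disable"] == "1":
        return False
    stop = user["stop"]
    return not stop or int(stop) > now


def user_findings(user, now=NOW):
    """Per-account findings; disabled accounts are skipped (already contained)."""
    findings = []
    if user["disable"] == "1":
        return findings
    if user["stop"] and int(user["stop"]) <= now:
        findings.append("EXPIRED_NOT_DISABLED")   # login already blocked; disable and schedule deletion
    if user["admin"] == "1" and user["useTwoFactor"] != "1":
        findings.append("ADMIN_NO_2FA")
    if user["admin"] != "1" and not user["groups"]:
        findings.append("NO_GROUPS")              # orphaned: can log in, has no permissions
    if user["lastLogin"] == 0:
        findings.append("NEVER_LOGGED_IN")
    elif now - user["lastLogin"] > STALE_AFTER:
        findings.append("STALE")
    if user["pwChange"] == "1":
        findings.append("PW_CHANGE_PENDING")      # temporary credential still in circulation
    return sorted(findings)


def audit(users, now=NOW):
    """Returns ({username: findings} for accounts with findings, [global findings])."""
    per_user = {}
    for user in users:
        found = user_findings(user, now)
        if found:
            per_user[user["username"]] = found
    admins = [u["username"] for u in users if u["admin"] == "1" and is_enabled(u, now)]
    global_findings = []
    if len(admins) > MAX_ADMINS:
        global_findings.append(("TOO_MANY_ADMINS", len(admins)))
    return per_user, global_findings


if __name__ == "__main__":
    per_user, global_findings = audit(SAMPLE_USERS)
    for name, found in per_user.items():
        print(name, ", ".join(found))
    for code, count in global_findings:
        print(code, count)
```

On the sample rows this reports bob (an administrator without 2FA who has not logged in for 200 days), dave (an invitation that was never accepted: no login, no groups, forced password change still pending) and frank (an account past its deactivation date that was never formally disabled). Disabled accounts are deliberately skipped so the report stays focused on accounts that can still authenticate; feed it the real export and keep the output with the audit record the section above asks for.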

Group Management Strategy

  1. Standardize Groups: Create consistent group structures

    • Define groups by job function, not individual needs
    • Limit total number of groups (5-10 is typical)
    • Document the purpose and permissions of each group
    • Create naming conventions for groups
    • Maintain a permission matrix
  2. Group Permissions Review

    • Review group permissions when adding new modules
    • Test group permissions with test accounts
    • Document permission rationale
    • Update permissions as platform evolves
    • Communicate changes to affected users

Onboarding New Team Members

  1. Identify appropriate user group(s) for their role
  2. Create account with minimal initial permissions
  3. Provide Contao training materials and documentation
  4. Set up temporary elevated access for training if needed
  5. Configure pagemounts and filemounts for their work area
  6. Schedule follow-up review after 30 days
  7. Adjust permissions based on actual needs

Offboarding Departing Team Members

  1. Disable account immediately upon departure notification
  2. Review and transfer ownership of content/pages if needed
  3. Change any shared passwords or access codes the person knew, including the Contao Manager password and any deployment or database credentials
  4. Remove from all external tool access (GA4, GTM, etc.)
  5. Document the access removal in audit logs
  6. Keep account disabled for 30-90 days before deletion
  7. Archive or reassign their work as appropriate

Content Workflow Management

  1. Implement Approval Workflows

    • Contao core has no approval workflow; add a workflow extension where one is required
    • Require peer review for critical content
    • Separate content creation from publishing rights: the article "published" flag is an excluded field, so a group that is not granted it under Allowed excluded fields can write but not publish
    • Maintain staging environments for testing
  2. Version Control and Backups

    • Use Contao's built-in version history; each record keeps earlier versions that can be compared and restored from the backend
    • Implement regular backup schedules
    • Test restoration procedures
    • Document rollback processes
  3. Training and Documentation

    • Create internal documentation for common tasks
    • Provide role-specific training materials
    • Document custom permissions and workflows
    • Maintain contact list for support escalation

Frontend Member Management

  1. Registration Process

    • Implement email verification for new members
    • Consider approval workflow for sensitive sites
    • Use CAPTCHA to prevent automated signups
    • Configure welcome emails with instructions
  2. Member Data Management

    • Comply with GDPR and privacy regulations
    • Provide data export and deletion capabilities
    • Implement data retention policies
    • Regularly clean up inactive accounts

By implementing these user management practices, you can maintain a secure, efficient, and well-organized Contao installation while ensuring appropriate access control for your team, members, and analytics tools.