ExpressionEngine Roles & Permissions | OpsBlu Docs

ExpressionEngine Roles & Permissions

ExpressionEngine role groups -- Super Admin, member groups, channel permissions, and template access control.

ExpressionEngine (EE) uses a member group system with granular permissions. EE7+ calls these "Roles" while earlier versions use "Member Groups."

Built-in Roles

Role CP Access Manage Members Edit All Channels Manage Templates System Settings Add-ons
Super Admin Yes Yes Yes Yes Yes Yes
Members No No No No No No
Pending No No No No No No
Banned No No No No No No

Super Admin is the only built-in role with control panel (CP) access. Additional roles must be created.

Creating Custom Roles

Navigate to Members > Roles > New Role in the Control Panel:

// Common custom roles for ExpressionEngine:
// "Content Editor"  - CP access, channel entry editing, file upload
// "Designer"        - CP access, template editing, file upload
// "Analytics Admin" - CP access, template editing (for head scripts)
// "Moderator"       - CP access, comment moderation
  1. Go to Members > Roles > New Role
  2. Name: "Analytics Manager"
  3. Under Control Panel Access: Enable
  4. Under Template Manager: Enable "Can access Template Manager"
  5. Under Channel Assignment: Leave unchecked (no content editing needed)
  6. Save

Permission Matrix (Custom Roles)

Permission Super Admin Content Editor Designer Analytics Mgr
Control Panel access Yes Yes Yes Yes
Edit entries (assigned channels) Yes Yes No No
Manage templates Yes No Yes Yes
Access file manager Yes Yes Yes No
Manage members Yes No No No
Access system settings Yes No No No
Install add-ons Yes No No No

Analytics-Relevant Permissions

Template editing permission is required to add analytics scripts:

{!-- In your EE template group, edit the _layout template --}
{!-- Templates > Template Manager > [group] > _layout --}
<head>
  {exp:channel:entries channel="site_settings" limit="1"}
    {if tracking_enabled == "yes"}
      <script async src="https://www.googletagmanager.com/gtag/js?id={ga_measurement_id}"></script>
      <script>
        window.dataLayer = window.dataLayer || [];
        function gtag(){dataLayer.push(arguments);}
        gtag('js', new Date());
        gtag('config', '{ga_measurement_id}');
      </script>
    {/if}
  {/exp:channel:entries}
</head>

Best Practices

  1. Never give Super Admin to non-technical users -- create appropriate custom roles
  2. Use channel-specific permissions to restrict editors to their content areas
  3. Create a dedicated Analytics Manager role with only template access
  4. Use EE's built-in CP log (Developer > Logs > Control Panel) to audit changes
  5. Restrict template editing to minimize accidental script removal
Back to top