Concrete CMS User Management: Roles and Permissions | OpsBlu Docs

Manage users, groups, and page-level permissions in Concrete CMS (formerly Concrete5). Covers the group-based permission model, advanced permissions...

Concrete CMS (formerly Concrete5) uses a group-based permission system where users are assigned to groups, and groups are granted access to specific pages, file areas, and administrative functions. The platform supports two permission modes: Simple and Advanced.

Permission model overview

Concrete CMS has two permission modes, configured under System & Settings > Permissions & Access:

  • Simple Permissions -- Users are assigned to groups, and each group gets one of three page-level access types: View, Edit, or Admin. Suitable for small teams.
  • Advanced Permissions -- Enables granular control over individual pages, blocks, file folders, and system tasks. Permissions can be assigned to groups or individual users at any level of the content tree.

Most production sites should use Advanced Permissions for proper access control.

Built-in user groups

Concrete CMS ships with these default groups:

  • Administrators -- Full access to all CMS functionality including Dashboard, system configuration, user management, and file management. Members can access Dashboard > System & Settings and all administrative areas.
  • Site Editors -- Can edit page content in-context using the toolbar, add blocks, and manage pages they have permission to access. Cannot access system settings or user management.
  • Guest -- Represents unauthenticated visitors. Used to control what anonymous users can see.
  • Registered Users -- Any logged-in user. Used as a baseline for authenticated access without specific editorial privileges.

You can create custom groups under Dashboard > Members > Groups > Add Group.

Admin UI paths

User and group management is located in the Dashboard:

  • Users -- Dashboard > Members > User Search (/dashboard/users/search). Add, edit, deactivate, or delete user accounts.
  • Groups -- Dashboard > Members > Groups (/dashboard/users/groups). Create, edit, and nest groups.
  • Permissions (Simple) -- Set per-page via the page properties panel under the Permissions tab in the sitemap.
  • Permissions (Advanced) -- Per-page at Page Settings > Permissions, per-area and per-block via the in-context editor, system-wide at Dashboard > System & Settings > Permissions & Access.
  • Task Permissions (Advanced) -- Under Dashboard > System & Settings > Permissions & Access > Task Permissions, control who can access the dashboard, install packages, edit user accounts, use the sitemap, manage the file manager, send email, etc.

Adding a new user

  1. Go to Dashboard > Members > User Search > Add User
  2. Enter username, email, and password
  3. Assign the user to one or more groups
  4. Optionally set the user as validated/active immediately
  5. Save -- the user can log in at /login

Concrete CMS also supports public registration (configurable under Dashboard > System & Settings > Login & Registration) where visitors self-register and are placed into the Registered Users group.

API and programmatic access

Concrete CMS provides a REST API (v2, enabled as a package/feature):

  • API endpoints are documented at /ccm/api/v1/doc when enabled
  • Authentication uses OAuth 2.0 with API integrations configured under Dashboard > System & Settings > API Integrations
  • Each API integration (client) is created with a name, redirect URI, and client credentials
  • API clients inherit the permissions of the authenticated user -- there are no separate API-level scopes
  • For server-to-server integration, use the client credentials grant type

Legacy versions use a simpler API approach with token-based authentication.

Analytics and tracking permissions

Installing analytics on a Concrete CMS site involves different permission levels:

  • Header/Footer code injection -- Managed under Dashboard > System & Settings > SEO & Statistics > Tracking Codes. Requires Administrator group or a custom group with Task Permission for "Access the dashboard" and "Manage SEO & Statistics."
  • Google Analytics -- Concrete CMS has a built-in GA integration under Dashboard > System & Settings > SEO & Statistics > Analytics. Requires admin-level access.
  • Theme template editing -- For custom data layer implementation or advanced tag placement, edit theme files via Dashboard > Pages & Themes > Themes or directly on the filesystem. Requires developer/admin access.
  • Built-in statistics -- Page view counts are tracked natively and visible under Dashboard > Reports > Statistics. Any user with dashboard access and report viewing permissions can see this data.
  • Block-level tracking -- In Advanced Permissions mode, custom blocks can be restricted by group, which affects which analytics-related blocks (e.g., custom tracking snippets) appear on pages.

A Site Editor can manage page content but cannot add tracking scripts. Analytics installation requires Administrator access or specific task permissions for SEO & Statistics.
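The rule above can be checked against a site's group assignments. The following is an added example, not code from Concrete CMS or from this documentation: it lists which accounts can reach Tracking Codes, including accounts that hold the two task permissions only through a combination of groups. The data layout and the sample users and custom groups are constructed for illustration; it assumes task permissions are additive across a user's groups and does not model exclusions.

```python
# Added example: who can reach Tracking Codes (site-wide script injection)?
# Hypothetical data layout; sample users and custom groups are constructed.
REQUIRED_TASKS = {"Access the dashboard", "Manage SEO & Statistics"}
FULL_ACCESS_GROUPS = {"Administrators"}
OPEN_GROUPS = ("Guest", "Registered Users")  # membership is not hand-assigned

GROUP_TASKS = {  # constructed: task permissions granted to each group
    "Administrators": set(),  # full access regardless of task grants
    "Site Editors": {"Access the dashboard"},
    "SEO Team": {"Manage SEO & Statistics"},
    "Marketing": {"Access the dashboard", "Manage SEO & Statistics"},
    "Registered Users": set(),
}
USER_GROUPS = {  # constructed: explicit group membership per user
    "alice": ["Administrators"],
    "bob": ["Site Editors"],
    "carol": ["Marketing"],
    "dave": ["Site Editors", "SEO Team"],
    "gina": ["SEO Team"],
}

def injection_path(groups, group_tasks):
    """Return the sorted groups that give tracking-code access, or []."""
    admin = sorted(g for g in groups if g in FULL_ACCESS_GROUPS)
    if admin:
        return admin
    # Assumption: a user's permissions are the union over all their groups.
    held = set().union(*(group_tasks.get(g, set()) for g in groups))
    if REQUIRED_TASKS <= held:
        return sorted(g for g in groups
                      if group_tasks.get(g, set()) & REQUIRED_TASKS)
    return []

def audit(user_groups, group_tasks):
    """Map each user who can inject tracking code to the groups responsible."""
    findings = {}
    for user, groups in user_groups.items():
        # Every logged-in user is also a member of Registered Users.
        path = injection_path(set(groups) | {"Registered Users"}, group_tasks)
        if path:
            findings[user] = path
    return findings

def open_group_grants(group_tasks):
    """Flag Guest / Registered Users holding either required permission."""
    return {g: sorted(group_tasks.get(g, set()) & REQUIRED_TASKS)
            for g in OPEN_GROUPS if group_tasks.get(g, set()) & REQUIRED_TASKS}

if __name__ == "__main__":
    for user, path in audit(USER_GROUPS, GROUP_TASKS).items():
        print(f"{user}: can edit tracking codes via {', '.join(path)}")
```

A non-empty result from `open_group_grants` deserves attention first when public registration is enabled, because every self-registered account lands in Registered Users.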

Security features

  • Concrete CMS supports LDAP/Active Directory integration for enterprise SSO (via community packages or custom code)
  • Password requirements are configured under Dashboard > System & Settings > Login & Registration > Password Requirements
  • IP-based login throttling is built in to prevent brute-force attacks
  • Session settings (timeout, cookie configuration) are under Dashboard > System & Settings > Basics > Session
  • User activity is partially logged -- page edits are tracked in version history, but there is no comprehensive admin audit log by default
