Contao CMS uses a user group-based permission system. Permissions are highly granular, controlling access to backend modules, content elements, allowed HTML tags, page mount points, and file mount points.
User Types
Contao distinguishes between two user types:
| Type | Description | Permission Source |
|---|---|---|
| Administrator | Unrestricted access to all backend functions | Built-in (no group needed) |
| Regular User | Access controlled by user group membership | Assigned groups |
User Group Permissions
Each user group can be configured with:
Backend Modules
Control which admin sections are visible:
| Module | Description |
|---|---|
| Article | Content editing |
| Form Generator | Form management |
| Page Structure | Site tree management |
| File Manager | Media and file uploads |
| User Management | User/group administration |
| System Log | Audit logging |
| Template Editor | Template modification |
Content Element Restrictions
Groups can be restricted to specific content element types (text, image, gallery, HTML, etc.). This controls what type of content blocks a user can add to pages.
Mount Points
```
# Contao user group configuration (via admin UI)
# Page mount points: Restrict users to specific site tree branches
# File mount points: Restrict users to specific upload directories
#
# Example group: "Analytics Team"
# Page mounts: /analytics-landing-pages/
# File mounts: files/analytics-assets/
# Allowed modules: [article, file_manager]
# Allowed elements: [text, html, code]
```
Analytics-Relevant Permissions
To install analytics scripts, a user needs access to:
- Template Editor module (to edit `fe_page.html5` or layout templates)
- Page Layout settings (to add custom JavaScript includes)
- Or HTML content element permission (to add tracking via page content)
```php
<!-- templates/fe_page.html5 (custom template override) -->
<!-- Extend the core template so that block() and parent() resolve against it -->
<?php $this->extend('fe_page'); ?>
<!-- Add before </head> -->
<?php $this->block('head'); ?>
  <?php $this->parent(); ?>
  <script async src="https://www.googletagmanager.com/gtag/js?id=G-XXXXXXXXXX"></script>
  <script>
    window.dataLayer = window.dataLayer || [];
    function gtag(){dataLayer.push(arguments);}
    gtag('js', new Date());
    gtag('config', 'G-XXXXXXXXXX');
  </script>
<?php $this->endblock(); ?>
```
Custom Groups
Create groups via System > User Groups > New Group with specific module access, mount points, and element restrictions.
Best Practices
- Use mount points to isolate teams to their content areas
- Restrict HTML content element access to prevent script injection by editors
- Create a dedicated group for analytics with only Template Editor module access
- Administrators are exempt from all restrictions -- keep admin accounts minimal
- Use Contao's built-in system log to audit backend actions
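
The following is an added example, not part of Contao or of the original page: a small audit that lists which backend users can place JavaScript on the site through the three paths named under Analytics-Relevant Permissions. The permission keys (`template_editor`, `page_layout`), the group and user data, and the assumption that permissions from several groups add up are constructed for illustration and are not Contao's internal names.

```python
# Added example: audit which backend users can place JavaScript on the site.
# Permission keys are constructed for this sketch, not Contao's internal names.
SCRIPT_PATHS = {
    "modules": {"template_editor": "Template Editor module",
                "page_layout": "Page Layout settings"},
    "elements": {"html": "HTML content element"},
}

def script_paths(group):
    """Return the script-capable permissions a single group grants."""
    found = []
    for kind, risky in SCRIPT_PATHS.items():
        for key in group.get(kind, []):
            if key in risky:
                found.append(risky[key])
    return sorted(found)

def audit(users, groups):
    """Map each user to the reasons they can add scripts (empty list = cannot)."""
    report = {}
    for name, user in users.items():
        if user.get("admin"):
            # Administrators are exempt from all group restrictions.
            report[name] = ["administrator (unrestricted)"]
            continue
        reasons = set()
        for gname in user.get("groups", []):
            # Assumption: permissions from all assigned groups add up.
            for path in script_paths(groups.get(gname, {})):
                reasons.add(f"{path} via group '{gname}'")
        report[name] = sorted(reasons)
    return report

# Constructed sample data; "Analytics Team" mirrors the example group above.
GROUPS = {
    "Analytics Team": {"modules": ["article", "file_manager"],
                       "elements": ["text", "html", "code"]},
    "Editors": {"modules": ["article"], "elements": ["text", "image"]},
    "Tag Managers": {"modules": ["template_editor"], "elements": []},
}
USERS = {
    "root": {"admin": True},
    "alice": {"groups": ["Editors"]},
    "bob": {"groups": ["Editors", "Analytics Team"]},
    "carol": {"groups": ["Tag Managers"]},
}
if __name__ == "__main__":
    for user, reasons in audit(USERS, GROUPS).items():
        print(user, "->", reasons or "no script-capable permission")
```

In this sample, `bob` is flagged only because of his second group, which is why the audit works per user rather than per group.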