Adding & Removing Users on Magnolia CMS

Magnolia CMS manages users through the Security app in the AdminCentral interface. Users are stored in Magnolia's JCR (Java Content Repository) workspace and can be synchronized with external directories via LDAP or JAAS modules.

How Magnolia User Management Works

Magnolia organizes users into three distinct realms:

• system -- Internal system users (e.g., superuser, anonymous). Do not modify these.
• admin -- Users who access the AdminCentral authoring interface
• public -- Front-end users for community or membership features

Each user belongs to one or more groups, and groups are assigned roles. Roles define access to apps, workspaces, and URI patterns.

Adding Users via AdminCentral

1. Log in to AdminCentral at https://your-site.com/.magnolia/admincentral
2. Open the Security app from the app launcher (grid icon)
3. Click the Users tab
4. Select the admin or public realm in the left tree
5. Click Add user in the action bar
6. Fill in the user form:
   • Name (login username, cannot contain spaces)
   • Full name (display name)
   • Password and Password confirmation
   • Email address
   • Language (interface language for AdminCentral)
   • Enabled checkbox (checked by default)
7. Click Save

Assigning Groups and Roles

After creating the user:

1. Open the user record in the Security app
2. Click the Groups tab
3. Click Add group and select from available groups (e.g., editors, publishers)
4. Click the Roles tab to verify inherited roles or add direct role assignments
5. Click Save

Adding Users via Magnolia CLI / REST

Magnolia's REST module exposes endpoints for user management:

# Create a new user via Magnolia REST API
curl -X PUT "https://your-site.com/.rest/nodes/v1/users/admin/jdeveloper" \
  -H "Content-Type: application/json" \
  -u "superuser:password" \
  -d '{
    "name": "jdeveloper",
    "type": "mgnl:user",
    "properties": [
      {"name": "name", "type": "String", "values": ["jdeveloper"]},
      {"name": "fullname", "type": "String", "values": ["Jane Developer"]},
      {"name": "email", "type": "String", "values": ["jane@company.com"]},
      {"name": "enabled", "type": "Boolean", "values": ["true"]},
      {"name": "pswd", "type": "String", "values": ["hashedPassword"]}
    ]
  }'

YAML-Based User Configuration (Light Modules)

For repeatable deployments, define users in a light module's YAML configuration:

# light-modules/my-project/users/admin/content-editor.yaml
name: content-editor
fullname: Content Editor
email: editor@company.com
enabled: true
groups:
  - editors
  - /publishers
language: en

Bootstrap this configuration with the magnolia-resources module during deployment.

Removing and Deactivating Users

Disabling Users (Recommended)

Disabling a user blocks their login without losing content attribution:

1. Open the Security app in AdminCentral
2. Navigate to the user in the Users tree
3. Open the user record
4. Uncheck the Enabled checkbox
5. Click Save

The disabled user cannot log in to AdminCentral or access protected front-end resources. All their authored content (pages, assets, content nodes) remains intact in the JCR workspace with full version history.

Permanent Deletion

1. In the Security app, navigate to the user
2. Select the user in the tree
3. Click Delete user in the action bar
4. Confirm the deletion in the dialog

What happens to their content:

• Content nodes in the JCR workspace retain the mgnl:lastModifiedBy and mgnl:createdBy properties as string values referencing the deleted username
• Workflow tasks assigned to the deleted user become orphaned (reassign before deletion)
• Activation history records preserve the username string
• Versions created by the user remain in the version store
• Audit log entries are immutable and retain the username

Deletion via JCR API (for automation)

import info.magnolia.cms.security.SecuritySupport;
import info.magnolia.cms.security.UserManager;

// Get the user manager for the admin realm
UserManager userManager = SecuritySupport.Factory.getInstance()
    .getUserManager("admin");

// Remove a user
userManager.removeUser("jdeveloper");

Bulk User Management

Groovy Script via AdminCentral

Use the Groovy app (enable the groovy module) for bulk operations:

import info.magnolia.cms.security.SecuritySupport
import info.magnolia.cms.security.UserManager

def userManager = SecuritySupport.Factory.getInstance().getUserManager("admin")

// Bulk disable users who haven't logged in recently
def inactiveEmails = [
    "olduser1@company.com",
    "olduser2@company.com",
    "contractor@agency.com"
]

inactiveEmails.each { email ->
    def user = userManager.getUser(email)
    if (user) {
        user.setEnabled(false)
        println "Disabled: ${user.name}"
    } else {
        println "Not found: ${email}"
    }
}

Bootstrap Import for Multiple Users

Create a bootstrap XML file for importing multiple users at once:

<?xml version="1.0" encoding="UTF-8"?>
<sv:node xmlns:sv="http://www.jcp.org/jcr/sv/1.0"
         xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
         sv:name="team-import">
  <sv:node sv:name="editor1">
    <sv:property sv:name="jcr:primaryType" sv:type="Name">
      <sv:value>mgnl:user</sv:value>
    </sv:property>
    <sv:property sv:name="name" sv:type="String">
      <sv:value>editor1</sv:value>
    </sv:property>
    <sv:property sv:name="fullname" sv:type="String">
      <sv:value>Editor One</sv:value>
    </sv:property>
    <sv:property sv:name="email" sv:type="String">
      <sv:value>editor1@company.com</sv:value>
    </sv:property>
    <sv:property sv:name="enabled" sv:type="Boolean">
      <sv:value>true</sv:value>
    </sv:property>
  </sv:node>
</sv:node>

Import via Tools > Import in AdminCentral.

LDAP and SSO Integration

LDAP Connector

Magnolia integrates with LDAP directories through the magnolia-jaas module:

1. Edit WEB-INF/config/jaas.config to add the LDAP login module:

magnolia {
  info.magnolia.jaas.sp.jcr.JCRAuthenticationModule requisite realm=admin;
  com.sun.security.auth.module.LdapLoginModule sufficient
    userProvider="ldap://ldap.company.com:389/ou=People,dc=company,dc=com"
    authIdentity="{USERNAME}"
    useSSL=false
    debug=true;
};

2. Configure user/group mapping in magnolia.properties:

magnolia.ldap.user.search.base=ou=People,dc=company,dc=com
magnolia.ldap.user.search.filter=(uid={0})
magnolia.ldap.group.search.base=ou=Groups,dc=company,dc=com
magnolia.ldap.group.search.filter=(member={0})

3. Restart the Magnolia instance
4. LDAP users can now log in with their directory credentials

SAML SSO (Enterprise Edition)

Magnolia Enterprise supports SAML 2.0 single sign-on:

1. Install the Magnolia SSO module
2. Configure WEB-INF/config/magnolia-sso.yaml:

callbackUrl: https://your-site.com/.auth
postLogoutRedirectUri: https://your-site.com
clients:
  saml:
    clientName: SAML2Client
    cfg: /WEB-INF/config/idp-metadata.xml
    destinationBindingType: POST
    serviceProviderEntityId: magnolia-cms
    serviceProviderMetadataPath: /WEB-INF/config/sp-metadata.xml
userFieldMappings:
  name: nameid
  fullname: displayName
  email: email
groups:
  - editors

Access Audit Checklist

• Review all admin-realm users in the Security app quarterly
• Check the Audit app (Enterprise) for login history and permission changes
• Verify that disabled users cannot access any AdminCentral URLs
• Review group memberships: ensure no user has both editors and publishers roles unless intentional
• Check that LDAP sync is running correctly by reviewing magnolia.log for LdapLoginModule entries
• Document all user changes in your deployment changelog