Magnolia CMS uses a JCR-based permission system: access control lists (ACLs) are attached to roles, roles are assigned to users directly or through groups, and each ACL entry grants a permission level on a path (and, where so configured, its subtree) within one JCR workspace. Permissions are therefore defined per workspace and per path within that workspace, and the effective rights of a user are the combination of the ACLs of all roles they hold.
Built-in Roles
| Role | Pages App | Assets App | Configuration | Security | DAM | AdminCentral |
|---|---|---|---|---|---|---|
| superuser | Full | Full | Full | Full | Full | Full |
| editor | Read/Write | Read/Write | Read | No | Read/Write | Yes |
| publisher | Read/Write/Publish | Read/Write | Read | No | Read/Write | Yes |
| travel-demo-editor | Demo content only | Demo assets | No | No | Demo | Yes |
Workspace Permissions
Each role defines access per JCR workspace as a list of path rules. The same role appears again in the Custom Roles section below; the schema used here is the same:

```yaml
# Role definition (YAML format for light modules)
# /magnolia-home/modules/my-module/roles/analytics-manager.yaml
analytics-manager:
  workspace:
    website:
      rules:
        - path: /
          permissions: [read]
    config:
      rules:
        - path: /modules/google-analytics
          permissions: [read, write]
    dam:
      rules:
        - path: /
          permissions: [read]
  apps:
    - pages
    - assets
```
Permission Matrix
| Permission | superuser | editor | publisher | Custom: analytics-mgr |
|---|---|---|---|---|
| Read pages | Yes | Yes | Yes | Yes |
| Edit pages | Yes | Yes | Yes | No |
| Publish pages | Yes | No | Yes | No |
| Access configuration | Yes | Read | Read | Read/write on /modules/google-analytics, read on /server/rendering only |
| Manage users | Yes | No | No | No |
| Edit templates/components | Yes | No | No | No |
Custom Roles
Create roles via the Security app or YAML light modules:
```yaml
# light-module/roles/analytics-manager.yaml
analytics-manager:
  description: "Manages analytics integration configuration"
  workspace:
    config:
      rules:
        - path: /modules/google-analytics
          permissions: [read, write]
        - path: /server/rendering
          permissions: [read]
    website:
      rules:
        - path: /
          permissions: [read]
```
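To see how the path rules in the Workspace Permissions and Custom Roles sections turn into the rows of the Permission Matrix, here is a small resolver written for this page. It is an added example, not Magnolia's own code, and it assumes one resolution model: for a given node, the rule whose path is the most specific ancestor (or the node itself) decides, equally specific rules merge, and a narrower rule replaces a broader one rather than adding to it. The role table is constructed from the roles described on this page; the `restricted-editor` role is hypothetical and exists only to show a narrower read-only rule overriding read/write on `/`. The `root_write_grants` helper is the check a reviewer of a new role would run first: which workspaces does it write to from the root?

```python
"""Path-scoped ACL resolution for JCR workspaces.

Added example, not Magnolia code. Model (an assumption, since the page does not
spell out Magnolia's resolution order): rules are (path, permissions) per
workspace; the deepest rule path covering a node wins; ties merge; a narrower
rule therefore replaces a broader one. Role data is constructed from this page.
"""
from typing import Dict, List, Set, Tuple

# workspace -> list of (path, permissions)
Role = Dict[str, List[Tuple[str, Set[str]]]]

ALL = {"read", "write", "publish"}

ROLES: Dict[str, Role] = {
    "superuser": {ws: [("/", set(ALL))]
                  for ws in ("website", "dam", "config", "resources", "users")},
    "editor": {
        "website": [("/", {"read", "write"})],
        "dam": [("/", {"read", "write"})],
        "config": [("/", {"read"})],
    },
    "publisher": {
        "website": [("/", {"read", "write", "publish"})],
        "dam": [("/", {"read", "write"})],
        "config": [("/", {"read"})],
    },
    # the custom role from the Custom Roles section
    "analytics-manager": {
        "website": [("/", {"read"})],
        "config": [("/modules/google-analytics", {"read", "write"}),
                   ("/server/rendering", {"read"})],
    },
    # hypothetical: read/write everywhere except a read-only subtree
    "restricted-editor": {
        "website": [("/", {"read", "write"}), ("/legal", {"read"})],
    },
}


def _covers(rule_path: str, node_path: str) -> bool:
    """True if rule_path is node_path itself or one of its ancestors."""
    if rule_path == "/":
        return node_path.startswith("/")
    base = rule_path.rstrip("/")
    return node_path == base or node_path.startswith(base + "/")


def effective_permissions(roles: List[str], workspace: str, node_path: str) -> Set[str]:
    """Permissions a user holding `roles` has on node_path in workspace."""
    best_depth = -1
    granted: Set[str] = set()
    for role in roles:
        for path, perms in ROLES.get(role, {}).get(workspace, []):
            if not _covers(path, node_path):
                continue
            depth = 0 if path == "/" else path.rstrip("/").count("/")
            if depth > best_depth:        # a more specific rule replaces what we had
                best_depth, granted = depth, set(perms)
            elif depth == best_depth:     # equally specific rules merge
                granted |= perms
    return granted


def allowed(roles: List[str], workspace: str, node_path: str, action: str) -> bool:
    return action in effective_permissions(roles, workspace, node_path)


def root_write_grants(role: str) -> List[str]:
    """Workspaces in which `role` may write at "/": the first least-privilege smell."""
    return sorted(ws for ws, rules in ROLES.get(role, {}).items()
                  for path, perms in rules if path == "/" and "write" in perms)


if __name__ == "__main__":
    am = ["analytics-manager"]
    print(allowed(am, "config", "/modules/google-analytics/params", "write"))  # True
    print(allowed(am, "config", "/server/rendering/engine", "write"))          # False
    print(allowed(am, "website", "/travel/about", "write"))                    # False
    print(allowed(["restricted-editor"], "website", "/legal/terms", "write"))   # False
    print(root_write_grants("editor"), root_write_grants("analytics-manager"))
```

A user holding both `editor` and `analytics-manager` gets read/write under `/modules/google-analytics` but still only read on the rest of `config`, because the analytics rule is deeper than the editor's root rule. If Magnolia's real resolution differs from this model in some edge case, verify against a test user in the Security app before relying on a narrower rule to take rights away.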
Analytics-Relevant Permissions
Analytics scripts are added via Magnolia templates (FreeMarker):
```ftl
[#-- In your page template: /templates/pages/main.ftl --]
<head>
  [@cms.page /]
  [#-- Google Analytics --]
  <script async src="https://www.googletagmanager.com/gtag/js?id=G-XXXXXXXXXX"></script>
  <script>
    window.dataLayer = window.dataLayer || [];
    function gtag(){dataLayer.push(arguments);}
    gtag('js', new Date());
    gtag('config', 'G-XXXXXXXXXX');
  </script>
</head>
```
Template editing requires superuser access or a custom role with write access to the resources workspace. That covers only templates stored in the JCR; templates shipped in a light module live on the file system and are governed by who can deploy files to the server, not by JCR ACLs. Note also that the measurement ID is hard-coded above, so changing it needs template write access. If you move it into the config workspace so that the analytics-manager role can maintain it, treat that write permission as the ability to place script on every rendered page: validate the value's shape before it reaches the template instead of interpolating it raw.
Best Practices
- Use YAML-based light module roles for version-controlled, repeatable configuration
- Create a dedicated analytics-manager role whose config workspace access is limited to the /modules/google-analytics subtree rather than the whole workspace, and review any other config paths it gains (such as /server/rendering) as carefully
- Use the publisher role for content managers who need to push content live
- Restrict superuser accounts; most day-to-day tasks can be handled by editor or publisher
- Audit role assignments via the Security app in AdminCentral