ProcessWire uses a unique page-based permission system where roles, users, and permissions are all represented as pages in the admin tree. This makes the permission system extremely flexible.
Built-in Roles
| Role | Admin Access | Edit Pages | Add Pages | Delete Pages | Manage Users | Superuser |
|---|---|---|---|---|---|---|
| superuser | Yes | Yes | Yes | Yes | Yes | Yes |
| guest | No | No | No | No | No | No |
All other roles are custom-created.
Permission Architecture
Permissions in ProcessWire are pages stored under /processwire/access/permissions/:
// Built-in permissions (stored as pages)
// page-view - View pages on the front-end
// page-edit - Edit pages in the admin
// page-add - Add new child pages
// page-delete - Move pages to trash
// page-sort - Sort/move pages
// page-template - Change a page's template
// user-admin - Administer users
// Custom permissions can be created as pages:
$permission = new Page();
$permission->template = 'permission';
$permission->parent = '/processwire/access/permissions/';
$permission->name = 'analytics-manage';
$permission->title = 'Manage Analytics';
$permission->save();
Template-Level Permissions
Permissions are assigned per role AND per template:
// Assign permissions via the admin:
// Setup > Templates > [template_name] > Access tab
//
// For each role, you can set:
// - View pages using this template
// - Edit pages using this template
// - Add children to pages using this template
// - Create pages using this template
Custom Roles
Create roles via Access > Roles > Add New:
// Create a role programmatically
$role = new Page();
$role->template = 'role';
$role->parent = '/processwire/access/roles/';
$role->name = 'analytics-manager';
$role->title = 'Analytics Manager';
$role->save();
// Add permissions to the role
$role->addPermission('page-view');
$role->addPermission('page-edit');
$role->save();
// Then in template access settings, grant this role
// edit access to the "analytics-settings" template
Analytics-Relevant Permissions
Analytics scripts are typically added in template files, which requires file system access or a custom admin field:
<?php // site/templates/_head.php (included in all templates) ?>
<head>
<meta charset="utf-8">
<title><?= $page->title ?></title>
<?php // Analytics tracking - managed via admin field or template file ?>
<script async src="https://www.googletagmanager.com/gtag/js?id=G-XXXXXXXXXX"></script>
<script>
window.dataLayer = window.dataLayer || [];
function gtag(){dataLayer.push(arguments);}
gtag('js', new Date());
gtag('config', 'G-XXXXXXXXXX');
</script>
</head>
Best Practices
- Create purpose-specific roles (e.g., "Content Editor", "Analytics Manager")
- Use template-level access to restrict which content types each role can edit
- Create a custom permission for analytics management rather than granting broad page-edit
- ProcessWire's page-based permissions are very flexible -- leverage template access controls
- Use the
$user->hasPermission()API for custom access control in template files