Ghost uses a fixed set of five staff roles with clearly defined permission boundaries. The role system is intentionally simple -- there are no custom roles, no per-post permissions, and no granular toggles. Each role is a strict superset of the one below it.
Permission model overview
Ghost's access control is straightforward:
- Staff Users -- People who log into the Ghost admin panel (yourdomain.com/ghost). Each is assigned one of five fixed roles.
- Members -- Subscribers to your publication (free or paid). Members do not have admin access. They are managed separately through the membership system.
- Integrations -- Automated API access using Content API keys or Admin API keys. Not tied to staff user accounts.
Staff roles are hierarchical: each higher role can do everything the lower roles can, plus additional capabilities.
The five staff roles
- Contributor -- Can create and edit their own draft posts. Cannot publish. Cannot edit other people's posts. Cannot access settings, members, or integrations. Useful for guest writers who need editorial review.
- Author -- Everything a Contributor can do, plus: can publish their own posts, manage their author profile, and view their own post analytics. Cannot edit or publish other people's posts.
- Editor -- Everything an Author can do, plus: can create, edit, and publish any post (including other authors' work). Can manage tags. Cannot access settings, integrations, or staff management.
- Administrator -- Everything an Editor can do, plus: can manage staff users, configure integrations, edit navigation, change themes, manage members and subscriptions, and access all site settings. Cannot change the site owner or billing.
- Owner -- Everything an Administrator can do, plus: can manage billing (on Ghost(Pro)), transfer ownership, and delete the site. Only one Owner per Ghost installation.
Managing staff users
Staff users are managed under Settings > Staff in the Ghost admin panel (/ghost/#/settings/staff).
Inviting a staff user:
- Go to Settings > Staff
- Click Invite people (at the top)
- Enter the email address and select a role
- Click Send invitation -- the user receives an email with a setup link
- The invitation appears in the "Invited" section until accepted
Changing a user's role:
- Go to Settings > Staff
- Click the user's name
- Change the Role dropdown
- Scroll down and click Save
Removing a staff user:
- Go to Settings > Staff
- Click the user's name
- Scroll to the bottom and click Delete user
- Choose whether to also delete their posts or reassign them to another author
- Confirm deletion
Integrations and API keys
Ghost has two API types, each with separate keys:
- Content API -- Read-only access to published content (posts, pages, tags, authors, settings). Keys are generated per-integration under Settings > Integrations. Content API keys are safe to use in frontend JavaScript.
- Admin API -- Full read-write access to all Ghost data including drafts, members, and settings. Uses JWT authentication with a secret key. Admin API keys must be kept server-side.
Creating a custom integration:
- Go to Settings > Integrations
- Scroll to the bottom and click Add custom integration
- Name the integration (e.g., "Analytics Pipeline," "CI/CD Publishing")
- Ghost generates a Content API key and an Admin API key
- Use the Content API key for read-only frontends, the Admin API key for content management automation
Each integration also gets a set of webhooks that can trigger on content events (post.published, page.deleted, etc.).
Built-in integrations (Zapier, Slack, etc.) are pre-configured and available under Settings > Integrations with their own API keys.
Analytics and tracking permissions
- Built-in analytics -- Ghost provides post-level analytics (views, email open rates, member signups) visible in the post editor and under Dashboard. Authors can see analytics for their own posts. Editors and above can see all post analytics.
- Members analytics -- Member growth, retention, and revenue data is visible under Members and Dashboard. Requires Administrator or Owner role.
- Google Analytics / external tracking -- Implemented by injecting code via Settings > Code Injection (Header and Footer fields). Only Administrators and the Owner can access Code Injection.
- Theme-level tracking -- For a custom data layer implementation, edit the theme's default.hbs file. This requires developer access to the theme files (via Settings > Design > Change theme > upload, or direct file access on self-hosted instances).
- Ghost(Pro) analytics -- On Ghost(Pro) hosting, additional traffic analytics may be available in the hosting dashboard, accessible only to the Owner.
Contributors and Authors cannot install or modify tracking code. Editors can manage content but cannot access Code Injection or settings. Only Administrators and the Owner can set up analytics tracking.
Member management vs. staff management
Ghost draws a clear line between staff (content creators/admins) and members (audience):
- Staff -- Manage under Settings > Staff. Limited by plan (Ghost(Pro) Starter: 1 staff; Creator: 2; Team: 5; Business: unlimited)
- Members -- Managed under the Members section. Unlimited on all plans. Members have tiers (free, paid) and can be imported/exported in CSV format. Member management requires Administrator role.
Security features
- Ghost supports Staff 2FA via TOTP apps (Google Authenticator, Authy, etc.) -- enabled per-user in their profile settings
- Password-protected sites -- Enable a simple site-wide password under Settings > General > Make this site private (separate from member authentication)
- Self-hosted Ghost supports custom authentication via reverse proxy headers or custom integrations, but the admin panel always uses Ghost's built-in auth
- Ghost(Pro) provides automatic SSL and DDoS protection
- There is no SSO, SCIM, or LDAP support for staff accounts
- Admin login attempts are rate-limited with progressive lockout
Sub-pages in this section
- Roles and Permissions -- Detailed capability matrix for each role and integration API scope reference
- Adding and Removing Users -- Staff invitation workflow, role changes, and secure offboarding procedures