Managing roles and permissions

  Written by The Jahia Team
 
Sysadmins

About roles and permissions

The permissions management system relies on combinations of permissions that define a role. For example, permissions allow the ability to access certain pages, to create content, to publish it, and to use certain tools.

You manage permissions in Administration>Server>Users and Roles>Roles and permissions.


Modules providing additional panels and features can also come with their own set of permissions. Such permissions will also be available in this screen.

Roles are a combination of several permissions. Jahia comes with predefined roles, but you can also create your own roles to meet your particular needs.

Role types

When you add a role, you decide which role type to create it in. The role types define the scope of a role: where it is useful and can be used. There are four role types:

  • Live roles
  • Edit roles
  • Site roles
  • Server roles

Live roles

Live roles define what a user can do in live mode. The most common use is granting access to a page or content in live with the "Read live" permission. The default Reader role has this permission and can be used to control whether your authenticated and non-authenticated visitors can see a published page or content in a page.

Live roles can also be used to grant users permission to perform specific actions or access specific features. For instance, a custom permission can control whether a user may comment on a blog entry.

Administrators can assign groups and users to these live roles using Content Editor.

Edit roles

Edit roles define how users can interact with content and use the Jahia backoffice.

Jahia provides a set of default edit roles:

  • Editor
    Users with this role can create content in a site, and request their publication (they cannot directly publish the content themselves). Editors do not have access to all Content Editor advanced options.
  • Editor in chief
    This role inherits from Editor, meaning that it provides additional permissions. Editors in chief can create content, but they can also directly publish sites and validate publication requests. Editors in chief have access to all advanced options in Content Editor: for instance, they can assign users and groups to edit and live roles, and they can set restrictions on the type of content to create in a list or in a content folder.
  • Reviewer
    A reviewer can only publish or validate publication requests. A reviewer cannot create or edit content.
  • Translator roles
    Translators can only edit content in a given language, and request the publication.

You can use these edit roles to give your users access to the additional features of jContent.

Administrators can assign groups and users to these edit roles using Content Editor.

Site roles

Site roles have site-wide permission settings, for example access to the site administration panel, or some additional features of jContent.

Jahia provides by default the Site administrator role. Find out more about Site administration and how to assign site roles to your users and groups.

Server roles

Server roles have permission settings on the server itself, including access to the Server Administration panel.

Jahia provides by default two server roles:

  • Server administrator
    This role is used to provide administrator privileges, including access to the different server administration panels.
  • Web designer
    Users with the Web designer role can access the studio. This is only available when Jahia is started in development mode.

You can assign users to these roles in Administration>Users and Roles>Server Roles.

For more information about permissions specific to each role type, see Setting permissions for a role.

Creating a role

When you create a role, you select a role type and name and then specify permissions for the role. After specifying permissions, you can optionally create localized role names, restrict the role to specific node types, and create subroles that inherit settings from the parent role.

To create a new role:

  1. Choose a role type (Live, Edit, Site or Server) in the dropdown list and enter a role name. The role name is the system name. The role name is also the default name as long as no specific labels are created. It is recommended to enter a short and descriptive title. You will not be able to change this value later on.
  2. Click Add role to create the new role.
  3. On the next page, you can now edit the new role’s properties.

Subroles

You can create subroles which inherit from an existing role and its set of permissions. A subrole can only have extended permissions compared to its parent role. Permissions from the parent role are copied and inherited automatically, including subsequent changes made to the parent role’s permissions.

To add a subrole:

  1. Click the Sub-roles tab, and enter a name for the new subrole.
    The newly created subrole is visible in the Roles list.
  2. Edit the role by clicking on its name.
Permissions inherited from the parent role are greyed out and cannot be edited.
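
The inheritance rules above, together with the cascade on delete that this page describes under "Deleting a role", can be modelled in a few lines to see which roles a change touches. This is an added example, not Jahia code or its storage format: the `RoleStore` class, its methods, and the role and permission names are hypothetical, and the sample roles are constructed.

```python
# Added illustration, not Jahia code: a minimal in-memory model of the subrole
# rules on this page. All class, method and permission names are hypothetical.
class RoleStore:
    def __init__(self):
        self.own = {}       # role name -> permissions set directly on the role
        self.parent = {}    # role name -> parent role name, or None

    def add(self, name, perms=(), parent=None):
        if parent is not None and parent not in self.own:
            raise KeyError(f"unknown parent role {parent!r}")
        self.own[name] = set(perms)
        self.parent[name] = parent

    def effective(self, name):
        # Resolved at read time, so later changes to a parent reach subroles.
        inherited = self.effective(self.parent[name]) if self.parent[name] else set()
        return inherited | self.own[name]

    def descendants(self, name):
        out = []
        for child, parent in self.parent.items():
            if parent == name:
                out += [child] + self.descendants(child)
        return out

    def grant(self, name, perm):
        """Grant perm on a role; return every role whose effective set widens."""
        widened = [r for r in [name] + self.descendants(name)
                   if perm not in self.effective(r)]
        self.own[name].add(perm)
        return widened

    def revoke(self, name, perm):
        # A subrole can only extend its parent: inherited permissions are
        # read-only on the subrole (greyed out in the UI).
        p = self.parent[name]
        if p and perm in self.effective(p):
            raise PermissionError(f"{perm!r} is inherited from {p!r}")
        self.own[name].discard(perm)

    def delete(self, name):
        """Deleting a role deletes its subroles too; return what was removed."""
        removed = [name] + self.descendants(name)
        for r in removed:
            del self.own[r], self.parent[r]
        return removed

def demo():
    store = RoleStore()
    store.add("editor", {"read", "write"})                    # constructed sample
    store.add("blog-editor", {"moderate-comments"}, parent="editor")
    return store, store.grant("editor", "publish")
```

The list returned by `grant` is the review point: a permission added to a parent role reaches every subrole, and through them every user or group holding one.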

Editing an existing role

To change the permissions for an existing role, click on the role’s name in the Roles list to edit its properties.

The screen displayed is the same as the properties screen shown after a new role is created. See "Creating a role" for more details. Click "Save" to apply any changes.

Specifying localized role names

A role is first defined by a system name, but can have an internationalized title. This title is used in most screens in preference to the system name. You can add a description for this role in multiple languages.

To specify localized role names:

  1. Click the Labels tab, choose a language and click the add icon.
  2. Provide a title and description to define how the role displays in this locale. You can also edit existing labels.
  3. Click Save.

Setting permissions for a role

You can define permissions for a role when creating or editing it.

To set permissions for a role:

  1. Select the Permissions tab. The summary view shows current permissions for this role.
  2. In the dropdown list, specify whether to set permissions for the current node, site, or server. Note that server permissions are only available for Server roles. The permission sets that are available differ depending on what you selected in the dropdown. Each permission set contains its own specific categories of rights.
  3. Click on the plus sign (+) beside a permission to show its subpermissions. Selecting the checkbox next to a parent permission also selects all its subpermissions, which can then be unchecked on an individual basis.
  4. To set permissions on the current node, specify permissions in one of the following tabs. These permissions apply to content items, pages, and more, as opposed to permissions global to a site.
    • Basic permissions
      Permissions include read, write and system-related, node-specific access control list (ACL) on the default workspace. Basic permissions apply mainly to editing interfaces.
    • Workflow tasks
      Permissions define the steps in the workflow that are allowed for this role.
    • Permissions on modules
      Permissions grant access to specific modules and their features, for example, Blog, Forum, and Wiki.
    • Other permissions
      All permissions including permissions that are usually not relevant for the current role on the current scope. Typically you do not need to assign permissions here, unless you have a unique use case.
  5. To set permissions on the current site, specify permissions in one of the following tabs. These permissions apply at site level.
    • User Interface
      Permissions manage access to sections of the editing interface, for example, editing and management interfaces.
    • Templates and Components
      Permissions allow creating content using certain content types (for example basic, social, and multimedia content) and creating pages using specific layout templates.
    • Site administration
      Permissions grant access to the administration panels of the Site Settings menu, for example Groups, Languages, and HTML settings. For more information about Site Settings, please see the features described in section two.
      Note: This tab is only visible to roles that have been created as Site roles.
    • Other permissions
      All permissions including permissions that are usually not relevant for the current role on the current scope. Typically you do not need to assign permissions here, unless you have a unique use case.
  6. To set permissions on the entire server, specify permissions in one of the following tabs (only accessible to Server roles). These are the permissions global to the server.
    • Basic permissions
      Permissions define simple read, write and system-related ACL permissions on the default workspace.
    • Server administration
      Permissions grant access to the different panels in Server Administration settings.
    • Other permissions
      All permissions including permissions that are usually not relevant for the current role on the current scope. Typically you do not need to assign permissions here, unless you have a unique use case.
  7. When you are finished setting permissions, click Save.

 

Restricting a role to a node type

You can define the node types (content types) to which a role applies. By default, a role can be granted to a user or group on any content type. When you select specific content types, the role appears in the access rights management interfaces for those types and is not available for other types. This prevents the access rights management interfaces from being overloaded and from confusing users by offering roles that would have no effect on the targeted object.

To restrict a role to a node type:

  1. Select the Nodetypes affected tab.
  2. Select one or more node types in the list. For example, for an Article editor role, only grant permissions to edit content items with the article type.
  3. Click Save.

Deleting a role

Select one or more roles by checking the box next to them, then click on the "Delete Role(s)" button.

The next screen asks you for confirmation. Deleting a role cannot be undone; please proceed with caution.

If the role that is to be deleted has sub-roles, they will be deleted as well.