Userroles
Userroles represent a functional privilege (aka Functional Role) which can be granted to users directly, or indirectly via the groups they are a member of. Userroles, and the functional privilege they represent, are global (a userrole is either held or not held for the whole repository) and are granted for the duration of a user's logged-in session.
Userrole configuration
Userroles are stored in the repository under the path /hippo:configuration/hippo:userroles, where the name of the userrole node is the userrole name.
Node type definitions
hipposys:userrole
[hipposys:userrole] > nt:base
  - hipposys:system (boolean)
  - hipposys:userroles (string) multiple
  - hipposys:description (string)
Name | Type | Required | Description
---|---|---|---
node name | String | yes | The name of the userrole
hipposys:system | boolean | no | Indicates that the userrole is protected and not allowed to be modified or deleted. All standard provided userroles are marked as system userroles and protected accordingly.
hipposys:userroles | String (multiple) | no | Other userroles implied by this userrole
hipposys:description | String | no | A description of the userrole
hipposys:userrolefolder
[hipposys:userrolefolder] > nt:base
  + * (hipposys:userrole) = hipposys:userrole
Standard provided userroles naming convention
The standard provided userroles are all named with the following convention:
<prefix>.<feature>.<function>
For brXM the prefix is always xm.
The standard provided userroles can furthermore be classified in three groups:
- Userroles representing a privilege required to access a feature within the CMS (aka feature 'toggles'), independent of or unrelated to specific repository content. When a userrole is only used for this purpose, it follows the naming convention xm.<feature>.user, for example xm.cms.user, xm.project.user, etc.
- Userroles which are primarily (to be) used for repository domain security authorization, meaning they are used to grant repository (data) specific privileges in the context of specific repository content and functionality. These userroles follow the naming convention xm.<feature>.<repository context specific role>, for example xm.content.editor, xm.channel.admin, xm.project.viewer.
- Convenience userroles which aggregate (imply) all the userroles needed for one of the standard provided groups (each of which is now, by default, configured with only that corresponding userrole). They can be used as the basis for custom groups with the same or further extended (userrole based) privileges, for example for LDAP provided groups. These userroles follow the naming convention xm.default-user.<group name>, for example xm.default-user.editor, xm.default-user.webmaster, xm.default-user.system-admin.
Note the slight deviation in the naming of xm.default-user.system-admin: this userrole is assigned to the default admin group, not to a (not default provided) system-admin group. This is for legacy and backwards compatibility reasons: the admin group effectively means the system-admin group.
The default provided userroles listed further below are grouped according to this classification.
CMS and Console access
Being able to log in to the CMS or Console application now requires a user to have a dedicated userrole, either:
- xm.cms.user: for login to the CMS
- xm.console.user: for login to the Console
Note: only regular users are allowed to log in through these applications. System users (users with the property hipposys:system set to true) are not, even if they have been granted one of the above userroles.
CMS Features access
Which CMS features are available (shown) to a user can be restricted by requiring a specific userrole. All (or most) top-level CMS features are themselves configured in the repository through frontend:plugin nodes, which are loaded for a user at (or after) login. All left-menu CMS features and a few deeper nested features are now restricted by a "feature toggle" userrole, configured through a hipposys:userrole property on the plugin node, for example:
/hippo:configuration/hippo:frontend/cms/hippo-channel-manager/channel-manager-perspective:
  jcr:primaryType: frontend:plugin
  frontend:appPath: experience-manager
  hipposys:userrole: xm.channel.user
A feature toggle only controls whether the feature is shown to the user; which repository content the user can then read or modify is governed by domain security and the repository-context userroles described above.
The following CMS features now require a specific userrole:
- Home: xm.dashboard.user
- Experience Manager: xm.channel.user
- Projects: xm.project.user
- Content: xm.content.user
  - Documents
    - Document Types: xm.system.admin
    - Url Rewriter: xm.urlrewriter.admin (since v14.2) or xm.repository.admin (v14.0-14.1)
    - Document search: xm.advanced-search.user
- Insights
  - Content reports: xm.report.user
    Note: the xm.report.user userrole is NOT automatically inherited (implied) by any of the default xm.default-user.* userroles, nor granted to any of the default provided groups, because it is typically only used/needed for (more) specific users/groups. Therefore the xm.report.user userrole needs to be explicitly granted by an implementation project to the desired users/groups!
- Audiences
  - Content audiences: xm.targeting.user
- Setup
  - System: xm.system.user
    - Users: xm.security.viewer
    - Groups: xm.security.viewer
    - Userroles: xm.security.viewer
    - Permissions: xm.security.viewer
    - Replication: xm.security.admin
    - System Information: xm.system.admin
    - System Properties: xm.system.admin
    - Updater Editor: xm.system.admin
  - Form data: xm.form.user
Example userrole configuration
/hippo:configuration:
  /hippo:userroles:
    /xm.content.user:
      jcr:primaryType: hipposys:userrole
      hipposys:system: true
    /xm.content.viewer:
      jcr:primaryType: hipposys:userrole
      hipposys:system: true
      hipposys:userroles: [xm.content.user]
    /my.content.viewer:
      jcr:primaryType: hipposys:userrole
      hipposys:userroles: [xm.content.viewer]
Here my.content.viewer is a custom (non-system) userrole that implies the standard xm.content.viewer, which in turn implies xm.content.user; a user or group granted my.content.viewer effectively holds all three.
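The following is an added example, not brXM code, showing how the implication in the configuration above resolves for a user and the checks an implementation project would want to run over its own userrole bootstrap before loading it: references to non-existent userroles, implication cycles, and attempts to modify a system userrole. The USERROLES dict mirrors the three nodes above; the user, group and the broken custom roles in the usage section are constructed for the example.

```python
"""Added example (not brXM code): resolve effective userroles from a
/hippo:configuration/hippo:userroles-style configuration and validate a custom
userrole bootstrap before it is loaded. All data below is constructed."""
from collections import deque

# Constructed: the three userroles from the example configuration above, as
# {name: {"system": hipposys:system, "userroles": hipposys:userroles}}.
USERROLES = {
    "xm.content.user":   {"system": True,  "userroles": []},
    "xm.content.viewer": {"system": True,  "userroles": ["xm.content.user"]},
    "my.content.viewer": {"system": False, "userroles": ["xm.content.viewer"]},
}

# Constructed user and group, modelled on hipposys:user / hipposys:group nodes:
# the user holds no direct userroles, the group grants my.content.viewer.
USER = {"name": "jane", "userroles": []}
GROUPS = [{"name": "content-readers", "members": ["jane"],
           "userroles": ["my.content.viewer"]}]


def implied_userroles(config, start):
    """Transitive closure over hipposys:userroles. Returns (effective, unknown);
    a reference to a userrole that does not exist is reported, not ignored."""
    effective, unknown = set(), set()
    queue = deque(start)
    while queue:
        role = queue.popleft()
        if role in effective:
            continue
        if role not in config:
            unknown.add(role)
            continue
        effective.add(role)
        queue.extend(config[role]["userroles"])
    return effective, unknown


def effective_userroles(config, user, groups):
    """Userroles granted directly plus via group membership, closed over
    implication. This is the set that is fixed for the login session."""
    granted = set(user["userroles"])
    for group in groups:
        if user["name"] in group["members"]:
            granted.update(group["userroles"])
    return implied_userroles(config, granted)


def find_cycle(config):
    """Return one implication cycle as a list of userrole names, or None."""
    WHITE, GREY, BLACK = 0, 1, 2
    state = dict.fromkeys(config, WHITE)
    for root in config:
        if state[root] != WHITE:
            continue
        state[root] = GREY
        path = [root]
        stack = [iter(config[root]["userroles"])]
        while stack:
            for child in stack[-1]:
                if child not in config or state[child] == BLACK:
                    continue
                if state[child] == GREY:          # back edge: cycle found
                    return path[path.index(child):] + [child]
                state[child] = GREY
                path.append(child)
                stack.append(iter(config[child]["userroles"]))
                break
            else:                                 # all children of top node done
                state[path.pop()] = BLACK
                stack.pop()
    return None


def check_custom_config(config, custom):
    """Problems to catch before bootstrapping custom userroles: touching a
    system userrole, dangling references, implication cycles."""
    problems = []
    for name in custom:
        if name in config and config[name]["system"]:
            problems.append(f"{name}: system userrole, must not be modified")
    merged = {**config, **custom}
    for name, role in custom.items():
        for implied in role["userroles"]:
            if implied not in merged:
                problems.append(f"{name}: implies unknown userrole {implied}")
    cycle = find_cycle(merged)
    if cycle:
        problems.append("implication cycle: " + " -> ".join(cycle))
    return problems


if __name__ == "__main__":
    print(effective_userroles(USERROLES, USER, GROUPS))
    # Constructed broken bootstrap: a cycle, a dangling reference, a system role overwrite.
    print(check_custom_config(USERROLES, {
        "my.a": {"system": False, "userroles": ["my.b"]},
        "my.b": {"system": False, "userroles": ["my.a", "xm.missing"]},
        "xm.content.user": {"system": False, "userroles": []},
    }))
```

Unknown references are collected rather than dropped because a silently ignored implied userrole is exactly how a group ends up with fewer, or later more, privileges than its bootstrap suggests.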
Default provided userroles
Userrole | Implied userroles | Description
---|---|---
xm.repository-browser.user | | Required to log in and use the repository servlet for querying and navigating through the repository content
xm.cms.user | xm.frontend-config.reader | Required to log in and use the CMS application
xm.console.user | xm.frontend-config.reader | Required to log in and use the Console application
xm.dashboard.user | | Required to view and use the Home (dashboard) menu and functionality within the CMS
xm.content.user | xm.advanced-search.user | Required to view and use the Content menu and functionality within the CMS
xm.report.user | | Required to view and use the Insights > Content Reports menu and functionality within the CMS. NOT granted or implied by default; requires explicit configuration. See also the note in the CMS Features access section above.
xm.system.user | | Required to view and use the Setup > System menu and functionality within the CMS
xm.channel.user | | Required to view and use the Experience Manager (Channels) menu and functionality within the CMS
xm.targeting.user | | Required to view and use the Audiences menu and functionality within the CMS
xm.project.user | | Required to view and use the Projects menu and functionality within the CMS
xm.advanced-search.user | | Required to view and use the Document Search menu and functionality within the CMS
xm.form.user | | Required to view and use the Setup > Form data menu and functionality within the CMS
xm.repository.admin | | Allows all repository (jcr:all and hippo:admin) privileges through role admin
xm.system.admin | xm.console.user, xm.repository.admin, xm.security.user-admin, xm.security.application-admin | Allows administration and use of system functionality and configuration like Document Types, Updater Editor, System Information, etc.
xm.security.viewer | xm.system.user | Allows viewing repository security configuration (users, groups, security domains, roles, userroles)
xm.security.user-admin | xm.security.viewer | Allows administration of users and groups; implies xm.security.viewer
xm.security.application-admin | xm.security.viewer | Allows administration of security domains, userroles and roles; implies xm.security.viewer
xm.content.viewer | xm.content.user | Allows viewing content through role readonly
xm.content.author | xm.content.viewer | Allows authoring (create, edit, move, rename, copy, delete) of content through role author
xm.content.editor | xm.content.author | Allows (de)publishing of content through role editor; implies xm.content.author
xm.content.admin | xm.content.editor | Allows unlocking content locked by another user through role admin; implies xm.content.editor
xm.repository.reader | | Allows repository read access everywhere through role readonly
xm.webfiles.reader | | Allows repository read access of webfiles through role readonly
xm.form.writer | | Allows reading and writing of delivery tier form data through role readwrite
xm.live-documents.reader | xm.webfiles.reader | Allows reading of live (published) documents through role readonly
xm.preview-documents.reader | xm.webfiles.reader | Allows reading of preview (unpublished) documents through role readonly
xm.channel.admin | xm.channel.webmaster | Allows administration of channels through role channel-admin; implies xm.channel.webmaster
xm.channel.webmaster | xm.channel.viewer | Allows editing and publishing channels through role channel-webmaster; implies xm.channel.viewer
xm.channel.viewer | xm.channel.user, xm.webfiles.reader | Allows viewing channels through role channel-viewer; implies xm.webfiles.reader
xm.frontend-config.reader | | Allows reading CMS and Console frontend configuration through role readonly
xm.targeting.viewer | xm.targeting.user | Allows viewing targeting configuration and data through role targeting-viewer
xm.targeting.editor | xm.targeting.viewer | Allows editing targeting configuration and data through role targeting-editor; implies xm.targeting.viewer
xm.project.viewer | xm.project.user | Allows viewing projects through role project-viewer
xm.project.editor | xm.project.viewer | Allows editing projects through role project-editor; implies xm.project.viewer
xm.project.admin | xm.project.editor | Allows administration of projects through role project-admin; implies xm.project.editor
xm.default-user.author | xm.cms.user, xm.dashboard.user, xm.content.author, xm.channel.viewer, xm.project.viewer | Implies all standard userroles needed for a default author user or group
xm.default-user.editor | xm.cms.user, xm.dashboard.user, xm.content.editor, xm.channel.viewer, xm.project.editor | Implies all standard userroles needed for a default editor user or group
xm.default-user.webmaster | xm.cms.user, xm.dashboard.user, xm.channel.webmaster, xm.project.editor, xm.targeting.editor | Implies all standard userroles needed for a default webmaster user or group
xm.default-user.cms-admin | xm.cms.user, xm.dashboard.user, xm.content.admin, xm.channel.admin, xm.project.admin, xm.targeting.editor, xm.form.user, xm.repository.admin, xm.security.user-admin, xm.security.application-admin | Implies all standard userroles needed for a default CMS administrator user or group
xm.default-user.system-admin | xm.cms.user, xm.dashboard.user, xm.content.admin, xm.channel.admin, xm.project.admin, xm.targeting.editor, xm.form.user, xm.system.admin, xm.security.user-admin, xm.security.application-admin | Implies all standard userroles needed for a default system administrator user or group
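The table above and the CMS Features access section together determine what a default group can see and where it can log in, but the answer is only visible after closing the implication chain. The following added example (not brXM code) audits that: IMPLIED is transcribed from the "Implied userroles" column, FEATURES from the feature toggle list, and the login check follows the CMS and Console access section, including the rule that system users are refused. Both dicts are constructed data for this example; the user records passed to can_login are constructed too.

```python
"""Added example (not brXM code): audit the default userrole hierarchy.
IMPLIED and FEATURES are transcribed from the documentation tables above."""

IMPLIED = {
    "xm.cms.user": ["xm.frontend-config.reader"],
    "xm.console.user": ["xm.frontend-config.reader"],
    "xm.content.user": ["xm.advanced-search.user"],
    "xm.system.admin": ["xm.console.user", "xm.repository.admin",
                        "xm.security.user-admin", "xm.security.application-admin"],
    "xm.security.viewer": ["xm.system.user"],
    "xm.security.user-admin": ["xm.security.viewer"],
    "xm.security.application-admin": ["xm.security.viewer"],
    "xm.content.viewer": ["xm.content.user"],
    "xm.content.author": ["xm.content.viewer"],
    "xm.content.editor": ["xm.content.author"],
    "xm.content.admin": ["xm.content.editor"],
    "xm.live-documents.reader": ["xm.webfiles.reader"],
    "xm.preview-documents.reader": ["xm.webfiles.reader"],
    "xm.channel.admin": ["xm.channel.webmaster"],
    "xm.channel.webmaster": ["xm.channel.viewer"],
    "xm.channel.viewer": ["xm.channel.user", "xm.webfiles.reader"],
    "xm.targeting.viewer": ["xm.targeting.user"],
    "xm.targeting.editor": ["xm.targeting.viewer"],
    "xm.project.viewer": ["xm.project.user"],
    "xm.project.editor": ["xm.project.viewer"],
    "xm.project.admin": ["xm.project.editor"],
    "xm.default-user.author": ["xm.cms.user", "xm.dashboard.user", "xm.content.author",
                               "xm.channel.viewer", "xm.project.viewer"],
    "xm.default-user.editor": ["xm.cms.user", "xm.dashboard.user", "xm.content.editor",
                               "xm.channel.viewer", "xm.project.editor"],
    "xm.default-user.webmaster": ["xm.cms.user", "xm.dashboard.user", "xm.channel.webmaster",
                                  "xm.project.editor", "xm.targeting.editor"],
    "xm.default-user.cms-admin": ["xm.cms.user", "xm.dashboard.user", "xm.content.admin",
                                  "xm.channel.admin", "xm.project.admin", "xm.targeting.editor",
                                  "xm.form.user", "xm.repository.admin",
                                  "xm.security.user-admin", "xm.security.application-admin"],
    "xm.default-user.system-admin": ["xm.cms.user", "xm.dashboard.user", "xm.content.admin",
                                     "xm.channel.admin", "xm.project.admin", "xm.targeting.editor",
                                     "xm.form.user", "xm.system.admin",
                                     "xm.security.user-admin", "xm.security.application-admin"],
}

# Feature toggles from the CMS Features access section (a representative subset).
FEATURES = {
    "Home": "xm.dashboard.user",
    "Experience Manager": "xm.channel.user",
    "Projects": "xm.project.user",
    "Content": "xm.content.user",
    "Content > Document search": "xm.advanced-search.user",
    "Content > Document Types": "xm.system.admin",
    "Insights > Content reports": "xm.report.user",
    "Audiences > Content audiences": "xm.targeting.user",
    "Setup > System": "xm.system.user",
    "Setup > System > Users": "xm.security.viewer",
    "Setup > System > Updater Editor": "xm.system.admin",
    "Setup > Form data": "xm.form.user",
}


def closure(roles):
    """All userroles held after following hipposys:userroles transitively."""
    seen, todo = set(), list(roles)
    while todo:
        role = todo.pop()
        if role not in seen:
            seen.add(role)
            todo.extend(IMPLIED.get(role, []))
    return seen


def visible_features(roles):
    """Feature toggles satisfied by the given userroles (directly or implied)."""
    effective = closure(roles)
    return {feature for feature, required in FEATURES.items() if required in effective}


def roles_implying(target):
    """Every userrole that, transitively, hands out the target userrole."""
    return {role for role in IMPLIED if target in closure([role])}


def can_login(user):
    """CMS needs xm.cms.user, Console needs xm.console.user; a system user
    (hipposys:system = true) is refused whatever userroles it holds."""
    if user["system"]:
        return {"cms": False, "console": False}
    effective = closure(user["userroles"])
    return {"cms": "xm.cms.user" in effective, "console": "xm.console.user" in effective}


if __name__ == "__main__":
    for group in ("author", "editor", "webmaster", "cms-admin", "system-admin"):
        role = f"xm.default-user.{group}"
        print(group, sorted(visible_features([role])), can_login({"system": False, "userroles": [role]}))
    print("roles implying xm.report.user:", roles_implying("xm.report.user"))
```

Two results worth noticing: xm.default-user.cms-admin can log in to the CMS but not the Console (it implies xm.repository.admin, not xm.system.admin), and xm.default-user.webmaster never sees the Content perspective because nothing in its chain implies xm.content.user.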