Permission Mappings

The permission mappings configuration file assigns permissions to folders and objects in a Site, giving specific Roles rights to those objects. It contains the permission mappings for the roles defined in the role mappings config file. To grant rights to a Role, add permissions inside the <allowed-permissions> tag. Absence of a permission means the permission is denied. Each rule has a regular expression that governs the scope of the permissions assigned. A list of the permissions that can be granted to Roles follows the sample configuration file.

Permissions are defined per:

site > role > rule

For example, to grant the role component_author the ability to read/write components and read-only to everything else:

<role name="author">
    <rule regex="/site/website/.*">
      <allowed-permissions>
        <permission>Read</permission>
      </allowed-permissions>
    </rule>
    <rule regex="/site/components/.*">
      <allowed-permissions>
        <permission>Read</permission>
        <permission>Write</permission>
        <permission>Create Content</permission>
        <permission>Create Folder</permission>
      </allowed-permissions>
    </rule>
    <rule regex="/static-assets/.*">
      <allowed-permissions>
        <permission>Read</permission>
      </allowed-permissions>
    </rule>
</role>

A regex of “~DASHBOARD~” governs view access to the publishing workflow related dashboard widgets:

  • Items Waiting For Approval

  • Approved Scheduled Items

  • Recently Published

To grant a role the ability to view these dashboard widgets, simply grant the role the permission Publish to the scope ~DASHBOARD~. For example:

<rule regex="~DASHBOARD~">
  <allowed-permissions>
    <permission>Publish</permission>
  </allowed-permissions>
</rule>

To modify/view the permission mappings for your site in Studio, click on siteConfig at the bottom of the Sidebar, then click on Configurations and select Permissions Mapping from the dropdown list.

Configurations - Open Permission Mappings

Sample

{REPOSITORY_ROOT}/sites/SITENAME/config/studio/permission-mappings-config.xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- permission-mappings-config.xml

  This file contains the permissions mappings for the roles defined in
  role-mappings-config.xml.

  Permissions are defined per:
  site > role > rule

  Rules have a regex expression that governs the scope of the permissions assigned.

  Permissions are:
  - Read
  - Write
  - Create Content
  - Create Folder
  - Create Content Type
  - Publish

  Absence of permissions means the permission is denied.

  For example, to grant the role component_author the ability to read/write
  components and read-only to everything else:

      <role name="author">
          <rule regex="/site/website/.*">
            <allowed-permissions>
              <permission>Read</permission>
            </allowed-permissions>
          </rule>
          <rule regex="/site/components/.*">
            <allowed-permissions>
              <permission>Read</permission>
              <permission>Write</permission>
              <permission>Create Content</permission>
              <permission>Create Folder</permission>
            </allowed-permissions>
          </rule>
          <rule regex="/static-assets/.*">
            <allowed-permissions>
              <permission>Read</permission>
            </allowed-permissions>
          </rule>
      </role>

  A regex of "~DASHBOARD~" governs view access to the publishing workflow
  related dashboard widgets:
  - Items Waiting For Approval
  - Approved Scheduled Items
  - Recently Published

  To grant a role the ability to view these dashboard widgets, simply grant
  the role the permission Publish to the scope ~DASHBOARD~. For example:

      <rule regex="~DASHBOARD~">
        <allowed-permissions>
          <permission>Publish</permission>
        </allowed-permissions>
      </rule>

-->
<permissions>
    <role name="author">
      <rule regex="/site/website/.*">
        <allowed-permissions>
          <permission>Read</permission>
          <permission>Write</permission>
          <permission>Create Content</permission>
          <permission>Create Folder</permission>
        </allowed-permissions>
      </rule>
      <rule regex="/site/components/.*">
        <allowed-permissions>
          <permission>Read</permission>
          <permission>Write</permission>
          <permission>Create Content</permission>
          <permission>Create Folder</permission>
        </allowed-permissions>
      </rule>
      <rule regex="/static-assets/.*">
        <allowed-permissions>
          <permission>Read</permission>
          <permission>Write</permission>
          <permission>Create Content</permission>
          <permission>Create Folder</permission>
        </allowed-permissions>
      </rule>
    </role>
    <role name="publisher">
      <rule regex="/site/.*">
        <allowed-permissions>
          <permission>Read</permission>
          <permission>Write</permission>
          <permission>Create Content</permission>
          <permission>Create Folder</permission>
          <permission>Publish</permission>
        </allowed-permissions>
      </rule>
      <rule regex="^/site/(?!website/index\.xml)(.*)">
        <allowed-permissions>
          <permission>Delete</permission>
        </allowed-permissions>
      </rule>
      <rule regex="/static-assets/.*">
        <allowed-permissions>
          <permission>Read</permission>
          <permission>Write</permission>
          <permission>Delete</permission>
          <permission>Create Content</permission>
          <permission>Create Folder</permission>
          <permission>Publish</permission>
        </allowed-permissions>
      </rule>
      <rule regex="~DASHBOARD~">
        <allowed-permissions>
          <permission>Publish</permission>
        </allowed-permissions>
      </rule>
    </role>
    <role name="developer">
      <rule regex="/.*">
        <allowed-permissions>
          <permission>Read</permission>
          <permission>Write</permission>
          <permission>Publish</permission>
          <permission>Create Folder</permission>
          <permission>Create Content</permission>
          <permission>Change Content Type</permission>
        </allowed-permissions>
      </rule>
      <rule regex="^/(?!site/website/index\.xml)(.*)">
        <allowed-permissions>
          <permission>Delete</permission>
        </allowed-permissions>
      </rule>
      <rule regex="~DASHBOARD~">
        <allowed-permissions>
          <permission>Publish</permission>
        </allowed-permissions>
      </rule>
    </role>
    <role name="admin">
      <rule regex="/.*">
        <allowed-permissions>
          <permission>Read</permission>
          <permission>Write</permission>
          <permission>Publish</permission>
          <permission>Create Folder</permission>
          <permission>Create Content</permission>
          <permission>Change Content Type</permission>
        </allowed-permissions>
      </rule>
      <rule regex="^/(?!site/website/index\.xml)(.*)">
        <allowed-permissions>
          <permission>Delete</permission>
        </allowed-permissions>
      </rule>
      <rule regex="~DASHBOARD~">
        <allowed-permissions>
          <permission>Publish</permission>
        </allowed-permissions>
      </rule>
    </role>
    <role name="reviewer">
      <rule regex="/.*">
        <allowed-permissions>
          <permission>Read</permission>
          <permission>Publish</permission>
        </allowed-permissions>
      </rule>
      <rule regex="~DASHBOARD~">
        <allowed-permissions>
          <permission>Publish</permission>
        </allowed-permissions>
      </rule>
    </role>
    <role name="*">
      <rule regex="/.*">
        <allowed-permissions>
          <permission>Read</permission>
        </allowed-permissions>
      </rule>
    </role>
</permissions>
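To check what a set of rules actually grants before saving it, the sketch below resolves the permissions a user's roles receive on a given path. It is an added example, not Crafter Studio code, and it assumes that matching rules are additive, that a rule's regex must match the whole path, and that the role name "*" applies to every user; the function name and the trimmed config are constructed for illustration.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample: rules trimmed from the example and sample config on this page.
CONFIG = r"""<permissions>
  <role name="author">
    <rule regex="/site/website/.*">
      <allowed-permissions><permission>Read</permission></allowed-permissions>
    </rule>
    <rule regex="/site/components/.*">
      <allowed-permissions><permission>Read</permission><permission>Write</permission></allowed-permissions>
    </rule>
  </role>
  <role name="publisher">
    <rule regex="/site/.*">
      <allowed-permissions><permission>Read</permission><permission>Publish</permission></allowed-permissions>
    </rule>
    <rule regex="^/site/(?!website/index\.xml)(.*)">
      <allowed-permissions><permission>Delete</permission></allowed-permissions>
    </rule>
  </role>
  <role name="*">
    <rule regex="/.*">
      <allowed-permissions><permission>Read</permission></allowed-permissions>
    </rule>
  </role>
</permissions>"""

def effective_permissions(config_xml, roles, path):
    """Return the union of permissions from every rule that matches `path`.

    Assumptions (not stated on the page): rules are additive, the regex must
    match the full path, and role name "*" applies to every user.
    """
    granted = set()
    for role in ET.fromstring(config_xml).iter("role"):
        if role.get("name") not in roles and role.get("name") != "*":
            continue  # this role is not held by the user
        for rule in role.iter("rule"):
            if re.fullmatch(rule.get("regex"), path):
                granted.update(p.text.strip() for p in rule.iter("permission"))
    return granted  # anything absent from this set is denied

if __name__ == "__main__":
    for roles, path in [({"author"}, "/site/website/index.xml"),
                        ({"publisher"}, "/site/website/index.xml"),
                        ({"publisher"}, "/site/website/about/index.xml"),
                        (set(), "~DASHBOARD~")]:
        print(sorted(roles), path, sorted(effective_permissions(CONFIG, roles, path)))
```

The negative lookahead in the Delete rule keeps /site/website/index.xml out of its scope while every other path under /site/ stays deletable, and a catch-all /.* rule does not cover the ~DASHBOARD~ scope, which needs its own rule.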

Description

List of available permissions

| Permission | Description |
|---|---|
| Read | User is permitted to read content |
| Write | User is permitted to edit content |
| Delete | User is permitted to delete content |
| Request Delete | User is permitted to submit content for deletion (request delete from approver) |
| Create Folder | User is permitted to create new folder |
| Publish | User is permitted to approve submitted content for publishing or publish content |
| Create Content | User is permitted to create new content |
| Change Content Type | User is permitted to change content type |

  • /permissions/site/role@name
    Role name

  • /permissions/site/role/rule@regex
    Regular expression to filter paths where permission is applied. The value regex="~DASHBOARD~" is a special regular expression applied for content displayed in dashboard widgets only

  • /permissions/site/role/rule/allowed-permissions/permission
    Allowed permission for role and rule (possible values given in the table above)