Permission Mappings
The permission mappings configuration file allows you to assign permissions to folders and objects in a Site, giving specific Roles rights to those objects. It contains the permission mappings for the roles defined in the role mappings config file. Rights are granted to a Role by adding permissions inside the <allowed-permissions> tag. Absence of permissions means the permission is denied. Each rule has a regular expression that governs the scope of the permissions assigned. A list of available permissions that can be granted to Roles is available after the sample configuration file.
- Permissions are defined per:
site > role > rule
For example, to grant the role component_author the ability to read/write components and read-only to everything else:
<role name="component_author">
  <rule regex="/site/website/.*">
    <allowed-permissions>
      <permission>Read</permission>
    </allowed-permissions>
  </rule>
  <rule regex="/site/components/.*">
    <allowed-permissions>
      <permission>Read</permission>
      <permission>Write</permission>
      <permission>Create Content</permission>
      <permission>Create Folder</permission>
    </allowed-permissions>
  </rule>
  <rule regex="/static-assets/.*">
    <allowed-permissions>
      <permission>Read</permission>
    </allowed-permissions>
  </rule>
</role>
A regex of “~DASHBOARD~” governs view access to the publishing workflow related dashboard widgets:
- Items Waiting For Approval
- Approved Scheduled Items
- Recently Published
To grant a role the ability to view these dashboard widgets, simply grant the role the permission Publish to the scope ~DASHBOARD~. For example:
<rule regex="~DASHBOARD~">
<allowed-permissions>
<permission>Publish</permission>
</allowed-permissions>
</rule>
To modify/view the permission mappings for your site in Studio, click on at the bottom of the Sidebar, then click on Configurations and select Permissions Mapping from the dropdown list.

Sample
<?xml version="1.0" encoding="UTF-8"?>
<!-- permission-mappings-config.xml
This file contains the permissions mappings for the roles defined in
role-mappings-config.xml.
Permissions are defined per:
site > role > rule
Rules have a regex expression that govern the scope of the permissions assigned.
Permissions are:
- add_remote
- cancel_failed_pull
- cancel_publish
- Change Content Type
- clone_content_cmis
- commit_resolution
- Create Content
- Create Folder
- Delete
- delete_content
- encryption_tool
- get_publishing_queue
- list_cmis
- list_remotes
- Publish
- pull_from_remote
- push_to_remote
- Read
- rebuild_database
- remove_remote
- resolve_conflict
- S3 Read
- S3 Write
- search_cmis
- site_diff_conflicted_file
- site_status
- upload_content_cmis
- webdav_read
- webdav_write
- Write
- write_configuration
Absence of permissions means the permission is denied.
For example, to grant the role component_author the ability to read/write
components and read-only to everything else:
<role name="author">
<rule regex="/site/website/.*">
<allowed-permissions>
<permission>Read</permission>
</allowed-permissions>
</rule>
<rule regex="/site/components/.*">
<allowed-permissions>
<permission>Read</permission>
<permission>Write</permission>
<permission>Create Content</permission>
<permission>Create Folder</permission>
</allowed-permissions>
</rule>
<rule regex="/static-assets/.*">
<allowed-permissions>
<permission>Read</permission>
</allowed-permissions>
</rule>
</role>
A regex of "~DASHBOARD~" governs view access to the publishing workflow
related dashboard widgets:
- Items Waiting For Approval
- Approved Scheduled Items
- Recently Published
To grant a role the ability to view these dashboard widgets, simply grant
the role the permission Publish to the scope ~DASHBOARD~. For example:
<rule regex="~DASHBOARD~">
<allowed-permissions>
<permission>Publish</permission>
</allowed-permissions>
</rule>
-->
<permissions>
<version>12</version>
<role name="author">
<rule regex="/site/website/.*">
<allowed-permissions>
<permission>Read</permission>
<permission>Write</permission>
<permission>Create Content</permission>
<permission>Create Folder</permission>
<permission>list_cmis</permission>
<permission>search_cmis</permission>
<permission>clone_content_cmis</permission>
<permission>upload_content_cmis</permission>
</allowed-permissions>
</rule>
<rule regex="/site/components|/site/components/.*">
<allowed-permissions>
<permission>Read</permission>
<permission>Write</permission>
<permission>Create Content</permission>
<permission>Create Folder</permission>
<permission>list_cmis</permission>
<permission>search_cmis</permission>
<permission>clone_content_cmis</permission>
<permission>upload_content_cmis</permission>
</allowed-permissions>
</rule>
<rule regex="/static-assets|/static-assets/.*">
<allowed-permissions>
<permission>Read</permission>
<permission>Write</permission>
<permission>Create Content</permission>
<permission>Create Folder</permission>
<permission>list_cmis</permission>
<permission>search_cmis</permission>
<permission>clone_content_cmis</permission>
<permission>upload_content_cmis</permission>
</allowed-permissions>
</rule>
<rule regex=".*">
<allowed-permissions>
<permission>S3 Read</permission>
<permission>S3 Write</permission>
</allowed-permissions>
</rule>
</role>
<role name="publisher">
<rule regex="/site/.*">
<allowed-permissions>
<permission>Read</permission>
<permission>Write</permission>
<permission>Create Content</permission>
<permission>Create Folder</permission>
<permission>Publish</permission>
<permission>list_cmis</permission>
<permission>search_cmis</permission>
<permission>clone_content_cmis</permission>
<permission>upload_content_cmis</permission>
</allowed-permissions>
</rule>
<rule regex="^/site/(?!website/index\.xml)(.*)">
<allowed-permissions>
<permission>Delete</permission>
<permission>delete_content</permission>
</allowed-permissions>
</rule>
<rule regex="/(static-assets|templates|scripts)/.*">
<allowed-permissions>
<permission>Read</permission>
<permission>Write</permission>
<permission>Delete</permission>
<permission>Create Content</permission>
<permission>Create Folder</permission>
<permission>Publish</permission>
<permission>list_cmis</permission>
<permission>search_cmis</permission>
<permission>clone_content_cmis</permission>
<permission>upload_content_cmis</permission>
<permission>delete_content</permission>
</allowed-permissions>
</rule>
<rule regex="~DASHBOARD~">
<allowed-permissions>
<permission>Publish</permission>
</allowed-permissions>
</rule>
<rule regex=".*">
<allowed-permissions>
<permission>S3 Read</permission>
<permission>S3 Write</permission>
</allowed-permissions>
</rule>
</role>
<role name="developer">
<rule regex="/.*">
<allowed-permissions>
<permission>Read</permission>
<permission>Write</permission>
<permission>Publish</permission>
<permission>Create Folder</permission>
<permission>Create Content</permission>
<permission>Change Content Type</permission>
<permission>list_cmis</permission>
<permission>search_cmis</permission>
<permission>clone_content_cmis</permission>
<permission>upload_content_cmis</permission>
<permission>write_configuration</permission>
<permission>encryption_tool</permission>
</allowed-permissions>
</rule>
<rule regex="^/(?!site/website/index\.xml)(.*)">
<allowed-permissions>
<permission>Delete</permission>
<permission>delete_content</permission>
<permission>write_configuration</permission>
</allowed-permissions>
</rule>
<rule regex="~DASHBOARD~">
<allowed-permissions>
<permission>Publish</permission>
</allowed-permissions>
</rule>
<rule regex=".*">
<allowed-permissions>
<permission>S3 Read</permission>
<permission>S3 Write</permission>
</allowed-permissions>
</rule>
</role>
<role name="admin">
<rule regex="/.*">
<allowed-permissions>
<permission>Read</permission>
<permission>Write</permission>
<permission>Publish</permission>
<permission>Create Folder</permission>
<permission>Create Content</permission>
<permission>Change Content Type</permission>
<permission>list_cmis</permission>
<permission>search_cmis</permission>
<permission>clone_content_cmis</permission>
<permission>upload_content_cmis</permission>
<permission>add_remote</permission>
<permission>list_remotes</permission>
<permission>pull_from_remote</permission>
<permission>push_to_remote</permission>
<permission>rebuild_database</permission>
<permission>remove_remote</permission>
<permission>write_configuration</permission>
<permission>site_status</permission>
<permission>resolve_conflict</permission>
<permission>site_diff_conflicted_file</permission>
<permission>commit_resolution</permission>
<permission>cancel_failed_pull</permission>
<permission>encryption_tool</permission>
</allowed-permissions>
</rule>
<rule regex="^/(?!site/website/index\.xml)(.*)">
<allowed-permissions>
<permission>Delete</permission>
</allowed-permissions>
</rule>
<rule regex="~DASHBOARD~">
<allowed-permissions>
<permission>Publish</permission>
<permission>add_remote</permission>
<permission>list_remotes</permission>
<permission>pull_from_remote</permission>
<permission>push_to_remote</permission>
<permission>rebuild_database</permission>
<permission>remove_remote</permission>
<permission>write_configuration</permission>
<permission>site_status</permission>
<permission>resolve_conflict</permission>
<permission>site_diff_conflicted_file</permission>
<permission>commit_resolution</permission>
<permission>cancel_failed_pull</permission>
<permission>encryption_tool</permission>
</allowed-permissions>
</rule>
<rule regex=".*">
<allowed-permissions>
<permission>S3 Read</permission>
<permission>S3 Write</permission>
</allowed-permissions>
</rule>
</role>
<role name="reviewer">
<rule regex="/.*">
<allowed-permissions>
<permission>Read</permission>
<permission>Publish</permission>
</allowed-permissions>
</rule>
<rule regex="~DASHBOARD~">
<allowed-permissions>
<permission>Publish</permission>
</allowed-permissions>
</rule>
<rule regex=".*">
<allowed-permissions>
<permission>S3 Read</permission>
</allowed-permissions>
</rule>
</role>
<role name="*">
<rule regex="/.*">
<allowed-permissions>
<permission>Read</permission>
</allowed-permissions>
</rule>
<rule regex=".*">
<allowed-permissions>
<permission>S3 Read</permission>
</allowed-permissions>
</rule>
</role>
</permissions>
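
The following is an added example, not part of the Crafter Studio documentation or code base. It evaluates a role's effective permissions on a path so a change to a rule's regex can be checked before it is deployed, using a trimmed, constructed copy of the publisher role above. The function names, and the matching semantics noted in the docstring, are assumptions.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample: a trimmed copy of the publisher role from the sample file.
CONFIG = r"""
<permissions>
  <role name="publisher">
    <rule regex="/site/.*">
      <allowed-permissions>
        <permission>Read</permission>
        <permission>Write</permission>
        <permission>Publish</permission>
      </allowed-permissions>
    </rule>
    <rule regex="^/site/(?!website/index\.xml)(.*)">
      <allowed-permissions>
        <permission>Delete</permission>
      </allowed-permissions>
    </rule>
    <rule regex="~DASHBOARD~">
      <allowed-permissions>
        <permission>Publish</permission>
      </allowed-permissions>
    </rule>
  </role>
</permissions>
"""

def explain(config_xml, role, path):
    """Map each granted permission to the rule regexes that granted it.

    Assumptions (not stated on the page): a rule applies only when its regex
    matches the whole path, and grants from all matching rules are combined.
    """
    grants = {}
    for role_el in ET.fromstring(config_xml).iter("role"):
        if role_el.get("name") != role:
            continue
        for rule in role_el.iter("rule"):
            if re.fullmatch(rule.get("regex"), path):
                for perm in rule.iter("permission"):
                    grants.setdefault(perm.text.strip(), []).append(rule.get("regex"))
    return grants

def is_allowed(config_xml, role, path, permission):
    # Absence of a grant means the permission is denied.
    return permission in explain(config_xml, role, path)

if __name__ == "__main__":
    for p in ("/site/website/about/index.xml", "/site/website/index.xml", "~DASHBOARD~"):
        print(p, sorted(explain(CONFIG, "publisher", p)))
```

Under these assumptions the negative lookahead in the second rule keeps Delete off /site/website/index.xml while every other path under /site/ still receives it, and a path that no rule matches gets no permissions at all.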
Description
List of available permissions
| Permission | Description |
|---|---|
| add_remote | User is permitted to add a remote repository |
| cancel_failed_pull | User is permitted to cancel a failed pull from a repository |
| cancel_publish | User is permitted to cancel a publish request |
| Change Content Type | User is permitted to change content type |
| clone_content_cmis | User is permitted to clone content from a CMIS repository |
| commit_resolution | User is permitted to commit resolution |
| Create Content | User is permitted to create new content |
| Create Folder | User is permitted to create new folder |
| Delete | User is permitted to delete content |
| delete_content | User is permitted to delete content using API v2 |
| encryption_tool | User is permitted to encrypt a text value |
| get_publishing_queue | User is permitted to get the list of packages in the publishing queue |
| list_cmis | User is permitted to list files and folders in a CMIS repository with an optional range for pagination |
| list_remotes | User is permitted to list remote repositories for a site |
| Publish | User is permitted to approve submitted content for publishing or publish content |
| pull_from_remote | User is permitted to pull content from remote repository to site content repository |
| push_to_remote | User is permitted to push content to remote repository from site content repository |
| Read | User is permitted to read content |
| rebuild_database | User is permitted to rebuild Crafter Studio’s database and object state with the underlying repository |
| remove_remote | User is permitted to remove remote repository from site content repository |
| resolve_conflict | User is permitted to resolve a conflict for a file by accepting ours or theirs |
| S3 Read | User is permitted to get a list of items from an S3 bucket |
| S3 Write | User is permitted to upload a file to an S3 bucket |
| search_cmis | User is permitted to search files and folders in a CMIS repository with an optional range for pagination |
| site_diff_conflicted_file | User is permitted to get the difference between |
| site_status | User is permitted to get status of repository for a site |
| upload_content_cmis | User is permitted to upload an asset file to CMIS repository |
| webdav_read | User is permitted to get a list of items from a WebDAV server |
| webdav_write | User is permitted to upload a file to a WebDAV server |
| Write | User is permitted to edit content |
| write_configuration | User is permitted to write configuration content for site |
/permissions/site/role@name
Role name
/permissions/site/role/rule@regex
Regular expression to filter paths where permission is applied. The value regex="~DASHBOARD~" is a special regular expression applied for content displayed in dashboard widgets only.
/permissions/site/role/rule/allowed-permissions/permission
Allowed permission for role and rule (possible values given in the table above)