Permission Mappings

The permission mappings configuration file assigns permissions to folders and objects in a Site, giving specific Roles rights over those objects. It contains the permission mappings for the roles defined in the role mappings config file. Rights are granted to a Role by listing permissions inside the <allowed-permissions> tag; absence of a permission means that permission is denied. Each rule carries a regular expression that governs the scope (the paths) to which its permissions apply. A list of the permissions that can be granted to Roles follows the sample configuration file.

Permissions are defined per:

site > role > rule

For example, to grant the role component_author the ability to read/write components and read-only to everything else:

<role name="component_author">
  <rule regex="/site/website/.*">
    <allowed-permissions>
      <permission>Read</permission>
    </allowed-permissions>
  </rule>
  <rule regex="/site/components/.*">
    <allowed-permissions>
      <permission>Read</permission>
      <permission>Write</permission>
      <permission>Create Content</permission>
      <permission>Create Folder</permission>
    </allowed-permissions>
  </rule>
  <rule regex="/static-assets/.*">
    <allowed-permissions>
      <permission>Read</permission>
    </allowed-permissions>
  </rule>
</role>

A regex of "~DASHBOARD~" governs view access to the publishing workflow related dashboard widgets:

  • Items Waiting For Approval

  • Approved Scheduled Items

  • Recently Published

To grant a role the ability to view these dashboard widgets, simply grant the role the permission Publish to the scope ~DASHBOARD~. For example:

<rule regex="~DASHBOARD~">
  <allowed-permissions>
    <permission>Publish</permission>
  </allowed-permissions>
</rule>
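To see how the site > role > rule model and its deny-by-default semantics play out, here is an added example (not part of this page or of Crafter Studio) that loads a constructed permission mappings fragment with the component_author role from above, then answers "does role R have permission P on path X?". It assumes the rule regex is matched against the whole path and that ~DASHBOARD~ is a literal scope marker rather than a regex.

```python
import re
import xml.etree.ElementTree as ET
# Constructed sample in the page's format: the component_author role from the
# text plus the ~DASHBOARD~ rule, inside the <permissions> root element.
SAMPLE_XML = """<permissions>
  <role name="component_author">
    <rule regex="/site/website/.*">
      <allowed-permissions><permission>Read</permission></allowed-permissions>
    </rule>
    <rule regex="/site/components/.*">
      <allowed-permissions>
        <permission>Read</permission>
        <permission>Write</permission>
        <permission>Create Content</permission>
        <permission>Create Folder</permission>
      </allowed-permissions>
    </rule>
    <rule regex="~DASHBOARD~">
      <allowed-permissions><permission>Publish</permission></allowed-permissions>
    </rule>
  </role>
</permissions>"""

def load_rules(xml_text):
    """Map each role name to its list of (regex, set of permissions) rules."""
    rules = {}
    for role in ET.fromstring(xml_text).iter("role"):
        entries = []
        for rule in role.findall("rule"):
            perms = {p.text.strip() for p in rule.iter("permission") if p.text}
            entries.append((rule.get("regex"), perms))
        rules[role.get("name")] = entries
    return rules

def allowed(rules, role, path, permission):
    """Deny by default: grant only if a rule of this role whose scope matches
    the path lists the permission. Unknown roles get nothing."""
    for regex, perms in rules.get(role, []):
        if regex == "~DASHBOARD~":
            # Assumption: the dashboard scope is a literal marker, not a regex.
            in_scope = path == "~DASHBOARD~"
        else:
            # Assumption: Studio matches the regex against the whole path.
            in_scope = re.fullmatch(regex, path) is not None
        if in_scope and permission in perms:
            return True
    return False

RULES = load_rules(SAMPLE_XML)
```

Note that the folder path "/site/components" itself does not match "/site/components/.*", which is why the shipped sample file below scopes its rules as "/site/components|/site/components/.*".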

To modify/view the permission mappings for your site in Studio, click on siteConfig at the bottom of the Sidebar, then click on Configurations and select Permissions Mapping from the dropdown list.

Figure: Configurations - Open Permission Mappings

Sample

CRAFTER_HOME/data/repos/sites/SITENAME/sandbox/config/studio/permission-mappings-config.xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- permission-mappings-config.xml

  This files contains the permissions mappings for the roles defined in
  role-mappings-config.xml.

  Permissions are defined per:
  site > role > rule

  Rules have a regex expression that govern the scope of the permissions assigned.

  Permissions are:
  - add_remote
  - cancel_failed_pull
  - cancel_publish
  - Change Content Type
  - clone_content_cmis
  - commit_resolution
  - Create Content
  - Create Folder
  - Delete
  - delete_content
  - encryption_tool
  - get_publishing_queue
  - list_cmis
  - list_remotes
  - Publish
  - pull_from_remote
  - push_to_remote
  - Read
  - rebuild_database
  - remove_remote
  - resolve_conflict
  - S3 Read
  - S3 Write
  - search_cmis
  - site_diff_conflicted_file
  - site_status
  - upload_content_cmis
  - webdav_read
  - webdav_write
  - Write
  - write_configuration

  Absence of permissions means the permission is denied.

  For example, to grant the role component_author the ability to read/write
  components and read-only to everything else:

      <role name="author">
          <rule regex="/site/website/.*">
            <allowed-permissions>
              <permission>Read</permission>
            </allowed-permissions>
          </rule>
          <rule regex="/site/components/.*">
            <allowed-permissions>
              <permission>Read</permission>
              <permission>Write</permission>
              <permission>Create Content</permission>
              <permission>Create Folder</permission>
            </allowed-permissions>
          </rule>
          <rule regex="/static-assets/.*">
            <allowed-permissions>
              <permission>Read</permission>
            </allowed-permissions>
          </rule>
      </role>

  A regex of "~DASHBOARD~" governs view access to the publishing workflow
  related dashboard widgets:
  - Items Waiting For Approval
  - Approved Scheduled Items
  - Recently Published

  To grant a role the ability to view these dashboard widgets, simply grant
  the role the permission Publish to the scope ~DASHBOARD~. For example:

      <rule regex="~DASHBOARD~">
        <allowed-permissions>
          <permission>Publish</permission>
        </allowed-permissions>
      </rule>

-->
<permissions>
  <version>12</version>
  <role name="author">
    <rule regex="/site/website/.*">
      <allowed-permissions>
        <permission>Read</permission>
        <permission>Write</permission>
        <permission>Create Content</permission>
        <permission>Create Folder</permission>
        <permission>list_cmis</permission>
        <permission>search_cmis</permission>
        <permission>clone_content_cmis</permission>
        <permission>upload_content_cmis</permission>
      </allowed-permissions>
    </rule>
    <rule regex="/site/components|/site/components/.*">
      <allowed-permissions>
        <permission>Read</permission>
        <permission>Write</permission>
        <permission>Create Content</permission>
        <permission>Create Folder</permission>
        <permission>list_cmis</permission>
        <permission>search_cmis</permission>
        <permission>clone_content_cmis</permission>
        <permission>upload_content_cmis</permission>
      </allowed-permissions>
    </rule>
    <rule regex="/static-assets|/static-assets/.*">
      <allowed-permissions>
        <permission>Read</permission>
        <permission>Write</permission>
        <permission>Create Content</permission>
        <permission>Create Folder</permission>
        <permission>list_cmis</permission>
        <permission>search_cmis</permission>
        <permission>clone_content_cmis</permission>
        <permission>upload_content_cmis</permission>
      </allowed-permissions>
    </rule>
    <rule regex=".*">
      <allowed-permissions>
        <permission>S3 Read</permission>
        <permission>S3 Write</permission>
      </allowed-permissions>
    </rule>
  </role>
  <role name="publisher">
    <rule regex="/site/.*">
      <allowed-permissions>
        <permission>Read</permission>
        <permission>Write</permission>
        <permission>Create Content</permission>
        <permission>Create Folder</permission>
        <permission>Publish</permission>
        <permission>list_cmis</permission>
        <permission>search_cmis</permission>
        <permission>clone_content_cmis</permission>
        <permission>upload_content_cmis</permission>
      </allowed-permissions>
    </rule>
    <rule regex="^/site/(?!website/index\.xml)(.*)">
      <allowed-permissions>
        <permission>Delete</permission>
        <permission>delete_content</permission>
      </allowed-permissions>
    </rule>
    <rule regex="/(static-assets|templates|scripts)/.*">
      <allowed-permissions>
        <permission>Read</permission>
        <permission>Write</permission>
        <permission>Delete</permission>
        <permission>Create Content</permission>
        <permission>Create Folder</permission>
        <permission>Publish</permission>
        <permission>list_cmis</permission>
        <permission>search_cmis</permission>
        <permission>clone_content_cmis</permission>
        <permission>upload_content_cmis</permission>
        <permission>delete_content</permission>
      </allowed-permissions>
    </rule>
    <rule regex="~DASHBOARD~">
      <allowed-permissions>
        <permission>Publish</permission>
      </allowed-permissions>
    </rule>
    <rule regex=".*">
      <allowed-permissions>
        <permission>S3 Read</permission>
        <permission>S3 Write</permission>
      </allowed-permissions>
    </rule>
  </role>
  <role name="developer">
    <rule regex="/.*">
      <allowed-permissions>
        <permission>Read</permission>
        <permission>Write</permission>
        <permission>Publish</permission>
        <permission>Create Folder</permission>
        <permission>Create Content</permission>
        <permission>Change Content Type</permission>
        <permission>list_cmis</permission>
        <permission>search_cmis</permission>
        <permission>clone_content_cmis</permission>
        <permission>upload_content_cmis</permission>
        <permission>write_configuration</permission>
        <permission>encryption_tool</permission>
      </allowed-permissions>
    </rule>
    <rule regex="^/(?!site/website/index\.xml)(.*)">
      <allowed-permissions>
        <permission>Delete</permission>
        <permission>delete_content</permission>
        <permission>write_configuration</permission>
      </allowed-permissions>
    </rule>
    <rule regex="~DASHBOARD~">
      <allowed-permissions>
        <permission>Publish</permission>
      </allowed-permissions>
    </rule>
    <rule regex=".*">
      <allowed-permissions>
        <permission>S3 Read</permission>
        <permission>S3 Write</permission>
      </allowed-permissions>
    </rule>
  </role>
  <role name="admin">
    <rule regex="/.*">
      <allowed-permissions>
        <permission>Read</permission>
        <permission>Write</permission>
        <permission>Publish</permission>
        <permission>Create Folder</permission>
        <permission>Create Content</permission>
        <permission>Change Content Type</permission>
        <permission>list_cmis</permission>
        <permission>search_cmis</permission>
        <permission>clone_content_cmis</permission>
        <permission>upload_content_cmis</permission>
        <permission>add_remote</permission>
        <permission>list_remotes</permission>
        <permission>pull_from_remote</permission>
        <permission>push_to_remote</permission>
        <permission>rebuild_database</permission>
        <permission>remove_remote</permission>
        <permission>write_configuration</permission>
        <permission>site_status</permission>
        <permission>resolve_conflict</permission>
        <permission>site_diff_conflicted_file</permission>
        <permission>commit_resolution</permission>
        <permission>cancel_failed_pull</permission>
        <permission>encryption_tool</permission>
      </allowed-permissions>
    </rule>
    <rule regex="^/(?!site/website/index\.xml)(.*)">
      <allowed-permissions>
        <permission>Delete</permission>
      </allowed-permissions>
    </rule>
    <rule regex="~DASHBOARD~">
      <allowed-permissions>
        <permission>Publish</permission>
        <permission>add_remote</permission>
        <permission>list_remotes</permission>
        <permission>pull_from_remote</permission>
        <permission>push_to_remote</permission>
        <permission>rebuild_database</permission>
        <permission>remove_remote</permission>
        <permission>write_configuration</permission>
        <permission>site_status</permission>
        <permission>resolve_conflict</permission>
        <permission>site_diff_conflicted_file</permission>
        <permission>commit_resolution</permission>
        <permission>cancel_failed_pull</permission>
        <permission>encryption_tool</permission>
      </allowed-permissions>
    </rule>
    <rule regex=".*">
      <allowed-permissions>
        <permission>S3 Read</permission>
        <permission>S3 Write</permission>
      </allowed-permissions>
    </rule>
  </role>
  <role name="reviewer">
    <rule regex="/.*">
      <allowed-permissions>
        <permission>Read</permission>
        <permission>Publish</permission>
      </allowed-permissions>
    </rule>
    <rule regex="~DASHBOARD~">
      <allowed-permissions>
        <permission>Publish</permission>
      </allowed-permissions>
    </rule>
    <rule regex=".*">
      <allowed-permissions>
        <permission>S3 Read</permission>
      </allowed-permissions>
    </rule>
  </role>
  <role name="*">
    <rule regex="/.*">
      <allowed-permissions>
        <permission>Read</permission>
      </allowed-permissions>
    </rule>
    <rule regex=".*">
      <allowed-permissions>
        <permission>S3 Read</permission>
      </allowed-permissions>
    </rule>
  </role>
</permissions>

Description

List of available permissions

Permission                   Description
add_remote                   User is permitted to add a remote repository
cancel_failed_pull           User is permitted to cancel a failed pull from a repository
cancel_publish               User is permitted to cancel a publish request
Change Content Type          User is permitted to change content type
clone_content_cmis           User is permitted to clone content from a CMIS repository
commit_resolution            User is permitted to commit a conflict resolution
Create Content               User is permitted to create new content
Create Folder                User is permitted to create a new folder
Delete                       User is permitted to delete content
delete_content               User is permitted to delete content using API v2
encryption_tool              User is permitted to encrypt a text value
get_publishing_queue         User is permitted to get the list of packages in the publishing queue
list_cmis                    User is permitted to list files and folders in a CMIS repository, with an optional range for pagination
list_remotes                 User is permitted to list remote repositories for a site
Publish                      User is permitted to approve submitted content for publishing, or to publish content
pull_from_remote             User is permitted to pull content from a remote repository into the site content repository
push_to_remote               User is permitted to push content from the site content repository to a remote repository
Read                         User is permitted to read content
rebuild_database             User is permitted to rebuild Crafter Studio's database and object state from the underlying repository
remove_remote                User is permitted to remove a remote repository from the site content repository
resolve_conflict             User is permitted to resolve a conflict for a file by accepting ours or theirs
S3 Read                      User is permitted to get a list of items from an S3 bucket
S3 Write                     User is permitted to upload a file to an S3 bucket
search_cmis                  User is permitted to search files and folders in a CMIS repository, with an optional range for pagination
site_diff_conflicted_file    User is permitted to get the difference between ours and theirs for a conflicted file in a site
site_status                  User is permitted to get the status of the repository for a site
upload_content_cmis          User is permitted to upload an asset file to a CMIS repository
webdav_read                  User is permitted to get a list of items from a WebDAV server
webdav_write                 User is permitted to upload a file to a WebDAV server
Write                        User is permitted to edit content
write_configuration          User is permitted to write configuration content for the site

Configuration elements

Element                                                       Description
/permissions/site/role@name                                   Role name
/permissions/site/role/rule@regex                             Regular expression that filters the paths where the permission is applied. The value regex="~DASHBOARD~" is a special regular expression applied only to content displayed in dashboard widgets
/permissions/site/role/rule/allowed-permissions/permission    Allowed permission for the role and rule (possible values are given in the table above)