Userroles

Userroles represent a functional privilege (aka Functional Role) which can be granted to Users directly or indirectly via Groups they are member of. Userroles, and the functional privilege they represent, are global and granted for the duration of a user's logged in session.

Userrole configuration

Userroles are stored in the repository under path /hippo:configuration/hippo:userroles where the name of the userrole node defines the userrole name.

Node type definitions

hipposys:userrole

[hipposys:userrole] > nt:base
- hipposys:system (boolean)
- hipposys:userroles (string) multiple
- hipposys:description (string)

Name

Type

Required

Description

node name

String

yes

The name of the userrole

hipposys:system

boolean no Indicator if the userrole is protected and not allowed to be modified or deleted.
All standard provided userroles are marked and projected as system userroles. 
hipposys:userroles String no Other userroles implied by this userrole
hipposys:description String no A description of the userrole

hipposys:userrolefolder

[hipposys:userrolefolder] > nt:base
+ * (hipposys:userrole) = hipposys:userrole

Standard provided userroles naming convention

The standard provided userroles are all named with the following convention:

<prefix>.<feature>.<function> 

For brXM the prefix is always xm.

The standard provided userroles furthermore can be classified in three groups:

  1. Userroles representing a privilege required to access a feature within the CMS (aka feature 'toggles') which is independent of or unrelated to specific repository content.
    When these userroles are only used for this purpose, they use the following naming convention: xm.<feature>.user.
    For example xm.cms.user, xm.project.user, etc.
  2. Userroles which primarily are (to be) used for repository domain security authorization, meaning they are used to grant repository (data) specific privileges in the context of specific repository content and functionality.
    These userroles use the following naming convention: xm.<feature>.<repository context specific role>.
    For example: xm.content.editor, xm.channel.admin, xm.project.viewer
  3. Convenient userroles which aggregate (imply) all the userroles needed for the standard provided groups (which thus now by default only are configured with only that corresponding userrole), and can be used as basis for custom groups with the same or further extended (userrole based) privileges, for example for LDAP provided groups or otherwise. 
    These userroles all use the following naming convention: xm.default-user.<group name>.
    For example: xm.default-user.editor, xm.default-user.webmaster, xm-default-user.system-admin.  
    Note the slight deviation for the naming of the xm-default-user.system-admin:  this userrole is actually assigned to the default admin group instead of a (not default provided) system-admin group. This is for legacy and backwards compatibility reasons: the admin group effective means system-admin group.

The default provided userroles listed further below are grouped according to this classification. 

CMS and Console access

Being able to login to the CMS or Console application now (only) requires a user to have a dedicated userrole, either:

  • xm.cms.user: for login to the CMS
  • xm.console.user: for login to the Console

Note: only regular users are allowed to login through these applications, system users (users with property hipposys:system set to true) are not, even if they have been granted one of the above userroles!

CMS Features access

Which CMS features are available (shown) to a user can be restricted by requiring a specific userrole. All (or most) top-level CMS features are configured themselves in the repository through frontend:plugin nodes, which are loaded for a user at (or after) the login. All left-menu entry CMS features and a few deeper nested features now are restricted by requiring a specific "feature toggle" userrole with a hipposys:userrole property, e.g. like:

/hippo:configuration/hippo:frontend/cms/hippo-channel-manager/channel-manager-perspective:
  jcr:primaryType: frontend:plugin
  frontend:appPath: experience-manager
  hipposys:userrole: xm.channel.user

The following CMS features now require a specific userrole:

  • Home: xm.dashboard.user
  • Experience Manager: xm.channel.user
  • Projects: xm.project.user
  • Content: xm.content.user
    • Documents
      • Document Types: xm.system.admin
      • Url Rewriter: xm.urlrewriter.admin (since v14.2) or xm.repository.admin (v14.0-14.1)
  • Document search: xm.advanced-search.user
  • Insights
    • Content reports: xm.report.user

      The xm.report.user userrole is NOT automatically inherited (implied) by any of the default xm.default-user.* userroles,
      nor granted to any of the default provided groups, because it typically is only used/needed for (more) specific users/groups.
      Therefore the xm.report.user userrole needs to be explicity granted by an implementation project to the desired users/groups!
  • Audiences
    • Content audiences: xm.targeting.user
  • Setup
    • System: xm.system.user
      • Users: xm.security.viewer
      • Groups: xm.security.viewer
      • Userroles: xm.security.viewer
      • Permissions: xm.security.viewer
      • Replication: xm.security.admin
      • System Information: xm.system.admin
      • System Properties: xm.system.admin
      • Updater Editor: xm.system.admin
    • Form data: xm.form.user

Example userrole configuration

/hippo:configuration:
  /hippo:userroles:
    /xm.content.user:
      jcr:primaryType: hipposys:userrole
      hipposys:system: true
    /xm.content.viewer:
      jcr:primaryType: hipposys:userrole
      hipposys:system: true 
      hipposys:userroles: [ xm.content.user ]
    /my.content.viewer:
      jcr:primaryType: hipposys:userrole
      hipposys:userroles: [ xm.content.viewer ]

Default provided userroles

Userrole

Implied userroles

Description

xm.repository-browser.user

 

Required to login and use the repository servlet for querying and navigating through the repository content 

xm.cms.user

xm.frontend-config.reader

Required to login and use the CMS application

xm.console.user

xm.frontend-config.reader

Required to login and use the Console application

xm.dashboard.user

 

Required to view and use the Home (dashboard) menu and functionality within the CMS

xm.content.user

xm.advanced-search.user

Required to view and use the Content menu and functionality within the CMS

xm.report.user

 

Required to view and use the Insights > Content Reports menu and functionality within the CMS

NOT by default granted or implied, requires explicit configuration. See also marked note above in the CMS Feature Access section.

xm.system.user

 

Required to view and use the Setup > System menu and functionality within the CMS

xm.channel.user

 

Required to view and use the Experience Manager (Channels) menu and functionality within the CMS

xm.targeting.user

 

Required to view and use the Audiences menu and functionality within the CMS

xm.project.user

 

Required to view and use the Projects menu and functionality within the CMS

xm.advanced-search.user

 

Required to view and use the Document Search menu and functionality within the CMS

xm.form.user

 

Required to view and use the Setup > Form data menu and functionality within the CMS

     

xm.repository.admin

 

Allows all repository (jcr:all and hippo:admin) privileges through role admin

xm.system.admin

xm.console.user
xm.repository.admin
xm.security.user-admin
xm.security.application-admin

Allows administration and use of system functionality and configuration like Document Types, Update Editor, System info, etc.

xm.security.viewer

xm.system.user

Allows viewing repository security configuration (users, groups, security domains, roles, userroles) 

xm.security.user-admin

xm.security.viewer

Allows administration of users and groups; implies xm.security.viewer

xm.security.application-admin

xm.security.viewer

Allows administration of security domains, userroles and roles; implies xm.security.viewer

xm.content.viewer

xm.content.user

Allows viewing content through role readonly

xm.content.author

xm.content.viewer

Allows authoring (create, edit, move, rename, copy, delete) of content through role author 

xm.content.editor

xm.content.author

Allows (de)publishing of content through role editor; implies xm.content.author 

xm.content.admin

xm.content.editor

Allows unlocking content locked by another user through role admin; implies xm.content.editor

xm.repository.reader

 

Allows repository read access everywhere through role readonly

xm.webfiles.reader

 

Allows repository read access of webfiles through role readonly

xm.form.writer

 

Allows reading and writing of delivery tier form data through role readwrite  

xm.live-documents.reader

xm.webfiles.reader

Allows reading of live (published) documents through role readonly

xm.preview-documents.reader

xm.webfiles.reader

Allows reading of preview (unpublished) documents through role readonly

xm.channel.admin

xm.channel.webmaster

Allows administration of channels through role channel-admin; implies xm.channel.webmaster

xm.channel.webmaster

xm.channel.viewer

Allows editing and publishing channels through role channel-webmaster; implies xm.channel.viewer 

xm.channel.viewer

xm.channel.user
xm.webfiles.reader

Allows viewing channels through role channel-viewer; implies xm.webfiles.reader

xm.frontend-config.reader

 

Allows reading CMS and Console frontend configuration through role readonly

xm.targeting.viewer

xm.targeting.user

Allows viewing targeting configuration and data through role targeting-viewer

xm.targeting.editor

xm.targeting.viewer

Allows editing targeting configuration and data through role targeting-editor; implies xm.targeting.viewer

xm.project.viewer

xm.project.user

Allows viewing projects through role project-viewer

xm.project.editor

xm.project.viewer

Allows editing projects through role project-editor; implies xm.project.viewer

xm.project.admin

xm.project.editor

Allows administration of projects through role project-admin; implies xm.project.editor

     

xm.default-user.author

xm.cms.user
xm.dashboard.user
xm.content.author
xm.channel.viewer
xm.project.viewer

Implies all standard userroles needed for a default author user or group  

xm.default-user.editor

xm.cms.user
xm.dashboard.user
xm.content.editor
xm.channel.viewer
xm.project.editor

Implies all standard userroles needed for a default editor user or group   

xm.default-user.webmaster

xm.cms.user
xm.dashboard.user
xm.channel.webmaster
xm.project.editor
xm.targeting.editor

Implies all standard userroles needed for a default webmaster user or group

xm.default-user.cms-admin

xm.cms.user
xm.dashboard.user
xm.content.admin
xm.channel.admin
xm.project.admin
xm.targeting.editor
xm.form.user
xm.repository.admin
xm.security.user-admin
xm.security.application-admin

Implies all standard userroles needed for a default CMS administrator user or group

xm.default-user.system-admin

xm.cms.user
xm.dashboard.user
xm.content.admin
xm.channel.admin
xm.project.admin
xm.targeting.editor
xm.form.user
xm.system.admin
xm.security.user-admin
xm.security.application-admin

Implies all standard userroles needed for a default system administrator user or group

Did you find this page helpful?
How could this documentation serve you better?
On this page
    Did you find this page helpful?
    How could this documentation serve you better?