Squidex uses a fine granular permission system. Permissions are defined with a dot-notation:
squidex
squidex.apps.{app}.clients
squidex.apps.{app}.clients.read
squidex.apps.{app}.contents
squidex.apps.{app}.contents.{schema}
squidex.apps.{app}.contents.{schema}.read
squidex.apps.{app}.contents.{schema}.create
{app}
and {schema}
are placeholder that will be replaced with your current app name or schema name.
The full list of permissions can be found here: https://github.com/Squidex/squidex/blob/master/backend/src/Squidex.Shared/Permissions.cs​
The system is expressed as a hierarchy. If you visualize them as a tree you get the following structure
squidex
apps
{app}
clients
reader
contents
{schema}
read
create
This means...
That squidex
gives you all permissions and makes you an adminstrator.
That squidex.apps.{app}
gives you all permissions for a specific app and makes you the app owner.
The permission system also allows wildcards:
squidex.apps.{app}.contents.*.read
gives you read access to all schemas in your app, but now write access.
It also it allows alternatives:
squidex.apps.{app}.contents.pages|posts|articles.*
gives you full access to the three schemas pages, posts and articles.
And furthermore exceptions (not implemented yet):
squidex.apps.{app}.contents.^settings.*
gives you full access to all schemas except to the settings schema.
If you have a look to the list of available permissions the meaning should be obvious, but there is one exception:
squidex.apps.{app}.common
gives you the minimum permissions to access and app. If you create a role that can view content only, this role also needs the permissions to query the configured languages and published schemas for an app. Therefore all app roles have this permissions implicitly.
Roles are used to assign permissions to users.
Squidex defines four default roles that cannot be deleted. {app}
is your app name.
squidex.apps.{app}
: All permissions
squidex.apps.{app}.api
: Can use the api section the Management UI
squidex.apps.{app}.assets
: Can view and manage assets
squidex.apps.{app}.contents
: Can view and manage contents.
squidex.apps.{app}.patterns
: Can view and manage patterns.
squidex.apps.{app}.rules
: Can view and manage rules.
squidex.apps.{app}.schemas
: Can manage schemas (Viewing schemas is an implicit permission).
squidex.apps.{app}.assets
: Can view and manage assets
squidex.apps.{app}.contents
: Can view and manage content.
squidex.apps.{app}.contents.*.read
: Can view content.
You can define custom roles in the Management UI by choosing a name first and then assigning the permissions to this role. All permissions will be prefixed with squidex.apps.{app}
automatically, otherwise you would be able to create roles that give you permissions to another app.
As an administrator you can also assign permissions to users individually:
There are some restrictions to the system:
When you assign permissions to a user manually, this user has to logout and login again, because these permissions are stored as claims in the cookie.
Even if a user has the admin permission (squidex
) or permissions for alls apps (squidex.apps
) he will not see them in the apps overview in the administration UI. A squidex can have have thousands of apps (like our cloud) and the user interface is not designed for that. Either assign him an explicit to an app, like squidex.apps.{app}
or enter the url manually.