# Roles & Permissions This documentation is based on the *FoodCrunch* use case. Please open the link below alongside this page to understand the examples. {% content-ref url="../introduction-and-use-case" %} [introduction-and-use-case](https://docs.squidex.io/id-02-documentation/introduction-and-use-case) {% endcontent-ref %} ## Permissions in Squidex Squidex uses a fine-grained permission system. Permissions are defined with a dot-notation as outlined below: * `squidex` * `squidex.apps.{app}.clients` * `squidex.apps.{app}.clients.read` * `squidex.apps.{app}.contents` * `squidex.apps.{app}.contents.{schema}` * `squidex.apps.{app}.contents.{schema}.read` * `squidex.apps.{app}.contents.{schema}.create` `{app}` and `{schema}` are placeholders that will be replaced with your current App name or schema name. The full list of permissions can be found here: The system is expressed as a hierarchy. Visualizing it as a tree, its structure is as follows: * squidex * apps * {app} * clients * reader * contents * {schema} * read * create The meaning is as follows: * `squidex` grants you all permissions and makes you an administrator. * `squidex.apps.{app}` gives you all permissions for a specific App and makes you the App owner. ### Defining Permissions The permission system also allows wildcards: `squidex.apps.{app}.contents.*.read` gives you read access to all schemas in your App, but now write access. Another example of a wildcard is below: `squidex.apps.{app}.contents.magazine|startups.*` which gives you full access to two schemas, `magazine` and `startups`. A third example of a wildcard might be: `squidex.apps.{app}.contents.^settings.*` gives you full access to all schemas except to a schema called `settings`. ### Special Permission In the list of [available permissions](https://github.com/Squidex/squidex/blob/master/backend/src/Squidex.Shared/PermissionIds.cs) there is one special permission i.e. `squidex.apps.{app}.common`. This gives you the minimum permission to access an App. If you create a role that can only view content, the role will need permission to query the configured languages and published schemas for an App. Therefore, all App roles implicity have this permission. ## Roles Roles are used to assign one or more permissions to users. You can view the default roles and create custom roles under **Roles** in the **Settings** section of the App.

### Default Roles Squidex has four default roles that cannot be deleted. {% hint style="info" %} `{app}` is your App name. {% endhint %} ### Owner An Owner is the owner of the app and can do everything, including delete the App. | | | | -------------------- | ---------------- | | `squidex.apps.{app}` | All permissions. | ### Developer Users with a Developer role can use the API view, edit assets, content, schemas, rules, workflows and settings.The Editor Role allows editing assets, editing content and viewing workflows. | Permission | Description | | ----------------------------- | --------------------------------------------------------------- | | `squidex.apps.{app}.api` | Can use the API section the Management UI. | | `squidex.apps.{app}.assets` | Can view and manage assets. | | `squidex.apps.{app}.contents` | Can view and manage contents. | | `squidex.apps.{app}.patterns` | Can view and manage patterns. | | `squidex.apps.{app}.rules` | Can view and manage rules. | | `squidex.apps.{app}.schemas` | Can manage schemas (viewing schemas is an implicit permission). | ### Editor The editor role allows editing assets and contents and viewing workflows | Permission | Description | | ----------------------------- | ---------------------------- | | `squidex.apps.{app}.assets` | Can view and manage assets. | | `squidex.apps.{app}.contents` | Can view and manage content. | ### Reader A user with a Reader Role can only read assets and content. | | | | ------------------------------------ | ----------------- | | `squidex.apps.{app}.contents.*.read` | Can view content. | ### Custom Roles You can create custom roles in the Management UI. To create a Custom Role, navigate to **Settings** (1) and then to **Roles** (2) in your App. Enter a **Name** (3) for the role and then click **Add Role** (4). For our *FoodCrunch* use case, we want to create a Custom Role for blog/magazine contributors. In this scenario, the role is named as **Contributor**.

Next, click on the **Gear** icon (5) ![](https://2730255609-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-LrL94QfeasZ0wF6YAvB%2Fuploads%2FAKwZ7A53DOxCrqRfVwdC%2F2022-11-22_19-23.png?alt=media\&token=d37d9caa-8496-4ad0-bcad-79a0e0e7e183) next to the Custom role to start assigning permissions.

For our *FoodCrunch* magazine contributors, we want to provide *full access to assets and content* only in the App. The default Editor role has these permissions but it also has other permissions that allow reading roles and workflows, which we want to avoid for our use case. Hence, the need for a Custom role. The following permissions will be added: * `assets` * `contents.*` To start adding permissions, begin by typing a few words for the permission that you want to assign and a drop down list will appear, select the desired permission and click + to add it. So, for our use case we will search for the word **assets** (6) and select **assets** (7) from the list. This is because we want to provide all permissions for assets. Click **+** (8) to add.

Adding permissions to a customer role - 1

Similarly, search for **contents** (9) and select **contents.\*** (10) from the list. Click **+** (11) to add the permission to the custom role and then **Save** (12) to save changes.

Adding permissions to a customer role - 2

All permissions are automatically prefixed with `squidex.apps.{app}`, otherwise a user would be able to create Roles that grant permissions to another App. ## Administration As an administrator you can also assign permissions to users individually: ![Custom permissions](https://2730255609-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-LrL94QfeasZ0wF6YAvB%2Fuploads%2Fgit-blob-e2647f3abaf34b833e0537c22d0c453d01df8505%2Fadministration.png?alt=media\&token=b12de5f5-73ab-4bb9-8736-99965c7e5472) There are some limitations to bear in mind: * When you manually assign permissions to a user, the user has to logout and login again for the changes to take effect, as these permissions are stored as claims in a cookie. * Even if a user has admin permission (`squidex`) or permissions for all Apps (`squidex.apps`) he or she will not see them in the Apps' overview in the administration UI. A Squidex instance can have thousands of Apps (like our Cloud) but the user interface is not designed for this. So, either assign them explicitly to an App, such as `squidex.apps.{app}`, or enter the URL manually.