Roles & Permissions
Roles and Permissions Provide Users the Ability to View, Change and Delete Content, Assets and Settings.
Last updated
Was this helpful?
Roles and Permissions Provide Users the Ability to View, Change and Delete Content, Assets and Settings.
Last updated
Was this helpful?
This documentation is based on the FoodCrunch use case. Please open the link below alongside this page to understand the examples.
Squidex uses a fine-grained permission system. Permissions are defined with a dot-notation as outlined below:
squidex
squidex.apps.{app}.clients
squidex.apps.{app}.clients.read
squidex.apps.{app}.contents
squidex.apps.{app}.contents.{schema}
squidex.apps.{app}.contents.{schema}.read
squidex.apps.{app}.contents.{schema}.create
{app} and {schema} are placeholders that will be replaced with your current App name or schema name.
The full list of permissions can be found here:
The system is expressed as a hierarchy. Visualizing it as a tree, its structure is as follows:
squidex
apps
{app}
clients
reader
contents
{schema}
read
create
The meaning is as follows:
squidex grants you all permissions and makes you an administrator.
squidex.apps.{app} gives you all permissions for a specific App and makes you the App owner.
The permission system also allows wildcards:
squidex.apps.{app}.contents.*.read gives you read access to all schemas in your App, but now write access.
Another example of a wildcard is below:
squidex.apps.{app}.contents.magazine|startups.* which gives you full access to two schemas, magazine and startups.
A third example of a wildcard might be:
squidex.apps.{app}.contents.^settings.* gives you full access to all schemas except to a schema called settings.
This gives you the minimum permission to access an App.
If you create a role that can only view content, the role will need permission to query the configured languages and published schemas for an App. Therefore, all App roles implicity have this permission.
Roles are used to assign one or more permissions to users. You can view the default roles and create custom roles under Roles in the Settings section of the App.
Squidex has four default roles that cannot be deleted.
An Owner is the owner of the app and can do everything, including delete the App.
squidex.apps.{app}
All permissions.
Users with a Developer role can use the API view, edit assets, content, schemas, rules, workflows and settings.The Editor Role allows editing assets, editing content and viewing workflows.
squidex.apps.{app}.api
Can use the API section the Management UI.
squidex.apps.{app}.assets
Can view and manage assets.
squidex.apps.{app}.contents
Can view and manage contents.
squidex.apps.{app}.patterns
Can view and manage patterns.
squidex.apps.{app}.rules
Can view and manage rules.
squidex.apps.{app}.schemas
Can manage schemas (viewing schemas is an implicit permission).
The editor role allows editing assets and contents and viewing workflows
squidex.apps.{app}.assets
Can view and manage assets.
squidex.apps.{app}.contents
Can view and manage content.
A user with a Reader Role can only read assets and content.
squidex.apps.{app}.contents.*.read
Can view content.
You can create custom roles in the Management UI. To create a Custom Role, navigate to Settings (1) and then to Roles (2) in your App. Enter a Name (3) for the role and then click Add Role (4).
For our FoodCrunch use case, we want to create a Custom Role for blog/magazine contributors. In this scenario, the role is named as Contributor.
For our FoodCrunch magazine contributors, we want to provide full access to assets and content only in the App. The default Editor role has these permissions but it also has other permissions that allow reading roles and workflows, which we want to avoid for our use case. Hence, the need for a Custom role.
The following permissions will be added:
assets
contents.*
To start adding permissions, begin by typing a few words for the permission that you want to assign and a drop down list will appear, select the desired permission and click + to add it.
So, for our use case we will search for the word assets (6) and select assets (7) from the list. This is because we want to provide all permissions for assets. Click + (8) to add.
Similarly, search for contents (9) and select contents.* (10) from the list. Click + (11) to add the permission to the custom role and then Save (12) to save changes.
All permissions are automatically prefixed with squidex.apps.{app}, otherwise a user would be able to create Roles that grant permissions to another App.
As an administrator you can also assign permissions to users individually:
There are some limitations to bear in mind:
When you manually assign permissions to a user, the user has to logout and login again for the changes to take effect, as these permissions are stored as claims in a cookie.
Even if a user has admin permission (squidex) or permissions for all Apps (squidex.apps) he or she will not see them in the Apps' overview in the administration UI. A Squidex instance can have thousands of Apps (like our Cloud) but the user interface is not designed for this. So, either assign them explicitly to an App, such as squidex.apps.{app}, or enter the URL manually.
In the list of there is one special permission i.e. squidex.apps.{app}.common.
Next, click on the Gear icon (5) next to the Custom role to start assigning permissions.
