Role management

Xperience uses a role-based system to manage the permissions of user accounts. Roles define permissions that determine what users can and cannot do within individual administration UI applications. The number of roles assignable to each user account is not limited; permissions of a given account are determined by the union of permissions granted by individual roles. 

By default, the system provides the Administrator role, which grants full permissions to all features and applications in the product. Initially, the administrator account created during the installation process is the only user with this role. Because inviting new users to the system requires assigning a role to their account, we strongly recommend setting up additional roles with restricted access (such as Editor or Contributor) to prevent any misuse of granted privileges.

You can grant four main types of permissions for most applications in the system:

| Permission | Description |
| --- | --- |
| View | The most basic permission required to interact with an application in Xperience. Without the View permission, users cannot see the corresponding application in the administration, access it via direct URLs, or use it in any other way. |
| Create | Grants permission to create objects in the corresponding application. |
| Update | Grants permission to modify existing objects in the corresponding application. |
| Delete | Grants permission to delete existing objects in the corresponding application. |

Not every application needs all permissions. For example, Create, Update, and Delete are not relevant for the Event Log application, which only displays events that occurred in the system.

In addition to the permissions summarized in the table above, applications may also have permissions related to their specific functionality.

| Application | Permission | Description |
| --- | --- | --- |
| Website channel applications | Access channel | Allows users to see and access the website channel application in the administration. |
| Website channel applications | Manage permissions | Allows users to grant page permissions to other roles. Roles with this permission always have full privileges for all pages in the website channel. |
| Email channel applications | Send email | Allows users to send or schedule emails of the Regular type. |
| Media libraries | Manage media library | Allows users to perform file operations within media libraries, e.g., upload and delete media files. |
| Channel management | Manage headless channel API keys | Allows users to create, enable or disable API keys for headless channels. |

Developers can also define suitable feature-specific permissions when creating custom applications and UI pages for the administration.

Manage roles

You manage roles in the Role management application.

Create roles

  1. In the Role management application, select New role.
  2. Enter the role's details:
    1. Role name – used when working with the role in the administration interface.
    2. (Optional) Identifiers – specify the code name if you wish to use a code name different than the pre-filled value.
    3. (Optional) Description – information about the role.
  3. Save the changes.

The role is created in the system. You can now:

Assign permissions to roles

You assign permissions via a role’s Permissions tab. Open the Role management application and select a role. Then, switch to the role’s Permissions tab.

Each application groups all permissions that can be granted under a Permission set. Use the assignment interface to define permissions for the selected role.

Permissions assignment overview

Selecting Add permission set creates a new item in the main workspace. Use the application selector to choose the application for which to define permissions. You can add each application only once. Afterwards, the application remains in the selector but becomes disabled.

The selector on the right lists the permissions available for the application. View is always preselected and non-removable – other permissions are redundant if the role cannot access the application in the first place. Applications without explicitly defined permission sets are inaccessible and hidden from the administration interface for all users in the given role.
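The following model shows how these rules combine when reviewing role assignments. It is an added illustration, not Xperience code or its API: a user's permissions are the union across roles, an application without a permission set is inaccessible, and accounts with Administrator or Manage permissions are listed for review. The role names, users, data layout and function names are constructed assumptions.

```python
# Model of the rules on this page; not Xperience code. All names below are
# constructed sample data, and the data layout is an assumption.
ADMIN_ROLE = "Administrator"  # built-in role that grants full permissions

# role -> {application -> permission set}
ROLES = {
    "Editor": {"Email channel": {"View", "Create", "Update"},
               "Media libraries": {"View"}},
    "Media manager": {"Media libraries": {"View", "Manage media library"}},
    "Channel owner": {"Website channel": {"View", "Access channel",
                                          "Manage permissions"}},
}
USERS = {"alice": ["Editor", "Media manager"], "bob": ["Channel owner"],
         "carol": [ADMIN_ROLE], "dave": []}


def effective_permissions(user):
    """Union of the permission sets granted by every role the user holds."""
    merged = {}
    for role in USERS.get(user, []):
        for app, perms in ROLES.get(role, {}).items():
            merged.setdefault(app, set()).update(perms)
    return merged


def is_allowed(user, app, permission):
    """Administrator is allowed everything; any other user needs a permission
    set for the application (with View) that contains the permission."""
    if ADMIN_ROLE in USERS.get(user, []):
        return True
    perms = effective_permissions(user).get(app)
    if not perms or "View" not in perms:
        return False  # no permission set: application hidden and inaccessible
    return permission in perms


def broad_access_report():
    """Users holding full or channel-wide privileges, for periodic review."""
    report = {}
    for user, roles in USERS.items():
        granted = effective_permissions(user).values()
        if ADMIN_ROLE in roles:
            report[user] = "Administrator role"
        elif any("Manage permissions" in perms for perms in granted):
            report[user] = "Manage permissions: full privileges for all pages"
    return report
```
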

Assign users to roles

Users are assigned to roles on the Assigned users tab.

  1. Open the Role management application and select a role.
  2. Switch to the Assigned users tab.
  3. Add users to the role via Add user.

The users are now assigned to the role.

Assign roles to users

You can also assign roles to individual users via the Users application.

  1. Open the Users application.
  2. Select a user.
  3. Assign roles using the Role dropdown on the General tab.

Assign roles when inviting new users

Assigning a role is also necessary when inviting new users to the system via New user in the Users application.

Assigning roles when inviting new users