Role management
Xperience uses a role-based system to manage the permissions of user accounts. Roles define permissions that determine what users can and cannot do within individual administration UI applications. The number of roles assignable to each user account is not limited; permissions of a given account are determined by the union of permissions granted by individual roles.
By default, the system provides the Administrator role, which grants full permissions to all features and applications in the product. Initially, the administrator account created during the installation process is the only user with this role. Because inviting a new user to the system requires assigning a role to their account, we strongly recommend setting up additional roles with restricted access (such as Editor or Contributor) to prevent misuse of granted privileges.
You can grant four main types of permissions for most applications in the system:
Permission | Description |
View | The most basic permission required to interact with an application in Xperience. Without the View permission, users cannot see the corresponding application in the administration, access it via direct URLs, or use it in any other way. |
Create | Grants permission to create objects in the corresponding application. |
Update | Grants permission to modify existing objects in the corresponding application. |
Delete | Grants permission to delete existing objects in the corresponding application. |
Not every application needs all permissions. For example, Create, Update, and Delete are not relevant for the Event Log application, which only displays events that occurred in the system.
In addition to the permissions summarized in the table above, applications may also have permissions related to their specific functionality.
Application | Permission | Description |
Website channel applications | Access channel | Allows users to see and access the website channel application in the administration. |
Website channel applications | Manage permissions | Allows users to grant page permissions to other roles. Roles with this permission always have full privileges for all pages in the website channel. |
Email channel applications | Send email | Allows users to send or schedule emails of the Regular type. |
Media libraries | Manage media library | Allows users to perform file operations within media libraries, e.g., upload and delete media files. |
Channel management | Manage headless channel API keys | Allows users to create, enable or disable API keys for headless channels. |
Scheduled tasks | Run tasks | Allows users to run non-system scheduled tasks. |
Developers can also define suitable feature-specific permissions when creating custom applications and UI pages for the administration.
Manage roles
You manage roles in the Role management application.
Create roles
- In the Role management application, select New role.
- Enter the role:
  - Role name – used when working with the role in the administration interface.
  - (Optional) Identifiers – specify the code name if you wish to use a code name different than the pre-filled value.
  - (Optional) Description – information about the role.
- Save the changes.
The role is created in the system. You can now:
Assign permissions to roles
You assign permissions via a role’s Permissions tab. Open the Role management application and select a role. Then, switch to the role’s Permissions tab.
Each application groups all permissions that can be granted under a Permission set. Use the assignment interface to define permissions for the selected role.
Selecting Add permission set creates a new item for the role. Use the application selector to choose the application for which to define permissions. For workspace-scoped applications, you define the permission set for the application in a specific workspace. For example, you can grant all permissions for Content hub in workspace A and only the View permission for Content hub in workspace B.
The selector on the right lists the permissions available for the application. View is always preselected and non-removable – other permissions are redundant if the role cannot access the application in the first place. Applications without explicitly defined permission sets are inaccessible and hidden from the administration interface for all users in the given role.
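The union rule and the per-workspace permission sets described above can be checked during an access review. The following sketch is an added example, not Xperience code: it models roles as constructed Python data and computes each user's effective permissions. The dictionary layout, the `Reviewer` role, the users `alice` and `bob`, the choice of which permissions count as sensitive, and treating non-workspace applications as having workspace `None` are all assumptions.

```python
from collections import defaultdict

# Constructed sample data; this layout is an assumption, not an Xperience export format.
# role -> list of permission sets: (application, workspace or None, permissions)
ROLES = {
    "Editor": [
        ("Content hub", "Workspace A", {"View", "Create", "Update", "Delete"}),
        ("Media libraries", None, {"View"}),
    ],
    "Reviewer": [
        ("Content hub", "Workspace B", {"View"}),
        ("Media libraries", None, {"View", "Manage media library"}),
        ("Channel management", None, {"View", "Manage headless channel API keys"}),
    ],
}
USER_ROLES = {"alice": ["Editor", "Reviewer"], "bob": ["Editor"]}

# Assumption: the permissions a reviewer wants singled out (names taken from the tables).
SENSITIVE = {"Manage permissions", "Manage headless channel API keys", "Delete"}


def effective_permissions(user):
    """Union of permissions over all of the user's roles, per (application, workspace)."""
    merged = defaultdict(set)
    for role in USER_ROLES.get(user, []):
        for app, workspace, perms in ROLES.get(role, []):
            # View is always part of a permission set, so model it explicitly.
            merged[(app, workspace)] |= set(perms) | {"View"}
    return dict(merged)


def can(user, app, permission, workspace=None):
    """A scope with no permission set in any role means the application is inaccessible."""
    return permission in effective_permissions(user).get((app, workspace), set())


def sensitive_grants(user):
    """Sorted (application, workspace, permission) triples worth a second look."""
    return sorted(
        (app, ws or "", perm)
        for (app, ws), perms in effective_permissions(user).items()
        for perm in perms & SENSITIVE
    )


if __name__ == "__main__":
    for user in USER_ROLES:
        print(user, sensitive_grants(user))
```

Because permissions accumulate across roles, a user who looks harmless in each role individually can still end up with a sensitive grant; reviewing the merged result per user catches that.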
Assign users to roles
Users are assigned to roles on the Assigned users tab.
- Open the Role management application and select a role.
- Switch to the Assigned users tab.
- Add users to the role via Add user.
The users are now assigned to the role.
Assign roles to users
You can also assign roles to individual users via the Users application.
- Open the Users application.
- Select a user.
- Assign roles using the Role dropdown on the General tab.
Assign roles when inviting new users
Assigning a role is also necessary when inviting new users to the system via New user in the Users application.