User Permissions

Skip to end of metadata
Go to start of metadata

In pimcore there are two levels of user permissions. Firstly the permissions on system components and secondly permissions on website elements, which are assets, objects and documents. Permissions can be granted to user groups or individual users. The following paragraphs describe how and where permissions can be set and how they will or will not affect eachother.

The precondition of setting user permissions is that the desired users and groups have been created in the system / users section. It is advised to group users with the same permissions into a user group. Directly in the user settings tab it can be decided which permissions are granted to that user or user group. By checking the admin checkbox, all permissions on all system components are granted. The following  list outlines what the different system permission mean

  • documents: defines whether the documents accordion is visible to a user
  • assets: defines whether the assets accordion is visible to a user
  • objects: defines whether the objects accordion is visible to a user
  • system settings: specifies accesibility to the system settings
  • users: defines whether a user may manage other users settings and system permissions
  • classes: defines accesibility to object classes
  • routes: specifies whether a user may create and edit static routes
  • clear cache: defines if a user may clear pimcore cache (internal cache and response cache if configured)
  • clear temporary files: defines if user may delete temporay system files ( e.g thumbnails)
  • thumbnails: specifies if a user may create thumbnail templates
  • translations: defines wheter a user may view and edit website translations
  • plugins: specifies if a user is allowed to download install and manage plugins
  • seemode: seemode available/not available for user
  • predefined properties: specifies wheter a user may create predefined properties
  • document types: specifies whether a user may create and edit document types

When new system components are introduced by the pimcore developer team, these permissions might be enhanced to include new components

As far as inheritance is concerned, it has to be kept in mind, that a permission granted to a user group can not be rescinded for individual users within that user group. Granted permissions can not be overridden on a lower level. On he other hand, rescinding a permission on group level does not mean that it is rescinded for all users within that group. Only granting is inherited.

Beyond the permissions mentioned above, a user's access can be restricted on element basis. Provided that a user may generally access documents, it can be specified what a user/user group may do or not do with each document or entire document folders. The same is true for objects and assets. These settings are manipulated in the tabs added to the general user settings. However, there are a few general rules on element permissions which need to be regarded:

  • by default all element permissions are granted to a user unless otherwise specified
  • a permission granted to a user group can not be rescinded on user level within that group
  • if a user does not have the right to list an element, all other permissions are obsolete and can not be edited
  • if a user does not have the list permission on an element, all permissions on this element's children are obsolete and can not be edited
  • rescinding a permission on group level does not mean that it is automatically rescinded for all users within that group, because users within that group might have their own extended permission settings! Only granting permissions results in obligatory inheritance.
  • if an element's children do no have their own permissions set, they automatically inherit permissions from their parent

A specialty with elements permissions is that a user does not need to have the "users" permission to manage element access of other users. He can manage element permissions  of other users on all elements on which he himself has the "permissions" permission. This architecture allows editors without user administation rights to manage access on certain elements.

The user permissions on element basis are summed up as follows:

  • list: element can be listed in tree
  • view: element can be openend
  • save: element can be saved (save button visible)
  • publish: element can be published (publish button visible)
  • unpublish: element can be unpublished (unpublish button visible); does not exist for assets
  • create: new child elements can be created (does not exist for assets)
  • delete: element can be deleted
  • rename: name of the element can be changed
  • settings: element's settings can be managed i.e. the settings tab is visible; the settings permission also the path and thereby he right to move the element in tree
  • versions: versions tab available
  • properties: properties tab availabe and can be managed
  • permissions: permission to grant element permissions of this element to other users
Enter labels to add to this page:
Please wait 
Looking for a label? Just start typing.