1.7. Permissions and Privileges

Most CMS permissions are controlled via the com.arsdigita.cms.SecurityManager class. This class serves as an abstraction layer between the CMS UI and domain layers and the underlying WAF Permissions service. There are two basic types of permissions in CMS — section-level permissions and item-level permissions.

The CMS administration UI creates permissions via the Roles tab. For a given role, a permission record is created for each privilege assigned to the role. Any user added to the role then inherits these permissions by being added to the role's internal group (which is the actual assignee of the permissions).

Privileges assigned to roles may include section-level permissions (such as Content Type Administration, Role Administration, etc.) or item-level permissions (such as Create Items, Publish Items, etc.). Section-level privileges always apply to the Content Section as a whole. Item-level privileges assigned to roles define the default permissions which may be overridden at the folder level.

By default, item-level permissions inherit to an item from its containing folder, to a folder from its parent folder, and to the root folder from the section roles. Although the API allows customization at the level of the individual content item, the current UI only allows for folder-level control of permissions.

Note

There is a distinction made between the terms permission and privilege. A privilege is a named ability to perform certain actions, such as read, write, delete, etc. A permission is a triple consisting of (a) a party (user or group), (b) a privilege, and (c) an object. A permission record basically says that party X has privilege P on object O.
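The folder-inheritance walk described above and the (party, privilege, object) triple from the note, as an added stand-alone Python model; this is not the CMS code and calls neither com.arsdigita.cms.SecurityManager nor the WAF Permissions service. It assumes that a folder whose permissions were overridden in the UI stops inheriting from its parent, and the section, folder, role and user names are constructed.

```python
from __future__ import annotations
from dataclasses import dataclass
PUBLISH = "Publish Items"  # an item-level privilege name, as listed in the Roles tab

@dataclass
class SecObject:
    # section, folder or item; inherits=False = folder whose permissions were overridden
    name: str
    parent: SecObject | None = None
    inherits: bool = True

class PermissionModel:
    def __init__(self) -> None:
        self.records: set[tuple[str, str, str]] = set()  # (party, privilege, object)
        self.groups: dict[str, set[str]] = {}            # role group -> member users

    def grant(self, party: str, privilege: str, obj: SecObject) -> None:
        self.records.add((party, privilege, obj.name))

    def parties_for(self, user: str) -> set[str]:
        # the user plus every role group holding them: the group is the real assignee
        return {user} | {g for g, members in self.groups.items() if user in members}

    def has_privilege(self, user: str, privilege: str, obj: SecObject) -> bool:
        # walk item -> folder -> ... -> root -> section; first matching record grants,
        # and an overriding folder ends the walk without consulting its parent
        parties = self.parties_for(user)
        node: SecObject | None = obj
        while node is not None:
            if any((p, privilege, node.name) in self.records for p in parties):
                return True
            if not node.inherits:
                return False
            node = node.parent
        return False

def demo() -> dict[str, bool]:
    # constructed sample section: role default granted on the section, /legal overridden
    pm = PermissionModel()
    pm.groups = {"Editors": {"alice"}, "Legal Reviewers": {"bob"}}
    section = SecObject("news-section")
    root = SecObject("/", parent=section)
    press_item = SecObject("/press/q3-results", parent=SecObject("/press", parent=root))
    legal = SecObject("/legal", parent=root, inherits=False)
    legal_item = SecObject("/legal/contract", parent=legal)
    pm.grant("Editors", PUBLISH, section)       # section-role default for all items
    pm.grant("Legal Reviewers", PUBLISH, legal)  # folder-level override in /legal
    return {"alice_press": pm.has_privilege("alice", PUBLISH, press_item),
            "alice_legal": pm.has_privilege("alice", PUBLISH, legal_item),
            "bob_legal": pm.has_privilege("bob", PUBLISH, legal_item),
            "bob_press": pm.has_privilege("bob", PUBLISH, press_item)}
```

Running demo() shows the editor's section-wide default reaching items under /press but not under the overridden /legal folder, where only the folder-level grant applies.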