Skip to content

Policies

Policies are the main building block of the permissions system. Each role you assign to user or user group consists of policies which define, which parts of the application or website the user has access to.

Available policies

Access to all functions

Module Function Effect Possible limitations
* * all modules, all functions: grant all available permissions

Tip

For each module, all functions can be given without limitation. For example, content/* gives access to all functions of the content module, even future ones.

Administration and user management

Activity log

Module Function Effect Possible Limitations
activity_log read access activity list ActivityLogOwner

AI actions

Module Function Effect Possible Limitations
action_configuration view view AI Action
create create a new AI action
edit edit an AI action
delete delete an AI action
execute execute an AI action

Customer groups

Module Function Effect Possible limitations
customer_group create create a customer group
delete delete a customer group
edit edit a customer group
view view customer groups

Personalization

Module Function Effect Possible limitations
personalization edit modify scenario configuration for selected SiteAccesses Personalization access
view view scenario configuration and results for selected SiteAccesses Personalization access

Roles

Module Function Effect Possible limitations
role assign assign roles to users and user groups
create create new roles
delete delete roles
read view the roles list in Admin. Required for all other role-related policies
update modify existing roles

Setup

Module Function Effect Possible limitations
setup administrate access Admin
install unused
setup unused
system_info view the System Information tab in Admin

Sites

Module Function Effect Possible limitations
site change_status change status of the public accesses of sites to Live or Offline in the Site Factory
create create sites in the Site Factory
delete delete sites from the Site Factory
edit edit sites in the Site Factory
update update sites in the Site Factory
view view the "Sites" in the top navigation

Users

Module Function Effect Possible limitations
user activation unused
invite create and send invitations to create an account
login log in to the application
password unused
preferences access and set user preferences
register register using the /register route
selfedit unused

Commerce

Cart

Module Function Effect Possible limitations
cart create create a cart CartOwner
delete delete cart, for example, after successful checkout CartOwner
edit change cart metadata (name, currency, owner), add/remove cart items CartOwner
view view a cart CartOwner

Checkout

Module Function Effect Possible limitations
checkout create create new checkout, for example, after workflow fails to complete
delete delete checkout, for example, after workflow completes successfully
update change currency, quantity
view access checkout

Currencies and regions

Module Function Effect Possible limitations
commerce currency manage currencies
region manage regions

Orders

Module Function Effect Possible limitations
order cancel cancel an order OrderOwner
create create an order OrderOwner
update change status of an order OrderOwner
view view orders OrderOwner

Payments

Module Function Effect Possible limitations
payment create create a payment PaymentOwner
delete delete a payment PaymentOwner
edit modify a payment PaymentOwner
view view payments PaymentOwner

Payment methods

Module Function Effect Possible limitations
payment_method create create a payment method
delete delete a payment method
edit modify a payment method
view view payment methods

Segments

Module Function Effect Possible limitations
segment assign_to_user assign segments to users Segment Group
create create segments Segment Group
read load segment information Segment Group
remove remove segments Segment Group
update update segments Segment Group

Segment groups

Module Function Effect Possible limitations
segment_group create create segment groups
read load segment group information
remove remove segment groups
update update segment groups

Shipments

Module Function Effect Possible limitations
shipment create create a shipment ShipmentOwner
delete delete a shipment ShipmentOwner
update change status of a shipment ShipmentOwner
view view shipments ShipmentOwner

Shipping methods

Module Function Effect Possible limitations
shipping_method create create a shipping method
delete delete a shipping method
update modify a shipping method
view view shipping methods

Content management

Content

Module Function Effect Possible limitations
content cleantrash empty the Trash (even when the User doesn't have access to individual content items)
create create new content. Note: even without this policy the user is able to enter edit mode, but cannot finalize work with the content item. Content type
Section
Location
Subtree
Language
Owner of Parent
Content type Group of Parent
Content type of Parent
Parent Depth
Field Group
Change Owner
diff unused
edit edit existing content Content type
Section
Owner
Content type Group
Location
Subtree
Language
Object State
Workflow Stage
Field Group
Version Lock
Change Owner
hide hide and reveal content locations Content type
Section
Owner
Content type Group
Location
Subtree
Language
manage_locations remove locations and send content to Trash Content type
Section
Owner
Subtree
Object State
pendinglist unused
publish publish content. Without this Policy, the User can only save drafts or send them for review (in Ibexa Experience) Content type
Section
Owner
Content type Group
Location
Subtree
Language
Object State
Workflow Stage
read view the content both in front and back end Content type
Section
Owner
Content type Group
Location
Subtree
Object State
remove remove locations and send content to Trash Content type
Section
Owner
Location
Subtree
Object State
Language
restore restore content from Trash
reverserelatedlist see all content that a content item relates to (even when the User isn't allowed to view it as an individual content items) Content type
Section
translate unused Content type
Section
Owner
Location
Subtree
Language
translations manage the language list in Admin
unlock unlock drafts locked to a user for performing actions Owner
Content type Group
Subtree
Language
Version Lock
urltranslator manage URL aliases of a content item
versionread view content after publishing, and to preview any content in the Site mode Content type
Section
Owner
Status
Location
Subtree
Object State
versionremove remove archived content versions Content type
Section
Owner
Status
Location
Subtree
Object State
view_embed view content embedded in another content item (even when the User isn't allowed to view it as an individual content item) Content type
Section
Owner
Location
Subtree

Content types

Module Function Effect Possible limitations
class create create new content types. Also required to edit exiting content types
delete delete content types
update modify existing content types. Also required to create new content types

Sections

Module Function Effect Possible limitations
section assign assign Sections to content content type
Section
Owner
New Section
edit edit existing Sections and create new ones
view view the Sections list in Admin. Required for all other section-related policies

Object States

Module Function Effect Possible limitations
state assign assign object states to content items Content type
Section
Owner
Content type Group
Location
Subtree
Object State
New State
administrate view, add and edit object states

Taxonomy

Module Function Effect Possible limitations
taxonomy assign tag or untag content
manage create, edit, and delete tags
read view the Taxonomy interface

Workflow and version comparison

Module Function Effect Possible limitations
comparison view view version comparison
workflow change_stage change stage in the specified workflow Workflow Transition

PIM

Catalogs

Module Function Effect Possible limitations
catalog create create a catalog
delete delete a catalog
edit edit a catalog
view view catalogs

Products

Module Function Effect Possible limitations
product create create a product Product Type
Language
delete delete a product Product Type
edit edit a product Product Type
Language
view view products listed in the product catalog Product Type

Product types

Module Function Effect Possible limitations
product_type create create a product type, a new attribute, a new attribute group, and add translation to product type and attribute
delete delete a product type, attribute, attribute group
edit edit a product type, attribute, attribute group
view view product types, attributes and attribute groups

Combining policies

Policies on one role are connected with the and relation, not or, so when policy has more than one limitation, all of them have to apply.

If you want to combine more than one limitation with the or relation, not and, you can split your policy in two, each with one of these limitations.