Documentation >
Permissions >
Policies

Policies¶

Policies are the main building block of the permissions system. Each Role you assign to user or user group consists of Policies which define, which parts of the application or website the user has access to.

Available Policies¶

Access to all functions¶

Module	Function	Effect	Possible Limitations
`*`	`*`	all modules, all functions: grant all available permissions

Tip

For each module, all functions can be given without limitation. For example, content/* gives access to all functions of the content module, even future ones.

Administration and user management¶

Activity log¶

Module	Function	Effect	Possible Limitations
`activity_log`	`read`	access activity list	ActivityLogOwner

Customer groups¶

Module	Function	Effect
`customer_group`	`create`	create a customer group
	`delete`	delete a customer group
	`edit`	edit a customer group
	`view`	view customer groups

Personalization¶

Module	Function	Effect	Possible Limitations
`personalization`	`edit`	modify scenario configuration for selected SiteAccesses	Personalization access
	`view`	view scenario configuration and results for selected SiteAccesses	Personalization access

Roles¶

Module	Function	Effect
`role`	`assign`	assign Roles to Users and User Groups
	`create`	create new Roles
	`delete`	delete Roles
	`read`	view the Roles list in Admin. Required for all other role-related Policies
	`update`	modify existing Roles

Setup¶

Module	Function	Effect
`setup`	`administrate`	access Admin
	`install`	unused
	`setup`	unused
	`system_info`	view the System Information tab in Admin

Sites ¶

Module	Function	Effect
`site`	`change_status`	change status of the public accesses of sites to `Live` or `Offline` in the Site Factory
	`create`	create sites in the Site Factory
	`delete`	delete sites from the Site Factory
	`edit`	edit sites in the Site Factory
	`update`	update sites in the Site Factory
	`view`	view the "Sites" in the top navigation

Users¶

Module	Function	Effect
`user`	`activation`	unused
	`invite`	create and send invitations to create an account
	`login`	log in to the application
	`password`	unused
	`preferences`	access and set user preferences
	`register`	register using the `/register` route
	`selfedit`	unused

Commerce¶

Cart ¶

Module	Function	Effect	Possible Limitations
`cart`	`create`	create a cart	CartOwner
	`delete`	delete cart, for example, after successful checkout	CartOwner
	`edit`	change cart metadata (name, currency, owner), add/remove cart items	CartOwner
	`view`	view a cart	CartOwner

Checkout ¶

Module	Function	Effect
`checkout`	`create`	create new checkout, for example, after workflow fails to complete
	`delete`	delete checkout, for example, after workflow completes successfully
	`update`	change currency, quantity
	`view`	access checkout

Currencies and regions¶

Module	Function	Effect	Possible Limitations
`commerce`	`currency`	manage currencies
	`region`	manage regions

Orders ¶

Module	Function	Effect	Possible Limitations
`order`	`cancel`	cancel an order	OrderOwner
	`create`	create an order	OrderOwner
	`update`	change status of an order	OrderOwner
	`view`	view orders	OrderOwner

Payments ¶

Module	Function	Effect	Possible Limitations
`payment`	`create`	create a payment	PaymentOwner
	`delete`	delete a payment	PaymentOwner
	`edit`	modify a payment	PaymentOwner
	`view`	view payments	PaymentOwner

Payment methods ¶

Module	Function	Effect
`payment_method`	`create`	create a payment method
	`delete`	delete a payment method
	`edit`	modify a payment method
	`view`	view payment methods

Segments ¶

Module	Function	Effect	Possible Limitations
`segment`	`assign_to_user`	assign Segments to Users	Segment Group
	`create`	create Segments	Segment Group
	`read`	load Segment information	Segment Group
	`remove`	remove Segments	Segment Group
	`update`	update Segments	Segment Group

Segment groups ¶

Module	Function	Effect
`segment_group`	`create`	create Segment Groups
	`read`	load Segment Group information
	`remove`	remove Segment Groups
	`update`	update Segment Groups

Shipments ¶

Module	Function	Effect	Possible Limitations
`shipment`	`create`	create a shipment	ShipmentOwner
	`delete`	delete a shipment	ShipmentOwner
	`update`	change status of a shipment	ShipmentOwner
	`view`	view shipments	ShipmentOwner

Shipping methods ¶

Module	Function	Effect
`shipping_method`	`create`	create a shipping method
	`delete`	delete a shipping method
	`update`	modify a shipping method
	`view`	view shipping methods

Content management¶

Content¶

Module	Function	Effect	Possible Limitations
`content`	`cleantrash`	empty the Trash (even when the User does not have access to individual content items)
	`create`	create new content. Note: even without this Policy the User is able to enter edit mode, but cannot finalize work with the content item.	Content type Section Location Subtree Language Owner of Parent Content type Group of Parent Content type of Parent Parent Depth Field Group Change Owner
	`diff`	unused
	`edit`	edit existing content	Content type Section Owner Content type Group Location Subtree Language Object State Workflow Stage Field Group Version Lock Change Owner
	`hide`	hide and reveal content Locations	Content type Section Owner Content type Group Location Subtree Language
	`manage_locations`	remove Locations and send content to Trash	Content type Section Owner Subtree Object State
	`pendinglist`	unused
	`publish`	publish content. Without this Policy, the User can only save drafts or send them for review (in Ibexa Experience)	Content type Section Owner Content type Group Location Subtree Language Object State Workflow Stage
	`read`	view the content both in front and back end	Content type Section Owner Content type Group Location Subtree Object State
	`remove`	remove Locations and send content to Trash	Content type Section Owner Location Subtree Object State Language
	`restore`	restore content from Trash
	`reverserelatedlist`	see all content that a content item relates to (even when the User is not allowed to view it as an individual content items)	Content type Section
	`translate`	unused	Content type Section Owner Location Subtree Language
	`translations`	manage the language list in Admin
	`unlock`	unlock drafts locked to a user for performing actions	Owner Content type Group Subtree Language Version Lock
	`urltranslator`	manage URL aliases of a content item
	`versionread`	view content after publishing, and to preview any content in the Site mode	Content type Section Owner Status Location Subtree Object State
	`versionremove`	remove archived content versions	Content type Section Owner Status Location Subtree Object State
	`view_embed`	view content embedded in another content item (even when the User is not allowed to view it as an individual content item)	Content type Section Owner Location Subtree

Content types¶

Module	Function	Effect
`class`	`create`	create new content types. Also required to edit exiting content types
	`delete`	delete content types
	`update`	modify existing content types. Also required to create new content types

Sections¶

Module	Function	Effect	Possible Limitations
`section`	`assign`	assign Sections to content	content type Section Owner New Section
	`edit`	edit existing Sections and create new ones
	`view`	view the Sections list in Admin. Required for all other section-related Policies

Object States¶

Module	Function	Effect	Possible Limitations
`state`	`assign`	assign Object states to content items	Content type Section Owner Content type Group Location Subtree Object State New State
	`administrate`	view, add and edit Object states

Taxonomy¶

Module	Function	Effect
`taxonomy`	`assign`	tag or untag content
	`manage`	create, edit, and delete tags
	`read`	view the Taxonomy interface

Workflow and version comparison¶

Module	Function	Effect	Possible Limitations
`comparison`	`view`	view version comparison
`workflow`	`change_stage`	change stage in the specified workflow	Workflow Transition

PIM¶

Catalogs¶

Module	Function	Effect
`catalog`	`create`	create a catalog
	`delete`	delete a catalog
	`edit`	edit a catalog
	`view`	view catalogs

Products¶

Module	Function	Effect	Possible Limitations
`product`	`create`	create a product	Product Type Language
	`delete`	delete a product	Product Type
	`edit`	edit a product	Product Type Language
	`view`	view products listed in the product catalog	Product Type

Product types¶

Module	Function	Effect
`product_type`	`create`	create a product type, a new attribute, a new attribute group and add translation to product type and attribute
	`delete`	delete a product type, attribute, attribute group
	`edit`	edit a product type, attribute, attribute group
	`view`	view product types, attributes and attribute groups

Combining Policies¶

Policies on one Role are connected with the and relation, not or, so when Policy has more than one Limitation, all of them have to apply.

If you want to combine more than one Limitation with the or relation, not and, you can split your Policy in two, each with one of these Limitations.