Rights, Permissions and Privileges for Users and Groups

The combination of the rights and permissions assigned to users or groups, together with the privileges assigned to one or more groups, determines the actions that users can perform on items. For example, to create a Component, a user requires Component Management rights and write permissions for a Folder in which they can create the Component.

Publication-specific rights

Rights define the types of tasks that users or groups can perform for a specific Publication. You assign rights to users or groups for an entire Publication.

Rights typically convey the security definition of a role in an organization. For example, the role of authors typically involves working with Components but not with Schemas, so users that are authors should have Component Management rights but not Schema Management rights. The system default user Groups therefore have default rights but not default permissions.

The following table describes the operations that are allowed within a Publication by members of the Group that has that right. The rights are grouped according to the types of users who typically require the right.

| Usage | Right | Allowed operations |
|---|---|---|
| For users who create and manage content | Component Management | Creating, modifying and deleting Components |
| | Page Management | Creating, modifying and deleting Pages |
| | Translation Management | Sending translatable items for translation |
| | Publish to Content Distributor | Publishing content to a defined publishing environment |
| For users who create and manage organizational items | Structure Group Management | Creating and deleting Structure Groups and changing Structure Group properties |
| | Folder Management | Creating and deleting Folders and changing Folder properties other than Folder permission settings (this requires Permission Management rights) |
| | Virtual Folder Management | Creating and deleting Virtual Folders (search Folders) |
| | Bundle Management | Creating and deleting Bundles and modifying Bundle properties |
| | Category Management | Creating new Categories, modifying Category properties and deleting Categories |
| For administrators and users with elevated rights | Publication Administration | Administrator-level rights within a Publication (but not the right to create or delete it). This right allows the user to read and update the Publication, and to perform any operation on any item within the Publication, including but not limited to: creating, reading, updating or deleting any item in the Publication; publishing any item in the Publication; checking in any versioned item in the Publication that another user had checked out; undoing the check-out by another user of any versioned item in the Publication; reading, unlocalizing or deleting non-checked-in items |
| | Workflow Management | Various operations with Workflow |
| | Lock Management | Resolving locks on items that are locked or checked out by another user without being a System Administrator. Users with Lock Management rights will be able to: check in or undo the check-out of versioned items that are currently checked out by another user (the exception is when the item is in workflow); unlock organizational items that are locked by another user (this function is currently available only through the Content Manager APIs: TOM.NET, WCF Core Service, or Core Service.REST). An example of when this right can be helpful is when working on a large or distributed team. Perhaps a checked-out item is blocking publishing but, for whatever reason, it cannot be resolved by the person who has it checked out. Another user with this right, like a team lead or lead editor, could resolve the checked-out item without the need to involve a System Administrator. |
| | Permission Management | Modifying security settings to grant Groups and Users Rights for Publications and Permissions for organizational items |
| | Customer Management | Various operations with Target Groups |
| For implementers | Publication Management | Changes to Publication settings and BluePrint relationships |
| | Business Process Type Management | Creating and managing the Business Process Types for the organization |
| | Translation Configuration | Configuring Publications, Folders, Structure Groups, and Categories for translation |
| For content designers | Schema Management | Various operations with Schemas |
| | Page Template Management | Various operations with Page Templates |
| | Component Template Management | Various operations with Component Templates |
| | Template Building Block | Various operations with Template Building Blocks |

Component Templates and Template Building Blocks are used only in the legacy, template-based publishing framework.

Permissions on organizational items

Permissions are set on an organizational item in Content Manager and are also specific to a Group. Similar to folder-level permissions in an operating system, Permissions determine the general types of actions that Group members can perform on that organizational item.

For Structure Groups, Folders, Virtual Folders and Categories, you can set the following Permissions:
  • Read—view items in the organizational item
  • Write—create or edit items in the organizational item
  • Delete—delete items from the organizational item
  • Localize—create local copies of shared BluePrint items
For Bundles, the Permissions are a little different and are as follows:
  • Read—view items in the Bundle
  • Add items—add items to the Bundle
  • Remove items—remove items from the Bundle

System-wide Privileges

Privileges are granted to one or more Groups to allow a User of one or more of those Groups to manage parts of the system that are not inside a Publication.

The following table summarizes the system-wide Privileges.

| Privilege | Allowed operations |
|---|---|
| System Administrator Privilege | Performing all operations |
| System Privilege Management Privilege | Granting or revoking system privileges, excluding the following capabilities: granting or revoking the Privilege Management Privilege itself and the System Administration Privilege; changing other Group properties or Group membership |
| Group Management Privilege | Creating, viewing, updating and deleting Groups. The operations permitted include managing Group scope and membership, getting a list of Users, editing a User and changing the Group membership of a User. |
| Approval Status Management Privilege | Creating, viewing, editing and deleting Approval Statuses |
| Multimedia Type Management Privilege | Creating, viewing, editing and deleting Multimedia Types |
| Publish Transaction Management Privilege | Viewing, editing, deleting and undoing Publish Transactions, including those not initiated by the User |
| Child Publication Creation Privilege | Creating Child Publications of Publications to which the User has access. Typically, you would use this privilege to manage who can or cannot create Publications intended to be used as websites, either using the Site Wizard or in the Publication BluePrint hierarchy. |
| Topology Manager Read Privilege | Viewing the Topology Management slide-out navigation screen in Content Manager Explorer and in Experience Manager, and reading Topology Manager data |
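
The way the three layers on this page combine can be modelled for an access review. This is an added example, not product code or a Content Manager API: the `Group` structure, the function names, the sample Groups, the "Website" Publication and the Folder path are all constructed, and it assumes grants are unioned across a user's Groups.

```python
from dataclasses import dataclass, field

# Simplified model; names and structures are assumptions, not a product API.
SYSADMIN = "System Administrator Privilege"
PUB_ADMIN = "Publication Administration"

@dataclass
class Group:
    name: str
    privileges: set = field(default_factory=set)     # system-wide Privileges
    rights: dict = field(default_factory=dict)       # Publication -> set of Rights
    permissions: dict = field(default_factory=dict)  # organizational item -> Permissions

def explain_access(groups, publication, right, org_item, permission):
    """Return (allowed, reason); grants are unioned over the Groups (assumption)."""
    if any(SYSADMIN in g.privileges for g in groups):
        return True, SYSADMIN
    held = set().union(*(g.rights.get(publication, set()) for g in groups))
    if PUB_ADMIN in held:
        return True, PUB_ADMIN + " right"
    if right not in held:
        return False, f"missing right: {right}"
    perms = set().union(*(g.permissions.get(org_item, set()) for g in groups))
    if permission not in perms:
        return False, f"missing permission: {permission} on {org_item}"
    return True, f"{right} + {permission}"

def bypass_grants(groups):
    """List grants that skip the per-item Permission check, for access reviews."""
    found = []
    for g in groups:
        if SYSADMIN in g.privileges:
            found.append((g.name, "*", SYSADMIN))
        found += [(g.name, pub, PUB_ADMIN)
                  for pub, held in sorted(g.rights.items()) if PUB_ADMIN in held]
    return found

# Constructed sample Groups for one Publication ("Website") and one Folder.
FOLDER = "Website/Articles"
AUTHORS = Group("Authors", rights={"Website": {"Component Management"}},
                permissions={FOLDER: {"Read", "Write"}})
DESIGNERS = Group("Designers", rights={"Website": {"Schema Management"}},
                  permissions={FOLDER: {"Read"}})
LEADS = Group("Leads", rights={"Website": {PUB_ADMIN}})

if __name__ == "__main__":
    for g in (AUTHORS, DESIGNERS, LEADS):  # creating a Component in the Folder
        print(g.name, explain_access([g], "Website", "Component Management", FOLDER, "Write"))
    print(bypass_grants([AUTHORS, DESIGNERS, LEADS]))
```

Groups returned by `bypass_grants` are the ones to review first, because their members are not constrained by the Permissions set on individual organizational items.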