Assigning Permissions

Last Updated: Jan 15, 2020
documentation for the dotCMS Content Management System

Object Permissions

You may assign permissions to objects in dotCMS in in dotCMS in four different ways:

These are two different views of the same permissions. Although the way the permissions are displayed and assigned using each method is different, the permissions are the same, and the permissions you assign using one method will display (and can be changed) when you view the permissions using the other method.

Assigning Permissions to Users and Roles

You may assign permissions to users via the Users screen and you may assign permissions to Roles via the Roles & Tools screen.

When you apply permissions to a user or Role, rights are granted by selecting a Site or folder, and then applying permissions to the Site or folder itself, and specific types of objects within and below the Site or folder.

User and Role Permissions Matrix

Each object rights are granted for is displayed in a highlighted row. When you click on any object row, the view expands to show a matrix of permissions for different object types within the parent object (the selected row).

User and Role permissions are assigned via an object “matrix” that allows you to assign specific rights to specific objects and/or types of objects.

When assigning Permissions, the level of rights granted to a user or role are displayed in columns, and the objects the rights are granted to are in rows. Checking a box grants the user or Role only the rights in the matching column for only the objects in the matching row.

Assigning Permissions to Sites, Folders, and Objects

You may assign permissions directly to individual Sites, folders, and objects by accessing the object(s) in the Site Browser or the Content Search screen.

When you apply permissions to a Site, folder, or object, rights are granted by selecting a user or Role, and then applying permissions to the selected user or Role for the object (Site, folder, etc.) whose permissions are being viewed.

Object Permission Matrix

Each user or Role that has rights to the object being viewed is displayed in a highlighted row.

  • Sites and folders: When you click a row, the view expands to show a matrix of permissions that the selected user or Role has for different object types within the Site or folder being viewed.
  • Other Objects: You may apply permissions for each user or Role to the object by selecting the appropriate check boxes within the highlighted row.

Rights to Grant

The following lists all the possible rights that may be granted to different objects, regardless of the method used. Note, however, that not all rights are available for all types of objects; checkboxes will be displayed next to a row only when the rights in that column can be applied to that type of object.

Rights ColumnPermissions Granted
ViewView the Site or folder in the Site Browser, or when selecting from a Site or Folder field on content.
Add ChildrenAdd objects within a Host (at the top level) or folder.
EditModify an object (but not publish “live” changes to the Site).
PublishPublish objects so that they appear on the live (front-end) Site.
Edit PermissionsChange the Permissions settings for the object(s) (both for their own user account and for other users and Roles).
Content Types only: Add, Edit, and Delete Content Types themselves (as opposed to content items of the Content Types).
Vanity URLs
(only on All Sites)
Add and edit Vanity URLs (for all Sites on your dotCMS instance).

Object Type(s) to Grant Rights for

When you are assigning rights to a user or Role, or when assigning rights to an object which can contain other objects (such as a Site or folder), you may assign permissions for specific types of objects within the object whose permissions are being assigned. The following table lists all the object types that you can grant a user or Role rights to, and where these rights apply (which levels of the Site and folder hierarchy allow you to assign rights to these types of objects).

Object TypeAll
SitesFoldersObjects Rights are Applied To
SitesYesSites (Permissions)
FoldersYesYesYesFolders (Permissions)
both top-level folders (directly under a Site) and sub-folders
TemplatesYesYesAdvanced Templates (Permissions)
Template-LayoutsYesYesStandard (Template Designer) Templates (Permissions)
PagesYesYesYesPages (Permissions)
LinksYesYesYesMenu Links (Permissions)
Content TypesYesYesYesContent Types (Permissions)
Content/FilesYesYesYesContent items (Permissions)
CategoryYesCategories (Permissions)
All Hosts

Permissions set on All Hosts apply to all objects of the specified type(s) on all Sites hosted on your dotCMS instance. These are the default Permissions that will be applied unless Permissions are set for the same objects on a lower level object (such as an individual Site or a folder within a Site).

In the example below, the user selected may create Templates and Containers on all Sites hosted on the dotCMS instance. However this user can not publish Templates or Containers on ANY Site.

All Sites Permissions

Cascade Changes

The Cascade Changes option applies the Permissions changes you've made to both the object whose permissions were changed and all objects below that object in the dotCMS Site and folder hierarchy. This includes child objects (top-level folders of a Site or Pages, files, folders, and content within a folder), grandchild objects (all objects within subfolders), etc.


Do not select the Cascade Changes option unless you are sure you know what you're doing, and you're sure you need it in order for your Permissions to work as expected.

  • This option will remove any individually set permissions on all objects below the selected object (including child objects, grand-child objects, etc.), and should only be used when necessary.
  • For example, changing permissions for “All Hosts” and cascading changes will overwrite permission settings on every Site.

If you are unsure whether or not you need to cascade changes, update Permissions first without setting the Cascade Changes option and check to see if your users have the access they need. If your users can't access objects as needed, you can later go back and re-apply the permissions with the Cascade Changes selected (after verifying that cascading changes will not remove any individually applied lower level obect permissions).

Action Permissions

In addition, there are two additional types of permissions you can assign in dotCMS that grant rights to perform certain types of actions at a level separate from objects:

  • Assign permissions to a Workflow Action, granting specific users or Roles rights to perform the action.
  • Assign permissions to a Push Publishing Endpoint, granting specific users rights to push to the Endpoint.

Each of these permissions is assigned in a slightly different way, as appropriate for the type of action rights are being granted to, but in both cases rights are granted for a user or Role to perform a specific type of action on multiple objects

For more information about granting permissions for these actions, please see the documentation links above.

On this page


We Dig Feedback

Selected excerpt: