What is a Permission?¶
A Permission in Revolution is a single access control that allows or denies execution of a single task. You can think of a permission as a checkbox: can a user perform an action or not?
An example Permission is "content_types" - if a user's Policy does not contain this Permission, then the user will not be able to perform that action. In this case, the user can not view the Content Types page.
Normally you don't deal with permissions individually, but in groups called Access Policies. An Access Policy is a list of individual permissions (also called an Access Control List or ACL). For example, if you need to grant users the permissions necessary to edit content in the manager, you can assign them to use the "Content Editor" policy.
MODX permissions are always additive: if a permission exists on "Access Policy A" and not on "Access Policy B" and you add both policies to a user, the effective policy is a collection of all the permissions defined in both policies. Adding more policies will never remove permissions for a user. For example, if you add a limited "Load Only" policy to an administrator user, the administrator user will still be able to do all the things defined in the Administrator policy.
In practice, Access Policies are associated with User Groups (not with individual users). Access Policies are associated with a User Group, and users may be added to the group.
Access Policies (ACLs) define lists of permissions (see Menu --> Access Controls). These lists contain groups of permissions that belong together.
- User Groups
- Resource Groups
- Security Tutorials
- Hardening MODX Revolution
- Troubleshooting Security
There are also "Policy Templates" -- these help organize the lists of permission in the Access Policies. An Access Policy is a list of checkboxes, the Policy Templates define which checkboxes are available for an Access Policy. Because the full list of permissions may be quite long, it's not efficient to define Access Policies while having to wade through hundreds of checkboxes. Policy Templates allow you to narrow down the options available to an Access Policy.