What is an Access Policy?
An Access Policy is a named set of one or more Permissions, defined in the manager. Out of the box, MODX comes with these pre-configured Access Policies:
- Administrator: Context administration policy with all default permissions.
- Context Editor: Context administration policy with limited, content-editing related Permissions, but no publishing Permissions.
- Context: A standard Context policy that you can apply when creating Context ACLs for basic read/write and view_unpublished access within a Context.
- Element: MODX Element policy with all attributes.
- Load Only: A minimal policy with permission to load an object.
- Load, List and View: Provides load, list and view permissions only.
- Media Source Admin: Media Source administration policy.
- Media Source User: Media Source user policy, with basic viewing and using - but no editing - of Media Sources.
- Object: An Object policy with all permissions.
- Resource: MODX Resource Policy with all attributes.
If you want to customize any of the default Access Policies above, duplicate (and rename) the policy first and edit the copy. Otherwise your changes will be lost the next time you update MODX, because the setup script overwrites the default policies.
Creating and Editing
To create an Access Policy in the manager, navigate to
Security -> Access Controls -> Access Policies
From there you can add new policies. To edit an Access Policy in the manager, simply right-click the Policy you want to edit.
Policies can be used in many different ways. Here are three ways they are used by default in MODX:
Context Access
Access Policies can be assigned as Access Control Lists (ACLs) to a Context and a User Group, with a specified Minimum Role. Every User in that User Group whose Role is at least the Minimum Role (in MODX a lower authority number is stronger, so a Role qualifies when its authority value is equal to or lower than the Minimum Role's) can then use the Permissions in the Policy within the Context named in the ACL.
MODX comes with a default "Administrator" Policy that contains all the Permissions one would use in a Context ACL. It's best to duplicate this policy when creating a custom access policy for restricting manager users.
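As an added example (not part of the MODX documentation or core), the duplicate-then-restrict advice above can be scripted against the MODX Revolution 2.x PHP API instead of clicking through the manager. It assumes the script is run from the CLI in the MODX web root next to `config.core.php`, that a User Group named "Editors" already exists, and that the permissions removed from the copy (publishing and setup related ones) are just an illustrative choice; the classes used (`modAccessPolicy`, `modUserGroupRole`, `modAccessContext`) are the standard MODX ones.

```php
<?php
/**
 * Added example: copy the stock "Administrator" policy, drop a few permissions,
 * and bind the copy to a User Group as a Context ACL on the "mgr" context.
 * Run from the MODX web root (next to config.core.php).
 */
require_once __DIR__ . '/config.core.php';
require_once MODX_CORE_PATH . 'model/modx/modx.class.php';

$modx = new modX();
$modx->initialize('mgr');
$modx->getService('error', 'error.modError');

// 1. Load the default policy to copy. Never edit it in place: setup
//    overwrites the stock policies on upgrade.
$source = $modx->getObject('modAccessPolicy', array('name' => 'Administrator'));
if (!$source) {
    exit("Administrator policy not found\n");
}

// 2. Build the copy. 'data' is stored as JSON and exposed as an array of
//    permission name => true, so entries can be removed directly.
$permissions = $source->get('data');
// Illustrative choice (assumption): the permissions our editors must not have.
$dropped = array('publish_document', 'unpublish_document', 'settings', 'packages', 'access_permissions');
foreach ($dropped as $name) {
    unset($permissions[$name]);
}

$copy = $modx->getObject('modAccessPolicy', array('name' => 'Restricted Editors'));
if (!$copy) {
    $copy = $modx->newObject('modAccessPolicy');
}
$copy->fromArray(array(
    'name'        => 'Restricted Editors',
    'description' => 'Copy of Administrator without publishing and setup permissions',
    'template'    => $source->get('template'), // same policy template, so the manager shows the same checkboxes
    'lexicon'     => $source->get('lexicon'),
    'data'        => $permissions,
));
if (!$copy->save()) {
    exit("Could not save policy\n");
}

// 3. Bind it as a Context ACL: group "Editors" (assumed to exist), minimum role
//    "Member". Lower authority numbers are stronger, so every role with an
//    authority value <= Member's qualifies.
$group = $modx->getObject('modUserGroup', array('name' => 'Editors'));
$role  = $modx->getObject('modUserGroupRole', array('name' => 'Member'));
if (!$group || !$role) {
    exit("User Group 'Editors' or Role 'Member' not found\n");
}

$acl = $modx->newObject('modAccessContext');
$acl->fromArray(array(
    'target'          => 'mgr',             // the Context this ACL applies to
    'principal_class' => 'modUserGroup',
    'principal'       => $group->get('id'),
    'authority'       => $role->get('authority'),
    'policy'          => $copy->get('id'),
));
if (!$acl->save()) {
    exit("Could not save Context ACL\n");
}

echo 'Policy ' . $copy->get('id') . ' bound to group ' . $group->get('id') . " on context mgr\n";
```

Permissions are cached in each user's session, so after changing a Policy or ACL the affected users must log in again, or you flush the cached permissions from the manager (Security -> Flush Permissions), before the change takes effect.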
Resource Group Access
Policies can also be used in Resource Group ACLs, which limit access to Resources based on Resource Groups and Roles. MODX comes packaged with a default "Resource" Policy that contains all the basic Permissions one would use in a Resource Group ACL.
For example, to protect a Resource Group called "HR Documents", you would give a User Group called "HR Department" access to that Resource Group via a Resource Group ACL that uses the "Resource" Policy (together with a Minimum Role and the Context it applies to).
This restricts all Resources in the "HR Documents" Resource Group to Users who are members of the "HR Department" group; Users outside that group are denied access to those Resources.
Element Category Access
Elements can be restricted from view by ACLs on Categories. For example, if you had a User Group called "Developers" and wanted Users in that group to be the only ones who could see Elements in the Category "Gallery", you would create an ACL in the "Element Category Access" tab when editing the User Group, targeting the "Gallery" Category with an Element policy such as the default "Element" Policy.
This allows only Users in the "Developers" User Group to see Elements in the "Gallery" Category.
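The two examples above ("HR Documents" for the HR Department, "Gallery" for the Developers), as an added example script against the MODX Revolution 2.x API rather than the manager UI. This is not MODX's own code; it assumes it is run from the CLI in the MODX web root, uses the stock "Resource" and "Element" Policies and the stock "Member" Role, and the Resource id 12 added to the group at the end is a placeholder for one of your own Resources.

```php
<?php
/**
 * Added example: create a Resource Group ACL and an Element Category ACL
 * with the MODX API. Run from the MODX web root (next to config.core.php).
 */
require_once __DIR__ . '/config.core.php';
require_once MODX_CORE_PATH . 'model/modx/modx.class.php';

$modx = new modX();
$modx->initialize('mgr');
$modx->getService('error', 'error.modError');

/** Load an object by its 'name' field, creating it if it does not exist yet. */
function ensureByName(modX $modx, $class, $name)
{
    $obj = $modx->getObject($class, array('name' => $name));
    if (!$obj) {
        $obj = $modx->newObject($class, array('name' => $name));
        $obj->save();
    }
    return $obj;
}

/** Return the authority value of a Role (lower number = stronger role). */
function roleAuthority(modX $modx, $roleName)
{
    $role = $modx->getObject('modUserGroupRole', array('name' => $roleName));
    if (!$role) {
        exit("Role '$roleName' not found\n");
    }
    return (int) $role->get('authority');
}

$hrGroup  = ensureByName($modx, 'modUserGroup', 'HR Department');
$devGroup = ensureByName($modx, 'modUserGroup', 'Developers');
$hrDocs   = ensureByName($modx, 'modResourceGroup', 'HR Documents');

// modCategory stores its name in the 'category' field, not 'name'.
$gallery = $modx->getObject('modCategory', array('category' => 'Gallery'));
if (!$gallery) {
    $gallery = $modx->newObject('modCategory', array('category' => 'Gallery'));
    $gallery->save();
}

$resourcePolicy = $modx->getObject('modAccessPolicy', array('name' => 'Resource'));
$elementPolicy  = $modx->getObject('modAccessPolicy', array('name' => 'Element'));
if (!$resourcePolicy || !$elementPolicy) {
    exit("Stock 'Resource' or 'Element' policy missing\n");
}

// Resource Group ACL: "HR Department" (Member or stronger) gets the "Resource"
// Policy on "HR Documents" in the web Context. Users outside the group are
// denied the Resources in that group.
$rgAcl = $modx->newObject('modAccessResourceGroup');
$rgAcl->fromArray(array(
    'target'          => $hrDocs->get('id'),
    'principal_class' => 'modUserGroup',
    'principal'       => $hrGroup->get('id'),
    'authority'       => roleAuthority($modx, 'Member'),
    'policy'          => $resourcePolicy->get('id'),
    'context_key'     => 'web',
));
$rgAcl->save();

// Element Category ACL: "Developers" (Member or stronger) get the "Element"
// Policy on the "Gallery" Category in the manager Context.
$catAcl = $modx->newObject('modAccessCategory');
$catAcl->fromArray(array(
    'target'          => $gallery->get('id'),
    'principal_class' => 'modUserGroup',
    'principal'       => $devGroup->get('id'),
    'authority'       => roleAuthority($modx, 'Member'),
    'policy'          => $elementPolicy->get('id'),
    'context_key'     => 'mgr',
));
$catAcl->save();

// An ACL only matters once Resources are in the group. Resource id 12 is a
// placeholder (assumption) for one of your own documents.
$resource = $modx->getObject('modResource', 12);
if ($resource) {
    $resource->joinGroup($hrDocs);
}

echo "Resource Group ACL " . $rgAcl->get('id') . " and Category ACL " . $catAcl->get('id') . " created\n";
```

A useful check after running this: log in as a user who is not in "HR Department" and request the protected Resource. MODX should refuse it, and in code `$modx->getObject('modResource', 12)` returns `null` for that user because object loading honours the Resource Group ACLs.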
Custom Policies
You can also define your own Policies with Permissions of your own, for use by your own components. As an example, consider a custom policy whose permissions are 'view_accounts' and 'save_accounts'.
Any User who is granted this Policy through an ACL would have the permissions 'view_accounts' and 'save_accounts', and your own code can check for them.
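As an added example (not MODX's own code), here is the custom policy just described built with the MODX Revolution 2.x API, together with the check a Snippet would make at runtime. Custom Permissions have to be declared on a Policy Template before a Policy can grant them, so the script creates a template first. It assumes a CLI run from the MODX web root, a User Group named "Accounts Staff", a Policy Template Group named "Admin" (falling back to id 1), and a hypothetical accounts component; the policy, template and group names are placeholders.

```php
<?php
/**
 * Added example: a custom Policy Template with two custom Permissions, a
 * Policy built from it, a Context ACL granting it, and the runtime check.
 * Run from the MODX web root (next to config.core.php).
 */
require_once __DIR__ . '/config.core.php';
require_once MODX_CORE_PATH . 'model/modx/modx.class.php';

$modx = new modX();
$modx->initialize('mgr');
$modx->getService('error', 'error.modError');

// 1. A Policy Template declares which Permissions a Policy may contain.
//    Template group "Admin" is assumed; id 1 is used if it cannot be found.
$templateGroup = $modx->getObject('modAccessPolicyTemplateGroup', array('name' => 'Admin'));
$template = $modx->getObject('modAccessPolicyTemplate', array('name' => 'AccountsTemplate'));
if (!$template) {
    $template = $modx->newObject('modAccessPolicyTemplate');
    $template->fromArray(array(
        'name'           => 'AccountsTemplate',
        'description'    => 'Permissions for the (hypothetical) accounts component',
        'lexicon'        => 'permissions',
        'template_group' => $templateGroup ? $templateGroup->get('id') : 1,
    ));
    $template->save();
}

// 2. Declare the two custom Permissions on that template (idempotent).
$custom = array(
    'view_accounts' => 'View account records',
    'save_accounts' => 'Create and edit account records',
);
foreach ($custom as $name => $description) {
    $exists = $modx->getCount('modAccessPermission', array('template' => $template->get('id'), 'name' => $name));
    if (!$exists) {
        $perm = $modx->newObject('modAccessPermission');
        $perm->fromArray(array(
            'template'    => $template->get('id'),
            'name'        => $name,
            'description' => $description,
            'value'       => true,
        ));
        $perm->save();
    }
}

// 3. The Policy: which of the template's Permissions it grants.
$policy = $modx->getObject('modAccessPolicy', array('name' => 'Accounts Manager'));
if (!$policy) {
    $policy = $modx->newObject('modAccessPolicy');
}
$policy->fromArray(array(
    'name'        => 'Accounts Manager',
    'description' => 'Can view and save accounts',
    'template'    => $template->get('id'),
    'lexicon'     => 'permissions',
    'data'        => array('view_accounts' => true, 'save_accounts' => true),
));
$policy->save();

// 4. Grant it in the "web" Context to "Accounts Staff" (assumed to exist), Member or stronger.
$group = $modx->getObject('modUserGroup', array('name' => 'Accounts Staff'));
$role  = $modx->getObject('modUserGroupRole', array('name' => 'Member'));
if ($group && $role) {
    $acl = $modx->newObject('modAccessContext');
    $acl->fromArray(array(
        'target'          => 'web',
        'principal_class' => 'modUserGroup',
        'principal'       => $group->get('id'),
        'authority'       => $role->get('authority'),
        'policy'          => $policy->get('id'),
    ));
    $acl->save();
}

// 5. The runtime check, as the body of a front-end Snippet would make it.
//    hasPermission() evaluates the Context ACLs that apply to the current
//    user in the current Context, so it is false for anyone outside the group.
function accountsListSnippet(modX $modx)
{
    if (!$modx->hasPermission('view_accounts')) {
        return ''; // deny quietly: no hint that the feature exists
    }
    $canEdit = $modx->hasPermission('save_accounts');
    return $canEdit ? 'accounts list with edit links' : 'read-only accounts list';
}
```

Deny by default: the Snippet returns nothing unless the Permission is present, and it distinguishes the read-only case ('view_accounts' only) from the editing case ('save_accounts') rather than assuming one implies the other.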
See Also
- User Groups
- Resource Groups
- Security Tutorials
- Hardening MODX Revolution
- Troubleshooting Security