Last updated May 17th, 2019 | Page history | Improve this page | Report an issue
Support the team building MODX with a monthly donation.
The budget raised through OpenCollective is transparent, including payouts, and any contributor can apply to be paid for their work on MODX.
$292 per month—let's make that $500!Learn more
What is a Role?¶
A role is a position or status held within a certain situation. In MODX, it can be used to group Users into a position or status within a User Group, e.g. "Editor" or "Front-end Read Only".
Roles in MODX use an integer value called "Authority". Lower numbers represent a stronger authority. E.g. a Role with Authority 10 will inherit any and all Group Policies assigned to itself and to any roles defined with Authority 11, but a user Role with Authority 11 does NOT inherit any of the Group Policies from Role 10.
Be sure you clarify your language when talking about Authority because this inverse relationship can lead to some confusing sentences.
It helps to think of "Authority" as ordinal numbers: first, second, third, etc. Authority=1 is the first authority and trumps Authority=2 (i.e. the second authority).
You should generally avoid duplicate authority numbers.
One common example is to create Roles that mimic a basic employee position structure. Let's say we create the following Roles and Authority levels:
- Administrator - 0
- Director - 1
- Coordinator - 2
- Supervisor - 3
- Employee - 9999
We can then create a User Group called "HR Department". Within that User Group, we'll assign Users to those Roles (you can have multiple Users per Role, as well).
Now, let's say John has a Role of Coordinator. Mark has a Role of Supervisor. We're going to give Mark's "HR Deparment" User Group an Access Policy (which is a set of Permissions) called "AccountPolicy" that has the following Access Permissions in it:
We've assigned this Policy to the "web" context for our User Group "HR Department". We then set its Minimum Role value to "Supervisor":
This means that Mark has these Permissions, since he's in the User Group, and has at least the Role of "Supervisor" (which is the Role he has, specifically).
But this also means that John has these Permissions as well, since he is a "Coordinator" which has a stronger Authority level than "Supervisor". So, John as Coordinator has "inherited" the Permissions than Mark had as Supervisor.
- User Groups
- Resource Groups
- Security Tutorials
- Hardening MODX Revolution
- Troubleshooting Security