Creating a Second Super Admin User
Last updated Apr 30th, 2019
The Problem
You want another MODX Revolution User to have full manager access, with all the Permissions of an Administrator user. Perhaps it's your colleague or your client, but by creating another Administrator, you are handing over the keys to the entire site. This is a simplistic scenario: the other admin would be able to modify or delete your user, so it may not be a viable solution for what you need to do. In the process of walking users through this task, this page gives a brief introduction to roles and access policies.
The Solution
After logging into your site's manager, do the following:
- Create a new user: Manage -> Users -> New User (Button)
- Be sure you give the new user a unique username, password, and email.
- Before saving the user, click the tab marked Access Permissions and click the button marked Add User Group to User
  - User Group: Administrator
  - Role: Super User
- Save the user. (You can always return to Security -> Manage Users and right-click the user to update the properties).
- Try logging in to the manager using a different browser to verify that the login works.
Why can't I add another Administrator with a different Role, e.g. a "Member"?
Try it. When you try to log in using the other username with only a "Member" role, permission will be denied. But why? It has to do with Context Access and Access Policies, which get a lot more complicated in a hurry. Go to Security -> Access Controls, right-click the Administrator User Group -> Update User Group, then click on the Context Access tab. You'll see something like this:
By default, MODX Revolution has 2 contexts: web (the front-end) and mgr (the back-end). From this table, we can learn 2 things: that the minimum role is the Super-User role, and that the "Access Policy" in use for this context is "Administrator". Even if you don't understand what all of that means, this is a good place to start learning about permissions.
Minimum Role
From the Context Access screen, you can see that you have to be at least a "Super User". Merely being a "Member" won't cut it. So that's why logging in fails for Admins with only "Member" roles.
Roles
While we're at it, why would you want to give another user another role if he or she was going to have the exact same privileges as you? Technically speaking, if they have the exact same privileges, then their role is equivalent to yours. In other words, you don't need a new role.
When thinking about roles, think about the access policy shown on that Context Access tab. The access policy says what a user can and can't do when assigned a particular role.
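The minimum-role check described under "Minimum Role" and "Roles" can be modelled in a few lines. This is an added example, not MODX code: it is a simplified model, the data is constructed, and the role authority numbers (lower means more privileged) are assumed MODX defaults that this page does not state.

```python
# Added illustration: a simplified model of MODX Revolution's Context Access
# check. Role authority numbers are assumed defaults (lower = more privileged).
from dataclasses import dataclass

ROLE_AUTHORITY = {"Super User": 0, "Member": 9999}  # assumed default roles

@dataclass(frozen=True)
class ContextAccess:          # one row of a User Group's Context Access tab
    group: str
    context: str              # "web" or "mgr"
    minimum_role: str
    policy: str

@dataclass(frozen=True)
class Membership:             # one row of a user's Access Permissions tab
    user: str
    group: str
    role: str

# Constructed sample data mirroring the defaults described on this page.
ACCESS = [
    ContextAccess("Administrator", "mgr", "Super User", "Administrator"),
    ContextAccess("Administrator", "web", "Super User", "Administrator"),
]
MEMBERS = [
    Membership("admin", "Administrator", "Super User"),
    Membership("colleague", "Administrator", "Super User"),
    Membership("intern", "Administrator", "Member"),
]

def policies_for(user, context, members=MEMBERS, access=ACCESS):
    """Return the access policies that apply to `user` in `context`."""
    applied = set()
    for m in (m for m in members if m.user == user):
        for row in access:
            if row.group != m.group or row.context != context:
                continue
            # The policy applies only if the member's role is at least as
            # privileged as the row's minimum role (authority <= minimum).
            if ROLE_AUTHORITY[m.role] <= ROLE_AUTHORITY[row.minimum_role]:
                applied.add(row.policy)
    return applied

def can_use_manager(user):
    """No policy in the mgr context means the manager login is denied."""
    return bool(policies_for(user, "mgr"))

def full_admins():
    """Audit helper: every user who holds the Administrator policy in mgr."""
    users = sorted({m.user for m in MEMBERS})
    return [u for u in users if "Administrator" in policies_for(u, "mgr")]
```

`full_admins()` is the list worth reviewing periodically, since every name on it holds the keys to the entire site.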
See Also
See the other tutorial about Giving a User Manager Access for an example of how to create a user with a permission level lower than yours.
Shaun McCormick's video on Understanding MODX Revolution Security gives a detailed walk-through of setting up some complex permission schemes.