Creating Manager Users
Assuming that you are the admin Super User, you may want to create other users with access to the MODX Manager (e.g., clients). It's likely that those users should not have all the rights that you have. User rights are controlled by creating ACL entries for the User Group the users belong to. So that you can also modify the Top Menu for those users and perform certain other operations, we'll include the steps of duplicating a Policy Template and a Policy for those users.
Note that if you want to hide specific resources from the users, that is explained in this tutorial.
If you want to control access to specific resources for the users, that is explained in this tutorial.
This tutorial explains how to create Manager users and control what they can do an see in general in the MODX Manager (e.g., publish resources; create resources; view, edit, save, delete, and/or create certain types of elements, etc.).
Here is a preview of the basic steps necessary to control access for users in a specific User Group:
- Create the users
- Create a Role for the users
- Create a User Group for the users
- Put the users in the group
- Duplicate the appropriate Policy Template
- Duplicate the appropriate Policy
- Create a Context Access ACL entry with a Context of "mgr" and the Policy you duplicated
- Edit the Policy to set the Permissions
Here are the steps for creating Manager users with limited rights. The links in the list below are to other mini-tutorials explaining how to perform each step. We'll assume that the user group is called "Editors", although you can use any name as long as you're consistent. If you have performed the first steps in another tutorial, you can skip those steps and use the groups and roles you created.
- Create the Users
- Create a Role for the users. Call the Role "Editor" and give it an Authority level of 10
- Create a User Group called "Editors" and add the users to it
- Duplicate the standard Administrator Policy Template. Call the new Template "EditorAdminTemplate"
- Duplicate the standard Administrator Policy. Call the new Policy "EditorAdmin" and base it on the EditorAdminTemplate Template
- Create a Context Access ACL Entry for the group:
- Go to Security | Access Controls
- click on the "User Groups" tab if it is not the current tab
- Right-click on the "Editors" User Group
- Select "Update User Group"
- Click on the "Context Access" tab
- Click on the "Add Context" button
- Use the following values in the ACL entry:
- Context: mgr
- Minimum Role: Editor
- Policy: EditorAdmin
- Click on the "Save" button in the dialog
- Click on the "Save" button at the upper right
- Edit the EditorAdmin Policy. Uncheck any Permissions that you don't want the users to have
- Click on the "Save" button to save the Policy
- Under Security in the Top Menu, select "Flush Permissions". You may also need to Flush All Sessions and clear the site cache before your permissions take effect.
- Revolution Permissions
- Evolution Permissions
- Revolution Security Cheatsheet
- Basic Security Tutorials
- Advanced Security Tutorials
- Revolution Default ACL Entries
- Installing MODX
- How MODX Works
- Working with MODX resources and Elements
- Using Git with MODX
- Using common MODX add-on components like SPForm, Login, getResources, and FormIt
- MODX security Permissions
- Customizing the MODX Manager
- Using Form Customization
- Creating Transport Packages
- MODX and xPDO object methods
- MODX System Events
- Using PHP with MODX
It's up to you which Permissions you want to deny the users. One permission you almost certainly want to deny is the access_permissions Permission. Users who have that Permission can change their own security settings (and yours!). In fact, they can lock you out of the Manager. Two other commonly used Permissions are element_tree and file_tree. Without those Permissions, the users can't see the Element tree or the File tree in the Manager, effectively blocking them from performing any actions on elements or files.
Note that there are specific Permissions for creating, duplicating, viewing, editing, saving, publishing and deleting specific types of elements and resources. Only deny these if you want to prevent the users from performing those actions on any resource or element of the type specified. If you want to prevent users from performing actions only on a specific group of resources or elements, or give them different rights to different groups of elements or resources, you need to use a different method (and a different tutorial).
For controlling access to specific groups of Resources, see this tutorial
For hiding specific groups of Resources, see this tutorial
For controlling access to specific groups of Elements, see this tutorial
For hiding specific groups of Elements, see this tutorial
The ContentEditor Policy
We could have used the standard ContentEditor Policy for our users, but that would prevent us from modifying the Top Menu or adding other custom permissions down the road.
Security Resources at Bob's Guides
If you have the book and would like to download the code, you can find it here.
If you have the book and would like to see the updates and corrections page, you can find it here.
MODX: The Official Guide is 772 pages long and goes far beyond this web site in explaining beginning and advanced MODX techniques. It includes detailed information on:
Go here for more information about the book.
Thank you for visiting BobsGuides.com
— Bob Ray