Working with MODX users can be hard. Since Revolution doesn't distinguish between "manager" users and "front-end" users, there are several things the admin has to be aware of.
Each user group has to be given access to the contexts its users will need. A new MODX installation has two contexts, "mgr" and "web". Your Manager users will need to be put in groups that have "mgr" access and "web" access. This is not only to let them access the front-end at all, but because the File Manager is actually part of the "web" context. (There may be other Manager functions that require access to the "web" context; I will update this as I find out about them.)
Revolution's permissions use what are called ACLs (Access Control Lists). There are two parts to MODX's implementation of ACLs: Policy Templates and Access Policies. These really aren't as scary as they look. Really, they are just named lists of permissions.
Policy Templates exist only to simplify your job of controlling what a user can do. These will almost entirely refer to Manager users, as front-end users really can only look at pages on the front-end. The easiest way to create a new Policy Template is to duplicate the Administrator template, which includes all possible permissions. Then just right-click and remove any permissions your users will never need.
Access policies are nothing more than a list of permissions the group's users will have. You can simply duplicate the Administrator policy, then un-check permissions you don't want your users to have. But a better way is to use an applicable Policy Template, which will offer only a limited number of permissions. Again, you can uncheck any permissions you don't want these users to have.
See, that wasn't so bad, was it?
Groups are where you put your users. Users can belong to more than one group. And groups get assigned an Access Policy, so they can only do what the list of permissions in the Access Policy allows. If you look at the default groups, you'll see that there is an (anonymous) group. This is for site visitors - every visitor has a default group of "(anonymous)". It has "load" permission for the "web" context, otherwise nobody would be able to even see your pages on the front-end!
Roles are weird. At this point, I'd say the best thing to do is just ignore them. Assign your Manager users the Super User role, your web users the Member role and leave it at that.