Access Control
FoxNose CMS offers a robust role-based access control system to manage user permissions at various levels across the organization, project, and environment. This approach helps secure content while providing team members with the specific permissions needed to perform their roles effectively.
For more details on access control for the Delivery API, refer to the relevant article in the Content Delivery section.
Available Roles
Access control in FoxNose CMS is organized by roles that assign specific permissions across the organization’s hierarchy. These roles define access within organizational, project, and environment contexts.
- Organization Owner:
  - Permissions: Full access to manage the entire organization, including all projects and data.
  - Capabilities:
    - Manage organization administrators.
    - Create, modify, and delete projects.
    - Access all environments and data within the organization.
- Organization Administrator:
  - Permissions: Extensive control within the organization, excluding managing other admins.
  - Capabilities:
    - Manage projects and access project-level data.
    - Cannot add or remove other organization administrators.
- Project Administrator:
  - Permissions: Comprehensive control over a specific project.
  - Capabilities:
    - Manage project environments.
    - Assign roles to users within environments.
    - Create and manage API keys specific to the project.
- Environment Administrator:
  - Permissions: Full access within a specific environment.
  - Capabilities:
    - Manage and access all content and configuration settings within the environment.
- Granular Role:
  - Permissions: Configurable, limited to specific entities within an environment. This is the only role available for API keys, but it is also available to users.
  - Capabilities:
    - Granular control over:
      - Locales (specific languages or regions).
      - Folders (defined content sections).
      - Data Schemas (access to specified data structures).
      - Delivery APIs (control over custom Delivery API configurations created within FoxNose).
      - Resources (direct content management within folders).
    - Role-based actions (Create, Read, Update, Delete) for each entity.
Assigning Roles
FoxNose CMS allows roles to be assigned to both users and API keys, though with distinct limitations:
- Users can hold any role within an organization, project, or environment, enabling high-level and environment-specific control.
- API keys are restricted to the Granular Role, granting targeted permissions for service-based interactions while limiting actions to specified entities.
Granular Permissions
The Granular Role offers fine-tuned access to specific entities within an environment. It is available to both users and API keys, making it ideal for scenarios where restricted, focused access is needed.
Accessible Entities
Roles with granular permissions can manage the following entities:
- Folders: Control access to designated folders, enabling specific content management.
- Schemas: Define which data schemas the role can view and modify.
- Locales: Manage access to specific languages within the environment.
- Delivery APIs: Control access to custom APIs created for content distribution from folders.
- Resources: Interact with content items within folders, enabling role-specific actions (CRUD).
Actions (CRUD)
Each entity within the Granular Role can be assigned specific actions:
- Create: Add new items within the allowed scope.
- Read: View existing items.
- Update: Modify existing items.
- Delete: Remove items from the environment.
Limitations of the Granular Role
- No User or Role Management: Granular roles lack permissions to manage other roles or users, limiting these actions to administrators.
- No API Key Management: The Granular Role does not grant permission to create or modify API keys, ensuring centralized API access control.
Object-Level Access Control
The Granular Role enables precise control through object-level permissions within folders, locales, and Delivery APIs. This flexibility supports secure, focused management of content in large environments, with access limited to a maximum of 100 objects per entity.
Locale Access
- Locale Permissions: Locale permissions do not grant full capabilities; they must be combined with resource access.
- Locale Read/Write Access: Users with access to specific locales can read and modify content in those locales.
- Non-Localizable Fields: If a user lacks locale permissions, they can still access non-localizable fields, providing limited content visibility without locale-specific data.
Folder and Delivery API Access
- API Inclusion: Roles with access to specific folders can reference only those folders in a custom Delivery API.
- Folder Removal: Roles can remove folders from a custom Delivery API even if they lack direct access, ensuring API flexibility while securing folder access.
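The rules from the Granular Permissions, Object-Level Access Control, Locale Access and Folder and Delivery API Access sections, expressed as an added in-memory policy model. This is example code written for this article, not FoxNose's own API; the entity keys, keying resource grants by folder, and requiring an Update grant on a Delivery API before its folder list can be edited are assumptions of the model.

```python
from dataclasses import dataclass, field

# Object-level cap stated in the docs: at most 100 objects per entity.
MAX_OBJECTS_PER_ENTITY = 100
ENTITIES = {"folders", "schemas", "locales", "delivery_apis", "resources"}
ACTIONS = {"create", "read", "update", "delete"}


@dataclass
class GranularRole:
    """Hypothetical model of a Granular Role (not FoxNose's own implementation).

    grants maps entity -> object id -> set of CRUD actions, e.g.
    {"folders": {"blog": {"read"}}}. Resource grants are keyed by the
    folder that holds the content (an assumption of this model).
    """
    grants: dict = field(default_factory=dict)

    def can_grant(self, entity, object_id):
        # Existing objects may gain actions; new objects count against the cap.
        objs = self.grants.get(entity, {})
        return object_id in objs or len(objs) < MAX_OBJECTS_PER_ENTITY

    def grant(self, entity, object_id, actions):
        if entity not in ENTITIES or not set(actions) <= ACTIONS:
            raise ValueError(f"unknown entity or action: {entity} {actions}")
        if not self.can_grant(entity, object_id):
            raise ValueError(f"{entity}: limit of {MAX_OBJECTS_PER_ENTITY} objects reached")
        self.grants.setdefault(entity, {}).setdefault(object_id, set()).update(actions)

    def allows(self, entity, object_id, action):
        return action in self.grants.get(entity, {}).get(object_id, set())

    def has_access(self, entity, object_id):
        return bool(self.grants.get(entity, {}).get(object_id))

    def can_access_field(self, folder, locale, action, localizable):
        # A locale grant alone does nothing: resource access in the folder is required.
        if not self.allows("resources", folder, action):
            return False
        # Non-localizable fields are reachable without any locale permission.
        if not localizable:
            return True
        return self.allows("locales", locale, action)

    def can_add_folder_to_api(self, api, folder):
        # Referencing a folder in a custom Delivery API requires access to that folder.
        return self.allows("delivery_apis", api, "update") and self.has_access("folders", folder)

    def can_remove_folder_from_api(self, api, folder):
        # Removal needs only the right to edit the API, not access to the folder.
        return self.allows("delivery_apis", api, "update")
```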
Key Points to Remember
- User Roles: Users can hold any role within the organization, with the Granular Role offering entity-specific control.
- API Key Roles: API keys are limited to the Granular Role, ensuring restricted access based on specified entities.
- Object-Level Access: The Granular Role allows up to 100 object-level permissions per entity, supporting fine-grained access.
- Locale Permissions: Locale access is effective only when combined with resource permissions, and users without locale access can only see non-localizable fields.
- Access Flexibility: Folder and locale access permissions provide flexible, specific access within custom Delivery APIs.
Authentication and Role Alignment
FoxNose CMS uses two primary authentication methods that align with its role-based access structure:
- JWT Authentication:
  - Suited for user interactions, especially administrative tasks within the Manage API.
  - Issues access tokens and refresh tokens for user-specific, session-based interactions.
- API Key Authentication:
  - Ideal for service-based interactions, enabling API keys to securely access both the Manage API and the Delivery API.
  - API keys are restricted to the Granular Role, limiting access to the designated entities and actions.
By combining these authentication methods with a flexible, role-based access structure, FoxNose CMS supports secure and efficient access management tailored to both user-based and service-based interactions.