Roles and Permissions for Compose

Compose relies on the standard Contentful entities: entries and assets, using them as building blocks for its content model. As permission rules are created at the level of entries and assets, Contentful permissions model applies also for Compose. To learn general principles on how roles and permissions work in Contentful, please refer to Creating a custom role.

This guide focuses mainly on Compose-specific use cases and provides best practices on setting up roles for Compose users.

Due to the fact that Compose relies on roles and permissions on an asset and entry level this guide also requires knowledge about the content model used by Compose. Read the content model section of this documentation first.

To learn how to automate your role provisioning, please read the guide on how to manage user roles and permissions via the Content Management API.

Compose roles - use cases

Below are the recommendations on setting up some specific role types for Compose users.

Granting access to a specific page

Granting user an access to a specific page in Compose can be achieved by creating a role that enables the user to access only that specific page entry, the associated SEO entry and all entries that are linked to the page. There are the following ways of achieving this outcome:

1. Limiting access based on the specific entry IDs - You can limit the user to be able to manage a specific page in Compose by providing this user with an access to this specific page, the entries that the page contains and the entries that are linked by it. To achieve this, under the Content tab of the role editor page create a new allow rule, select the required action option and A specific entry as an allowed entry type. Then, in the Add existing entry window, select the entry that the user will be allowed to access. For the user to have access to a specific page in Compose, the allow rules for the following Compose content model elements should be created: "Compose: Page", "Compose: SEO", Page Type and entries referenced by this Page Type.

The screenshot below displays an example role for an Editor that can edit and publish the "Bits & Bytes" video series page of the example Help Center.

2. Limiting access based on tags. Compose itself does not support adding tags, however the web app can be used to add a tag to all entries the user should be able to access. This option is more flexible than option 1 and supports granting access to multiple pages with less overhead. To learn how to create and add tags, please refer to Creating tags. For explanations on how to use tags to restrict access please read Content permissions with tags.

Publishing with limited access

A user can be enabled to publish pages, even if this user does not have access to publishing all entries and assets that this page contains. To be able to publish a page, the user has to have at least access to publish the "Compose: Page" entry of the page. If the user does not have access to publish other entries, these entries will be indicated when publishing the page. The user can then decide if to proceed with publishing.

Best practices

Required read access

To ensure optimal experience in Compose for the users, it is required to grant all user roles a read access to entries of at least the following content types:

• Compose: Page: Content type that serves as a container for Page types. A user should be granted a read access to it to be able to view pages in Compose.
• Compose: SEO: The SEO settings for a page. If a user doesn't have an access to read it, the SEO metadata section in the page settings won't be displayed to the user.
• Page types: If a user doesn't have an access to read a Page type, the user will be able to view it in the list of pages in Compose, but won't be able to open the page in the page editor.
• A user should have access to all entries that are contained in the pages. If a user doesn't have an access to read an entry, the entry won't be displayed or won't be accessible.

Required access to create pages

To enable a user to create a page, it is required to add create permissions to the user's role for at least the following content types:

• Compose: Page: Content type that serves as a container for Page types. A user should be granted a create access to be able to create a page.
• Compose: SEO: The SEO settings for a page. A user should be granted a create access to be able to create a page.
• Page types: A user should be granted an access to create at least a specific page type to be able to create a page.
• Page components: All content types that are part of a page and are created individually for the page.

Known limitations

Below are described the key limitations you might encounter when trying to solve certain governance aspects.

Limiting read access to specific page types

It is not recommended limiting a users read access to a specific page type. The user will still require read access to all "Compose: Page" entries and "Compose: SEO" entries to be able to use the app. The page types the user does not have read access to will be shown in the page list, however they will be displayed without the indication of a page type and the user won't be able to open them in the page editor.

Limiting user access to Compose

It is not possible to restrict user access to Compose only. User permissions are granted for the API, the web app and any other Contentful app.