Access Rights and Content Security
The problem: editors who can change everything
Section titled “The problem: editors who can change everything”A content tree with hundreds of pages and a team of twenty editors is a recipe for accidental changes. Without granular permissions, a blog editor can accidentally modify the homepage. A regional contributor can overwrite content owned by another market. Worse, sensitive pages like legal disclaimers or pricing tables sit exposed to anyone with edit access.
Optimizely CMS addresses this with an access rights model that controls permissions at every level of the content tree. You decide exactly who can read, create, edit, publish, and delete content — and where.
How access rights work
Section titled “How access rights work”The permission levels
Section titled “The permission levels”Optimizely CMS defines five distinct permission levels. Each builds on the previous:
| Permission | What it grants |
|---|---|
| Read | View the content item in the editor |
| Create | Add child content items below this item |
| Edit | Modify the content item’s properties |
| Publish | Move content from draft to published state |
| Delete | Remove the content item |
| Administer | Change access rights on the content item |
You assign these permissions to roles, individual users, or the special “Everyone” principal.
Inheritance: permissions flow downward
Section titled “Inheritance: permissions flow downward”Access rights in Optimizely CMS follow an inheritance model. Permissions set on a parent page apply to all its children automatically. This means you can set access rights at a high level in the tree and have them cascade down without configuring each page individually.
For example, if you grant the “Blog Editors” role Edit and Publish rights on the /blog page, every page underneath /blog inherits those permissions. New pages created under /blog also inherit them automatically.
Breaking inheritance
Section titled “Breaking inheritance”Sometimes a child page needs different permissions than its parent. You break inheritance by setting explicit access rights on a specific content item. When you do this, the item stops inheriting from its parent and uses only its own permissions.
Be careful with inheritance breaks. Each break creates a maintenance point. If you break inheritance on fifty pages, you have fifty places to audit when roles change. Keep breaks to a minimum and apply them at section boundaries.
Role-based vs content-based permissions
Section titled “Role-based vs content-based permissions”Optimizely CMS supports two complementary permission strategies:
Role-based permissions
Section titled “Role-based permissions”Assign broad capabilities through CMS roles. A user with the CmsEditors role can edit content wherever they have access. This approach works well for small teams where everyone edits everything.
Content-based permissions
Section titled “Content-based permissions”Restrict access at specific points in the content tree. A user might have the CmsEditors role but only have Edit rights on the /products subtree. This approach works for larger organizations with content ownership boundaries.
The most effective setups combine both. Roles define what a user can do in general. Content-tree permissions define where they can do it.
Common access patterns
Section titled “Common access patterns”Pattern 1: Departmental ownership
Section titled “Pattern 1: Departmental ownership”Set up your content tree with top-level sections per department. Assign each department’s editors Edit and Publish rights on their section. Break inheritance at the section level.
Root /marketing -> Marketing Editors (Read, Create, Edit, Publish) /products -> Product Team (Read, Create, Edit, Publish) /support -> Support Team (Read, Create, Edit, Publish) /legal -> Legal Team only (Read, Create, Edit, Publish)All other roles get Read-only access to sections they do not own.
Pattern 2: Approval workflow
Section titled “Pattern 2: Approval workflow”Give contributors Edit rights but not Publish rights. Give senior editors both Edit and Publish rights. This creates a natural approval flow — contributors draft content, and senior editors review and publish.
Pattern 3: Protected pages
Section titled “Pattern 3: Protected pages”Some pages should rarely change — the homepage, legal pages, or navigation structures. Grant Edit access on these pages only to a small “Core Editors” group. Everyone else gets Read access.
Pattern 4: Multi-market isolation
Section titled “Pattern 4: Multi-market isolation”For organizations serving multiple markets, create market-specific subtrees. Grant each market’s team full editing rights on their subtree and Read-only access to other markets. Shared assets live in a common area with broader access.
SaaS vs PaaS differences
Section titled “SaaS vs PaaS differences”Auditing and troubleshooting
Section titled “Auditing and troubleshooting”When a user reports they cannot access content, check these things in order:
- Does the user have a CMS role? Without a role, they have no CMS permissions at all.
- Does the role have rights on that content node? Check the access rights on the specific page and its ancestors.
- Is inheritance broken? A broken inheritance somewhere up the tree may exclude the user’s role.
- Are explicit denials in place? An explicit “no access” overrides inherited permissions.
Review access rights periodically, especially after team changes. An annual audit prevents permission drift — the gradual accumulation of unnecessary access over time.
1. Your organization has 50 editors across five departments. Each department should only edit their own section of the site. You need to minimize ongoing maintenance. Which access pattern is most appropriate?
Breaking inheritance at section boundaries (e.g., /marketing, /products) and assigning department-specific roles at those points provides clean ownership boundaries with minimal maintenance points.
Breaking inheritance at section boundaries (e.g., /marketing, /products) and assigning department-specific roles at those points provides clean ownership boundaries with minimal maintenance points.
Review this topic →2. An editor reports they cannot edit a page under /blog/announcements, even though the Blog Editors role has Edit rights on /blog. What should you check first after confirming the user has the Blog Editors role?
When a user has the correct role and the role has rights on a parent node, the most likely cause is a broken inheritance on a child node that excludes their role. Each inheritance break creates an independent permission set.
When a user has the correct role and the role has rights on a parent node, the most likely cause is a broken inheritance on a child node that excludes their role. Each inheritance break creates an independent permission set.
Review this topic →3. You want contributors to draft content but require senior editors to approve and publish it. Which permission setup creates this workflow?
Separating Edit from Publish permissions creates a natural approval workflow: contributors can draft and save content, but only senior editors with Publish rights can make it live.
Separating Edit from Publish permissions creates a natural approval workflow: contributors can draft and save content, but only senior editors with Publish rights can make it live.
Review this topic →