This section describes features that are coming in 3.3.

Access Control Policy documents are JSON documents that live at the Platform level. They provide a recipe that describes the access control that should be granted to any policy holder that is assigned the policy. Users may be assigned the policy directly, via a group or via a Team.

Policy Document

The Access Control Policy document provides a series of Statements that declare truths about what authority rights the policy holder should have over resources in the system.

Each Statement must define the following:

  • action - either grant or revoke
  • roles - an array of roles that are either granted or revoked
  • conditions - an array of conditions that must be met in order for the statement to apply

Here is a sample Access Control Policy document that has a single statement. This statement grants the manager role to any content nodes that are within the /products folder. It uses a regular expression to have this statement apply to the /products folder as well as all sub-folders.

    "title": "Product Manager",
    "statements": [{
        "action": "grant",
        "roles": ["manager"],
        "conditions": [{
            "type": "path-matches",
            "config": {
                "path": "^/products.*"

Note that the Access Control Policy above has the name Product Manager. This makes sense because we're granting the Manager role to everything that falls under the /products folder in our taxonomy. There may be additional rights that we want to confer upon a Product Manager and we could add those to this policy. This policy could then be assigned to all users who we want to act as Product Managers within the system.

You can create as many Access Control Policies as you would like.


Cloud CMS provides a large number of conditions that you can use to make your Access Control Policies both powerful and interesting.


Access Control Policies can be assigned to Users, Groups or Teams.