Access Control

eZ publish comes with an inbuilt permissions system that is similar to the users & groups systems that you find in a standard operation system. The flexibility and depth of the access control system means you have a great deal of control over who does what within the system, both on the front end eg. for members accessing the site, and for providing different levels of administration, eg. people that can add content to the entire site or just one section.

Like a normal user/group system, permissions are set and associated with a particular group, users and then assigned to a group and inherit those permissions. The control of permissions can be quite fine grained, but boil down to read, create, edit & delete.

The access control system in eZ publish uses the following elements.

  • Users

  • User groups

  • Policies

  • Roles

A user is a valid user in the system. A user group consists of users and can contain other user groups A policy is a rule that provides access to content or functionality. A role is a collection of policies. A role can be assigned directly to users or to user groups.


A user is a special type of content object that contains information about the user and is associated with at least one group.

The default ”User” class allows the storage of the following elements:

  • First name

  • Last Name

  • Email

  • Username

  • Password

The last three elements are provided by the ”User account” datatype

User Account Datatype

The user account datatype is a special datatype that has special functionality within eZ publish. Any content classes that includes the user account datatype will be considered valid users within the system.

When a user is created, it is enabled by default, however you can disable the account via the administration interface. The account will still be in the system but the user won’t be able to log-in. This is particularly useful for editors that have worked on the site but have left the business – by disabling the account, all information regarding their activity is still in the system but that person no longer has access.

User Details

Like any content object, a user has a unique ID which is the same ID as the object.

This ID is used internally by eZ publish and other objects within the system. For instance, an content object created will contain the ID of the user that initially created the object.

This is why you shouldn’t remove any users from the system, if you were to do so, then the details of the original user who created the object would be lost. It’s much better to simply disable the account.