Permissions Terminology and Glossary

Now that you have some concept of how the permissions request flow works, let's delve into the common terminology.


Permissions Checker

The Permissions Checker is the global "Permissions" object in the root namespace. This is the starting point for every Permissions request.

Permission Object

A permission object is the subject of a Permissions request. In a typical request, this will be the particular Page or File object that you wish to test permissions against.


Permission Category

A permission category is a way to group permissions that all work with the same type of object. For example, the following permissions are all used against pages:

  • view_page
  • edit_page_contents
  • edit_page_properties

These are all different permissions, but since they all work with the Concrete\Core\Page\Page object, they all fall within the "Page" permission category.


Permission Key

A permission key is a single permission in Concrete CMS. A permission key can either use the general functionality of its category to check whether it is valid, or implement custom functionality used by it and only it, for maximum flexibility.


Permission Assignment

The assignment of a key to a particular permission object and a particular Access object is called its permission Assignment.


Permission Access

A permission Access contains one or more List Item objects.

Access List Items

An Access List Item is responsible for keeping track of included or excluded Access Entities, along with the optional duration information (for permissions that are only in effect at certain times).

Access Entities

An access entity is a user, group or other entity meant to represent a class of users attached to an Access List Item. Permission Access List Items aren't assigned Users or Groups directly; they are assigned access entities. This opens the door to greater complexity and power when working with permissions. For example, here are some of the access entities available to various Concrete permissions:

  • Group
  • User
  • Group Set
  • Combination Group (User must be in Group A AND Group B)
  • File Uploader
  • Page Owner
  • Workflow Starter

Permission Duration

If an access entity is either included or explicitly excluded from a particular permission, this list item may also contain an optional Duration object, which determines when the affected permission is meant to take effect (e.g. User "aembler" can edit the page only Monday-Friday, 9:00 AM - 5:00 PM).
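
To show how the terms above fit together, here is a simplified Python model of the object graph. It is an added example, not Concrete CMS's PHP code or API. The class names, the `/blog` page, the group names, and the rule that a matching exclusion overrides inclusions are assumptions made for illustration.

```python
from dataclasses import dataclass
from datetime import datetime, time
from typing import Callable, Optional

# Access entities, modelled as predicates over a user dict
# {"name": str, "groups": set} (a constructed shape, not Concrete's User object).
def user(name): return lambda u: u["name"] == name
def group(name): return lambda u: name in u["groups"]
def combination_group(*names): return lambda u: set(names) <= u["groups"]

@dataclass
class Duration:
    weekdays: frozenset  # 0 = Monday ... 6 = Sunday
    start: time
    end: time
    def active(self, when: datetime) -> bool:
        return when.weekday() in self.weekdays and self.start <= when.time() < self.end

@dataclass
class AccessListItem:
    entity: Callable[[dict], bool]
    include: bool = True
    duration: Optional[Duration] = None
    def applies(self, u: dict, when: datetime) -> bool:
        return self.entity(u) and (self.duration is None or self.duration.active(when))

@dataclass
class Access:
    items: list
    def validate(self, u: dict, when: datetime) -> bool:
        hits = [i for i in self.items if i.applies(u, when)]
        # Assumption: no matching item means deny, and a matching exclusion wins.
        return bool(hits) and all(i.include for i in hits)

class Checker:
    """Resolves (permission object, permission key) to its assigned Access."""
    def __init__(self, assignments: dict, obj: str):
        self.assignments, self.obj = assignments, obj
    def can(self, key: str, u: dict, when: datetime) -> bool:
        access = self.assignments.get((self.obj, key))
        return access is not None and access.validate(u, when)

# Constructed sample data: one page, one key, three list items.
OFFICE_HOURS = Duration(frozenset(range(5)), time(9, 0), time(17, 0))
ASSIGNMENTS = {("/blog", "edit_page_contents"): Access([
    AccessListItem(user("aembler"), duration=OFFICE_HOURS),
    AccessListItem(combination_group("Editors", "Staff")),
    AccessListItem(group("Contractors"), include=False),
])}
blog = Checker(ASSIGNMENTS, "/blog")
```

Because the time-limited item simply stops applying outside its Duration, a user who matches no other item falls back to deny in this model.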