Quick note: I write these blogs myself, AI only redacts them.
I'm excited to announce that I just released my very first open source Umbraco community package: Advanced Permissions for Umbraco. In this post, I'll explain why I created this package, what it adds to Umbraco's permission system, and when you'd want to use it.
Why This Package Exists
I've been working with Umbraco since version 4, mostly in an agency context working with enterprise clients. That experience shaped what I value: features that matter at scale. Many of our clients have marketing departments with multiple users and multiple user groups—and eventually they reach scenarios where Umbraco's built-in permissions don't quite fit.
I wrote about these scenarios in a GitHub discussion a while back. The current permission system works fine for many use cases. But when your organizational structure gets more complex, you hit some constraints. This package is designed for those situations where you need more granular control.
The Current Permission System (In a Nutshell)
To really understand the benefits of Advanced Permissions, you first need to understand the default Umbraco permission system. Here's how it works:
You assign default permissions to a User Group by toggling a list of verbs: Create, Delete, Cultures and Hostnames, Publish, and so on. Users with that group inherit those permissions.
You can also override these permissions on specific nodes, and those overrides apply to that node and all its descendants. It's straightforward and handles most workflows well.
Where It Reaches Its Limits
Grant Types and Inheritance
In Umbraco, you set default permissions on a User Group, and then you can override those on specific nodes. But here's the catch—when you override permissions on a node, those node-specific permissions completely replace the defaults. There's no inheritance.
So if you want to change just one permission on a node (say, disallow Delete), you have to specify every single permission at that node level. You can't say "inherit everything from the default and only change this one thing." You end up copying all the default permissions to the node level just to tweak one, which is error-prone and a maintenance nightmare.
And because permissions are just toggles—allow (checked) or deny (unchecked)—there's really only "allow" and a sort of implicit "not-allow." There's no way to explicitly deny something. This matters when you have multiple User Groups on a single user: all their permissions just stack up. You can only gain permissions, never restrict them.
Scope
Node permissions always apply to a node and its descendants. You can't set permissions on just the node itself, or just on descendants.
Take an employee directory: an overview page with employee pages underneath. Ideally, you'd want editors to leave the overview page alone but be able to delete individual employee pages as they leave. The current system doesn't support that directly.
Multiple User Groups
When a user has multiple groups, their effective permissions are the combined list of everything allowed across those groups. There's no way to say "this group can do X, but that specific group cannot delete content." You get the union of all their permissions.
What Advanced Permissions Adds
The package introduces three capabilities for when you need more control:
Three Grant Types (Allow, Deny, Inherit)
Instead of just allow/deny, you get:
- Allow: explicitly permit something
- Deny: explicitly forbid something
- Inherit: use whatever the ancestor nodes specify
This means you only need to set the permissions you want to change and let everything else inherit from above. No more duplicating every permission just to tweak one.
Flexible Scopes
Choose where permissions apply:
- Node + Descendants (the standard Umbraco behavior)
- Node Only (children inherit from ancestors above)
- Descendants Only (the node itself isn't affected)
You can combine node-only and descendants-only permissions on the same node to set different rules for a parent and its children.
Smart Permission Resolution
Advanced Permissions includes a resolver that calculates your actual permissions based on priority:
- Explicit deny (takes precedence)
- Explicit allow
- Implicit deny
- Implicit allow
It applies this priority across all of a user's User Groups.
Apply Permissions to Everyone
There's a virtual "All Users" group for permissions that should apply to everyone. Useful for nodes that should never be deleted, for example. It works like any other group from the resolver's perspective.
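To make the priority order, the scopes and the "All Users" group concrete, here is a small model of such a resolver, using the employee directory scenario from earlier in the post. It is an added example, not the package's own code or API. It assumes that "explicit" means an entry set on the node being checked and "implicit" means one reaching it from an ancestor, that the nearest applicable entry speaks for each group, and that group defaults can be modelled as entries on the root node; all type, group and node names are hypothetical.

```csharp
using System;
using System.Collections.Generic;
using System.Linq;

// Constructed sample data; group defaults are modelled as entries on the root node (assumption).
var entries = new List<Entry>
{
    new("Editors", "Content",   "Delete", Grant.Allow, Scope.NodeAndDescendants),
    new("Editors", "Employees", "Delete", Grant.Deny,  Scope.NodeOnly),
    new("Interns", "Content",   "Delete", Grant.Deny,  Scope.NodeAndDescendants),
};
string[] overview = { "Content", "Employees" };
string[] alice    = { "Content", "Employees", "Alice" };

// Overview page: decided by the node-only deny set on the node itself.
Console.WriteLine(Resolver.IsAllowed(entries, new[] { "Editors" }, overview, "Delete"));
// Employee page: the node-only deny does not reach it, so the root allow decides.
Console.WriteLine(Resolver.IsAllowed(entries, new[] { "Editors" }, alice, "Delete"));
// Two groups: an implicit deny from one group outranks an implicit allow from the other.
Console.WriteLine(Resolver.IsAllowed(entries, new[] { "Editors", "Interns" }, alice, "Delete"));

enum Grant { Allow, Deny }   // "Inherit" is modelled as: no entry for that verb on that node
enum Scope { NodeAndDescendants, NodeOnly, DescendantsOnly }
record Entry(string Group, string Node, string Verb, Grant Grant, Scope Scope);

static class Resolver
{
    // Priority order from the post (lower wins): explicit deny, explicit allow, implicit deny, implicit allow.
    static int Rank(bool isExplicit, Grant grant) =>
        (isExplicit ? 0 : 2) + (grant == Grant.Deny ? 0 : 1);

    // path runs from the root to the node being checked.
    public static bool IsAllowed(IReadOnlyList<Entry> entries, string[] groups, string[] path, string verb)
    {
        var winners = new List<(int Rank, Grant Grant)>();
        foreach (var group in groups.Append("All Users"))   // the virtual group applies to every user
        {
            // Assumption: the nearest applicable entry, walking from the target up to the root, speaks for the group.
            for (int i = path.Length - 1; i >= 0; i--)
            {
                bool onTarget = i == path.Length - 1;
                var excluded = onTarget ? Scope.DescendantsOnly : Scope.NodeOnly;
                var hit = entries.FirstOrDefault(e => e.Group == group && e.Node == path[i]
                                                   && e.Verb == verb && e.Scope != excluded);
                if (hit is null) continue;
                winners.Add((Rank(onTarget, hit.Grant), hit.Grant));
                break;
            }
        }
        // Assumption: with no entry anywhere, the action is not allowed.
        return winners.Count > 0 && winners.MinBy(w => w.Rank).Grant == Grant.Allow;
    }
}
```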
The Access Viewer
To understand your actual permissions when things get complex, there's an Access Viewer that shows your effective permissions for any user or group. Click on any permission and see the resolver chain that determined it.
When You'd Use This
You'd reach for Advanced Permissions when your permission requirements get complex—multiple teams with overlapping responsibilities, permissions that need to vary significantly across your content tree, or organizational structures that don't fit neatly into the standard model.
For straightforward scenarios, Umbraco's built-in permissions work great and you probably don't need this. But when you're managing access across a large, complex organization, Advanced Permissions gives you the control you need.
You can find the package on the Umbraco marketplace.




