In MODX, access policies are sets of permissions that can be assigned to a user group. There are a number of different access policies that come with MODX but the ones we want to look at here are the Administrator policy and the Content Editor policy. These are the default policies for users who can use the manager.
The Administrator is pretty much all-powerful so you would only assign that policy to user groups who you trust absolutely to not damage your site. The Content Editor policy is pretty limiting. Content editors can create new resources but not in the root of the site and they can't publish resources.
If you are like our team you will probably want an access policy that is somewhere in the middle. We let our publishers create resources wherever they like and also publish, un-publish, delete, or move them. We also let the publishers upload and manage files. We don't allow them any access to elements (templates, template variables, chunks, snippets, or plugins) or to create or manage other users. It's also not all about limiting our publishers; we want to give them access to everything they need without overwhelming them with the parts of MODX that they don't need.
There are two steps to setting up a user role like this. The first step is creating an access policy for the role. The second step is creating a user group and assigning the policy to it.
Find out how to edit, duplicate, and create access policies in the official MODX documentation. Duplicate one of the access policies that comes with MODX, rather than editing one of the defaults; according to Bob Ray's detailed post on MODX Revolution Permissions:
Always remember that you should never modify the standard Policies or Policy Templates provided in the basic MODX install. If, for example, you modify the standard Administrator Policy to uncheck some permissions, you will be taking those permissions away from the Admin super user. If you remove Permissions from the standard Administrator Policy Template, you will also be taking away those Permissions from the Admin super user. That goes for the other standard Policies and Policy Templates as well. Always duplicate Policies or Policy Templates and alter the duplicates.
We started with a duplicate of the Content Editor policy and added some permissions so that the publishers can publish resources and create new documents in the root of the site and some other things like uploading files. You could start with the Administrator policy and take permissions away.
All of the permissions that come with the administrator policy are also listed in the documentation with brief – very brief – descriptions. You are going to need to use your judgement as to what permissions to bestow upon your users but the permissions we give to our publishers are all the permissions of a content editor plus "publish_document", since they are publishers, and you might also like:
The next step is to create a user group, or edit one you already created, to use the new access policy. This is the official documentation about user groups in MODX but here are some quick instructions to create a user group and a user to go with it:
Next, you'll probably want to create a test user in the user group you just created so that they have the access you expect. Here's a quick list of steps:
You'll probably have different specific needs for your MODX manager users but hopefully, this gives an idea about the flexibility that is available for MODX user groups.