DEV Community

Cover image for Advanced Permissions for Umbraco: Advanced Control for Complex Scenarios
Luuk Peters
Luuk Peters

Posted on • Edited on

Advanced Permissions for Umbraco: Advanced Control for Complex Scenarios

#umbraco #webdev

Quick note: I write these blogs myself, AI only redacts them.

I'm excited to announce that I just released my very first open source Umbraco community package: Advanced Permissions for Umbraco! In this post, I'll explain why I created this package, what it adds to Umbraco's permission system, and when you'd want to use it.

Why This Package Exists

I've been working with Umbraco since version 4, mostly in an agency context where projects often involve multiple editors, multiple user groups, and more complex content structures. That experience shaped what I value: features that give teams enough control without making day-to-day editing harder.

I wrote about these scenarios in a GitHub discussion a while back. The current permission system works fine for many use cases, but I do think it becomes too limited once projects grow in complexity. In my opinion, this is an area where Umbraco could — and should — offer more flexibility.

For now, this package is my attempt to solve that problem in a practical way. Advanced Permissions for Umbraco is designed for situations where the built-in permission model does not give you enough control.

The Current Permission System (In a Nutshell)

To really understand the benefits of Advanced Permissions, you first need to understand the default Umbraco permission system. Here's how it works:

You assign default permissions to a User Group by toggling a list of verbs: Create, Delete, Cultures and Hostnames, Publish, and so on. Users with that group inherit those permissions.

Umbraco's default permission system

You can also override these permissions on specific nodes, and those overrides apply to that node and all its descendants. It's straightforward and handles most workflows well.

Where It Reaches Its Limits

Grant Types and Inheritance

In Umbraco, you set default permissions on a User Group, and then you can override those on specific nodes. But here's the catch—when you override permissions on a node, those node-specific permissions completely replace the defaults. There's no inheritance.

So if you want to change just one permission on a node (say, disallow Delete), you have to specify every single permission at that node level. You can't say "inherit everything from the default and only change this one thing." You end up copying all the default permissions to the node level just to tweak one, which is error-prone and a maintenance nightmare.

And because permissions are just toggles—allow (checked) or deny (unchecked)—there's really only "allow" and a sort of implicit "not-allow." There's no way to explicitly deny something. This matters when you have multiple User Groups on a single user: all their permissions just stack up. You can only gain permissions, never restrict them.

Scope

Node permissions always apply to a node and its descendants. You can't set permissions on just the node itself, or just on descendants.

Take an employee directory: an overview page with employee pages underneath. Ideally, you'd want editors to leave the overview page alone but be able to delete individual employee pages as they leave. The current system doesn't support that directly.

Multiple User Groups

When a user has multiple groups, their effective permissions are the combined list of everything allowed across those groups. There's no way to say "this group can do X, but that specific group cannot delete content." You get the union of all their permissions.

What Advanced Permissions Adds

The package introduces three capabilities for when you need more control:

Three Grant Types (Allow, Deny, Inherit)

Instead of just allow/deny, you get:

  • Allow: explicitly permit something
  • Deny: explicitly forbid something
  • Inherit: use whatever the ancestor nodes specifies

This means you only need to set the permissions you want to change and let everything else inherit from above. No more duplicating every permission just to tweak one.

Flexible Scopes

Choose where permissions apply:

  • Node + Descendants (the standard Umbraco behavior)
  • Node Only (children inherit from ancestors above)
  • Descendants Only (the node itself isn't affected)

You can combine node-only and descendants-only permissions on the same node to set different rules for a parent and its children.

Smart Permission Resolution

Advanced Permissions includes a resolver that calculates your actual permissions based on priority:

  1. Explicit deny (takes precedence)
  2. Explicit allow
  3. Implicit deny
  4. Implicit allow

It handles multiple User Groups intelligently across all of them.

Apply Permissions to Everyone

There's a virtual "All Users" group for permissions that should apply to everyone. Useful for nodes that should never be deleted, for example. It works like any other group from the resolver's perspective.

The Access Viewer

To understand your actual permissions when things get complex, there's an Access Viewer that shows your effective permissions for any user or group. Click on any permission and see the resolver chain that determined it.

When You'd Use This

You'd reach for Advanced Permissions when the built-in permission model starts to feel too restrictive—multiple teams with overlapping responsibilities, permissions that need to vary significantly across your content tree, or content structures that don't fit neatly into the standard model.

For simple scenarios, Umbraco's built-in permissions may be enough. But when you need more control over how permissions are inherited, combined, allowed, or denied, Advanced Permissions gives you a more flexible model to work with.

You can find the package on the Umbraco marketplace today!

Top comments (0)