Deep dive in Roles and Permissions



In this document , basically we will understand about roles and permissions backend process and  its table structure for LR 6.x, but before going further , first we need to understand what is role and permission in Liferay? Here is brief explanation of Roles and Permission.


What are Roles?


Roles are used to collect permissions that define a particular function within the portal, according to a particular scope. Roles can be granted permissions to various functions for example : page management, content management and portlet management etc. A roles is basically just a collection of permissions that defines a function. It can be of 3 types :

  • Regular role: Permissions are defined at the portal level and are applied at the portal level.
  • Site role: Permissions are defined at the site level and are applied to specific site.
  • Organization role: Permissions are defined at the organization level and are applied to specific organization.


What is Permission?


When a role is assigned to a user, the user receives all the permissions defined by the role. So, to use a role, you need to assign members to it and define the permissions.

For more details on Roles and Permission UI details , you can refer :


Backend Process of Liferay permission system:


Liferay 6.x introduced with a new algorithm called Advanced Permission Algorithm 6, which is based on Bitwise Values, we will discuss it further in this article.

Basically Liferay defines two tables to handle permissions on any resource


       resourceaction: This table is used to hold the actions for all the resource available in portal.

     resourcepermission : This table stored  the permissions using bitwise values, portal uses this value to check  if any resource has  proper permission or not.


Now let's talk about resourceaction table in detail :


To understand the permission system better , We have to first understand resourceaction table. Whenever Liferay server starts,  all the entries available in "resource-actions/default.xml" inserted into  resourceaction default.xml file contains the mapping of all the resource available in portal  and Actions are defined in corresponding resource xml files.

Let's take an example of one of the Model resource i.e. Role (com.liferay.portal.model.Role)

Go to your query browser and execute below command :

select * from resourceaction where name ='com.liferay.portal.model.Role';

After executing above command you will get below screen:



Above command will fetch all the actions corresponding to Role, as you can see from above figure there are total 7 actions are available, Now you must be wondering what's the use of  it and where it comes in our Liferay portal.


Now follow below steps :


  •  Go to Control Panel.
  •  Click on Roles.
  •  Click on action button associated with any of the roles.
  •  Click on Permissions.


After that you will get below screen


Now you must be aware that the actions listed in resourceaction table  for corresponding resource would come in permission tab.


Liferay handles its permission system with bitwise operator i.e. by using  bitwise values.

Let's have look again in resourceaction table where you can see one more column as bitwiseValue . These values are defined for each actions corresponding to resources. Bitwise operations are of the lowest level, and the fastest operations you can perform.



Now let's talk about resourcepermission table in detail :

As we are taking example of Model resource com.liferay.portal.model.Role , so let's continue with it.

Execute below command in query browser

select * from resourcepermission where name='com.liferay.portal.model.Role';



  1.   resourcePermissionId : It's a primary key , which is auto generated.
  2.   companyId : Portal Instance Id.
  3.   name : Name of the resource for which permission needs to be defined. It will either be the numeric ID of a  portlet, or the fully qualified class name of a model.
  4.   scope:  The scope of a permission determines how broadly it applies to resources in the portal, By default Liferay provides 4 different types of resource constants, which is responsible to define the scope of permissions ,these constants are :


Ø  SCOPE_COMPANY: Company scope is the broadest, and grants a user with the role permissions for  every resource of the type within the company, Liferay Uses Integer value "1" to  implement it.

Ø  SCOPE_GROUP : Group scope gives users with the role permissions for every resource within the specified group , Liferay Uses Integer value "2" to implement it;

Ø  SCOPE_GROUP_TEMPLATE : Group-template scope is similar to group scope, except that it does not automatically apply to a specific group. A user must be a member of a group (generally either a site or an organization), and they must have been given the role within that group before they are granted its permissions, Liferay Uses Integer value "3" to implement it.

Ø  SCOPE_INDIVIDUAL : Individual scope only applies to a single resource of the type, Liferay Uses Integer value "4" to implement it.

    5. primKey:  It's very important value to manage permission in Liferay, Its values varies from resource to  resource based on the scope. Its different uses are listed below :

     A)  Company scope :- If the scope of resource is at company level then value of  primKey is the primary key of the company.

    B)  Group scope :- If the scope of resource is at group level then value of  primKey is the primary key of the group for which permission is defined.

    C)  Group-template scope :- If the scope of resource is at group template level then value of  primKey will be 0.

    D)  Individual scope :- If the scope of resource is at Individual level then the value again differs from resource to resource.

  • For Model Instance :  If there is Model Instance  for ex : "Role" then primKey will be the primary key of that instance.

  • For Portlets : If there is Portlet then primKey will contain the primary key of the layout,  followed by "_LAYOUT_" and the portlet ID.

For example: After creating, deploying and adding MyTest portlet into page then the value in primKey column would be




 6.   roleId: The id of the role for which permission is defined.

 7.   actionIds: Its value is very important in permission system because it holds the bitwise values, If there are multiple permissions are defined on same resource them this column holds the sum of bitwiseValue.


Now let's have a look at data stored, while Creating Role:


  • While creating role the entries goes to "role_" and "resourcepermission" table.
  • While defining permissions to role , entries goes to "resourcepermission" table.
  • In "role_" table roleId column acts as a primary key.


For an instance : Suppose I am creating a regular role called "MyRole"

then role name goes to "role_" table , below is the screen shot of the table where the  primary key is roleId which is auto generated in this case its 10702 .


Now let's focus what happens on resourcepermission table , first question is what type of entries it will contain. Now imagine this case and think about the values of column scope, primKey, name. 

let's study it one by one.  

  • Scope: Created role means, its scope would be Individual i.e. 4 
  • PrimKey: As discussed , scope defines the value of primKey column and  here "Role" is Model instance So  primKey would be the primary key of "role_" table ( i.e. roleId )  in this case its 10702
  • Name: Its value would be the Class name of role i.e. com.liferay.portal.model.Role


Now question is what is actionIds ? and why its value is 127?

Logically from any business point of view, If any user creates anything then that user should have all the access to that because that user is the owner of it. In context of Liferay If any user creating any role that user should have access to all the actions associated to it. In this case "com.liferay.portal.model.Role" has following actions : 'ASSIGN_MEMBERS', 'DEFINE_PERMISSIONS', 'DELETE', 'MANAGE_ANNOUNCEMENTS', 'PERMISSIONS', 'UPDATE', 'VIEW', So when role is created all these actions would be accessible to that user , which is defined by Sum of bitWiseValue. For all these actions sum of bitwise value is 127, that's the reason 127 is entered as actionIds in resourcepermission table for owner 10201 (userId of user who created the role).

Now let me move forward and define the permission to this role.

To do that go to Control panel-->Roles-->MyRole-->Define Permissions, click on General Permission and check "Go to Control Panel" and save it. It means user would be able to see the Control Panel Option if assigned to this role.

After saving it , you will see a new entry in resourcepermission table.

Execute below query :

select name,scope,primkey,ownerid,actionIds from resourcepermission where roleId='10702';



While defining permissions to this role a new line entry is created with name as 90, scope as 1 (company scope) , primKey would be company Id and actionIds would be 32768 (It is bitwiseValue for  action : Go to Control Panel , which is defined in resourceaction table) see below


select * from resourceaction where bitwisevalue=32768 and name=90;

Now let me go again on define permission page and check "View" permission.

Then database structure would be

Here everything is same except actionIds. This time actionIds becomes 32769. Now let's  focus why it is 32769? as initially it was 32768. To understand , have a look at below figure :


Above figure shows the bitwiseValue for all the actions corresponding to name =90. So let's do some mathematics here, Add bitwiseValue for action "VIEW_CONTROL_PANEL" and "VIEW" (because these two actions were added while defining permission for role) i.e. 32768 + 1 =32769 (Which is the same  as value of actionIds) . Now you must got that actionIds nothing but the sum of bitwiseValues.

Now let's go again to define permission, This time add "Add to Page" permission.


So according to our understanding Add to page is also at portal level, whose bitwiseValue is 65536, So my actionIds in resourcepermission should be the addition of bitwisevalue of following actions :

ADD_TO_PAGE (65536) +VIEW_CONTROL_PANEL (32768) +VIEW (1)= 98305.


So let's check the same in resourcepermission table.

select name,scope,primkey,ownerid,actionIds from resourcepermission where roleId='10702';


Now let's go to define permission page and click on Users and Organizations and check "Access in Control Panel" permission.



Now according to our understanding we should add the bitwise value of action "Access in Control Panel" but this time it's not. The reason behind this is , Users and Organization comes under portlet-name 125 (see liferay-portlet.xml) , so here a new line entry will be introduced :



For portlet name 125,  bitwiseValue for action "ACCESS_IN_CONTROL_PANEL" is 2.

Same is the case with Sites: Access in Control Panel , In this case name would be 134 and rest of the details are based on the actions.


Thank You!!!!



Hi Mohit,

Thank you for the deep info. This does great help to me!

Amazing have explained it beautifully with examples and screenshots...very good read.
Hi Mohit,

This is blog gives us a very good insight on backend implementation of Roels and permissions in Liferay. It would be great if you could provide answer to two of my questions on this
1. How does Liferay store mapping of roles and Users, roles and User Groups etc.
2. I understand that in RESOURCEPERMISSION table in the column actionids, it stores the sum of bitwise values obtained from the resourceaction for that resource name. In our local system here we have seen that there are many records in resourcepermission table which have actionids=0. What is the significance of actionids=0 and in what scenario does liferay put actionids=0?

Thanks and Regards,
Piyush Singh
Awesome blog post, it really helped in lot of areas with respect role, permissions, layouts etc... Thank you very much for sharing the information.
Can you explain more about what is scope in ResourcePermission table basically the mentioned 4 types ?