Skip to main content

Permissions (ACL)

Defined in etc/acl.xml. Grant via System → Permissions → User Roles → [role] → Role Resources.

Resource tree

Magento_Backend::admin
└── Byte8_Core::byte8 (parent menu)
└── Byte8_SeoSuite::base (parent menu — visibility of "Marketing → SEO Suite")
├── Byte8_SeoSuite::url_relationship_manage
├── Byte8_SeoSuite::meta_suggestion_manage
├── Byte8_SeoSuite::hreflang_health
├── Byte8_SeoSuite::index_budget
└── Byte8_SeoSuite::oos_tracking

Magento_Backend::stores
└── Magento_Backend::stores_settings
└── Magento_Config::config
└── Byte8_SeoSuite::seosuite_conf (Stores → Configuration → SEO Suite section)

Resource reference

ResourceTitleControls
Byte8_SeoSuite::baseByte8 SEO Suite (parent)Visibility of the Marketing → SEO Suite menu group + the dashboard widget
Byte8_SeoSuite::url_relationship_manageManage URL RelationshipURL Relationship grid + edit/delete actions
Byte8_SeoSuite::meta_suggestion_manageManage AI Meta SuggestionsAI Meta Suggestions grid + per-row actions, in-context button on product/category/CMS forms
Byte8_SeoSuite::hreflang_healthManage Hreflang HealthHreflang Health grid + Run Scan, Auto-Match, Mass-Dismiss
Byte8_SeoSuite::index_budgetManage Index Budget AuditIndex Budget grid + Run Audit, Apply Fix, Generate AI Meta, Mass-Dismiss
Byte8_SeoSuite::oos_trackingManage Out-of-Stock TrackingOOS Tracking grid + Run Now, mass override / delete
Byte8_SeoSuite::seosuite_confSeoSuite ConfigAll SEO Suite system configuration

Common role configurations

SEO Manager (full access)

Grant:

  • Byte8_SeoSuite::base (and all children)
  • Byte8_SeoSuite::seosuite_conf

Catalog Editor (review AI suggestions, no config access)

Grant:

  • Byte8_SeoSuite::base
  • Byte8_SeoSuite::meta_suggestion_manage
  • (and existing catalog edit resources)

This gives them the AI Meta Suggestions grid + the in-context Generate with AI button on product/category/CMS forms, but no access to flip API keys, change templates, or run audits.

SEO Auditor (read + run audits, no apply)

Magento ACL doesn't natively distinguish read from write at the resource level — the same resource controls both. For a true read-only role, the cleanest path is to grant the resource and instruct the team not to use the per-row Apply Fix actions, OR fork the controllers into a paid extension layer.

A future v2.9 may split each grid's resource into view vs manage sub-resources for finer control.

CI / DevOps (CLI only)

CLI commands run as the system user, not via ACL. As long as the deployment user can execute bin/magento, they can run all six SEO Suite commands without admin role configuration.

Inheritance

Magento ACL inherits — granting the parent (Byte8_SeoSuite::base) automatically grants all children unless they're explicitly unchecked. For most roles this is what you want.

After installation

The default admin role (Administrators) gets all resources via the universal grant. New custom roles get nothing — explicitly tick what they need.

Frontend ACL

There is no frontend ACL — the storefront is anonymous, and all storefront features (canonical, hreflang, OG, JSON-LD, layered-nav noindex, meta templates) render based on store-level config. The ACL resources here are admin-side only.

GraphQL ACL

GraphQL queries against seo: SeoMetadata are anonymous by default — same as Magento's standard product/category queries. No ACL is enforced. If you need authenticated GraphQL, layer it via Magento's standard auth_required directive in your storefront's GraphQL setup.