Permissions (ACL)
Defined in etc/acl.xml. Grant via System → Permissions → User Roles → [role] → Role Resources.
Resource tree
Magento_Backend::admin
└── Byte8_Core::byte8 (parent menu)
└── Byte8_SeoSuite::base (parent menu — visibility of "Marketing → SEO Suite")
├── Byte8_SeoSuite::url_relationship_manage
├── Byte8_SeoSuite::meta_suggestion_manage
├── Byte8_SeoSuite::hreflang_health
├── Byte8_SeoSuite::index_budget
└── Byte8_SeoSuite::oos_tracking
Magento_Backend::stores
└── Magento_Backend::stores_settings
└── Magento_Config::config
└── Byte8_SeoSuite::seosuite_conf (Stores → Configuration → SEO Suite section)
Resource reference
| Resource | Title | Controls |
|---|---|---|
Byte8_SeoSuite::base | Byte8 SEO Suite (parent) | Visibility of the Marketing → SEO Suite menu group + the dashboard widget |
Byte8_SeoSuite::url_relationship_manage | Manage URL Relationship | URL Relationship grid + edit/delete actions |
Byte8_SeoSuite::meta_suggestion_manage | Manage AI Meta Suggestions | AI Meta Suggestions grid + per-row actions, in-context button on product/category/CMS forms |
Byte8_SeoSuite::hreflang_health | Manage Hreflang Health | Hreflang Health grid + Run Scan, Auto-Match, Mass-Dismiss |
Byte8_SeoSuite::index_budget | Manage Index Budget Audit | Index Budget grid + Run Audit, Apply Fix, Generate AI Meta, Mass-Dismiss |
Byte8_SeoSuite::oos_tracking | Manage Out-of-Stock Tracking | OOS Tracking grid + Run Now, mass override / delete |
Byte8_SeoSuite::seosuite_conf | SeoSuite Config | All SEO Suite system configuration |
Common role configurations
SEO Manager (full access)
Grant:
Byte8_SeoSuite::base(and all children)Byte8_SeoSuite::seosuite_conf
Catalog Editor (review AI suggestions, no config access)
Grant:
Byte8_SeoSuite::baseByte8_SeoSuite::meta_suggestion_manage- (and existing catalog edit resources)
This gives them the AI Meta Suggestions grid + the in-context Generate with AI button on product/category/CMS forms, but no access to flip API keys, change templates, or run audits.
SEO Auditor (read + run audits, no apply)
Magento ACL doesn't natively distinguish read from write at the resource level — the same resource controls both. For a true read-only role, the cleanest path is to grant the resource and instruct the team not to use the per-row Apply Fix actions, OR fork the controllers into a paid extension layer.
A future v2.9 may split each grid's resource into view vs manage sub-resources for finer control.
CI / DevOps (CLI only)
CLI commands run as the system user, not via ACL. As long as the deployment user can execute bin/magento, they can run all six SEO Suite commands without admin role configuration.
Inheritance
Magento ACL inherits — granting the parent (Byte8_SeoSuite::base) automatically grants all children unless they're explicitly unchecked. For most roles this is what you want.
After installation
The default admin role (Administrators) gets all resources via the universal grant. New custom roles get nothing — explicitly tick what they need.
Frontend ACL
There is no frontend ACL — the storefront is anonymous, and all storefront features (canonical, hreflang, OG, JSON-LD, layered-nav noindex, meta templates) render based on store-level config. The ACL resources here are admin-side only.
GraphQL ACL
GraphQL queries against seo: SeoMetadata are anonymous by default — same as Magento's standard product/category queries. No ACL is enforced. If you need authenticated GraphQL, layer it via Magento's standard auth_required directive in your storefront's GraphQL setup.