TYPO3 User Management | Blue Frog Docs

Govern TYPO3 roles, SSO mappings, and user access.

User Management

TYPO3 projects succeed when access is predictable, documented, and audited. Use this guide to show teams how people enter the platform, how their permissions evolve, and how to close access cleanly when work is done.

How TYPO3 structures people and access

  • Identify the primary container (site, workspace, store, or tenant) the user belongs to and confirm whether invites must start at an organization level or per-site level.
  • Separate roles that influence global settings, billing, and domain management from those that are scoped to content editing or storefront operations.
  • Track which functions rely on service accounts or API tokens versus interactive logins so ownership and rotation responsibilities are clear.

Add or invite users

  1. Capture the requester, justification, and the exact TYPO3 scope they need (which sites/stores, and whether they can publish or only stage changes).
  2. Choose the smallest role that works and confirm whether the user needs billing visibility, developer tools, or limited editor-only rights.
  3. Send the invitation from the platform's user/permissions area, assigning the user to the right group, team, or role and enforcing SSO + MFA before first login.
  4. Assign ownership of pages, collections, automations, or integrations they must manage, and document any content freeze or approval steps that apply.
  5. Record the invite in the access ticket with date, approver, scope granted, and review date; attach screenshots or exports as evidence.

Update roles and scopes

  • Note the reason (promotion, project escalation, contractor scope change) and time-box elevated roles with a review date.
  • Expand or reduce scopes deliberately: list the sites, stores, or environments they may publish to versus those restricted to draft/staging.
  • Retest dependent automations, tags, or integrations after permission changes to confirm that tracking and operations still work.
  • Communicate new responsibilities (content approvals, change windows, billing oversight) that come with the updated role.

Remove or offboard users

  1. Suspend or deprovision interactive access first (SSO/SCIM or platform suspension), then revoke API keys, personal tokens, and webhook secrets tied to the user.
  2. Transfer ownership of sites, templates, assets, and integrations to an active owner; reassign scheduled posts or campaigns.
  3. Remove the account from every scope (org, site, store, sandbox) and verify seat removal to prevent lingering access or billing drift.
  4. Export user and role lists after removal and attach them to the ticket with notes on the asset reassignments and key rotations performed.

Role catalogue for TYPO3

  • Platform Owner / Super Admin: Governs global configuration, domains, security controls, and billing. Requires enforced SSO + MFA.
  • Administrator / Site or Workspace Manager: Manages day-to-day configuration, invites, publishing workflows, and integrations within assigned scopes.
  • Content Editor / Publisher: Creates and updates pages, posts, products, or media. Publishing rights may be limited to staging or production based on governance.
  • Developer / Integrations: Handles templates, theme or code changes, API credentials, and automation connections. Define which environments they may deploy to.
  • Marketing / Analytics: Manages tags, experiments, campaign parameters, and reporting with minimal configuration or billing reach.
  • Billing / Finance: Reviews invoices, payment methods, and plan changes; separated from editorial or developer permissions.
  • Support / Service: Works with forms, orders, tickets, or CRM data with restricted design and billing access; time-box vendor roles.

Governance and evidence

  • Enforce SSO + MFA for privileged roles; enable SCIM where available to automate joins and leaves.
  • Run scheduled access reviews with business owners, capturing approvals and any removals or scope reductions.
  • Store API credentials and backup codes in a secrets manager, not personal vaults; rotate them when owners change or quarterly at minimum.
  • Maintain a ledger of who can publish to production, who controls billing, and who owns key integrations to speed up incident response.

Platform-specific notes to capture

  • Document where invites, roles, and billing contacts are managed inside TYPO3 (settings path, required permissions, and any seat constraints).
  • Note limits on editors, collaborators, or admin seats so teams can plan ahead for campaigns or vendor onboardings.
  • Record data residency, logging, or audit export options so compliance teams know how to gather evidence quickly.