Joomla 1.7. Access Control List explained

User Groups

User Groups are used to control what your user can do on the website; for instance, create, edit, and delete articles or categories on the website, work with the menu system, configure extensions, and so on.

Joomla 1.5.x

The ACL in Joomla 1.5 is hierarchical, each User Group inherits permissions from the group below it. There are only 4 groups available for Public Front–end users and 3 groups for Public Back–end users. The customization of users' groups wasn't possible if you wanted to create a special group for your customers. Each user can be assigned to only 1 defined User Group.

Assign 1 User Group to a new user

Joomla 1.7.x

The ACL in Joomla 1.7 is not hierarchical; you can build unlimited user–defined groups. A user can be assigned to multiple User Groups with unlimited user–defined Access Levels. User Groups are assigned to Access Levels. Any combination of User Groups can be assigned to any Access Level.

In Joomla 1.7 the User Manager has been extended to 3 sections: Users, User Groups and Viewing Access Levels.

Configure the user's settings with User Manager

Manage user groups easily

As you can see the user can be assigned to several User Groups. Joomla 1.7 allows you to create unlimited User Groups for various needs.

Edit User screenshot

Access Levels

Access Levels control what your user can see on the website. You might restrict the user to see certain categories, articles, menus or components on the website.

Joomla 1.5.x

Access Levels are fixed and restricted to 3 levels: Public, Registered and Special. The Access Level covers all your articles, component, modules and plugins. Each Access Level belongs to a defined User Group.

Choose predefined Access Level for an article

Joomla 1.7.x

In Joomla 1.7 you can build unlimited Access Levels with any combination of User Groups can be assigned to them. These settings are located in the menu item Users of the menu toolbar.

Create, edit or delete an Access Level

Let's say we create a new Access Level and name it "Customer Access Level" with assigned groups Manager, Author and Customer Group. Check the necessary box for each User Group and click "Save".

Assign specific User Groups to the Access Level

After creating a new Access Level you can apply it to any articles or categories on the website. Below is the example of setting up the Access Level for an article.

Choose a pre–customized Access Level for an article

Permissions and Actions

The main purpose of Permissions is allowing or denying access to the functionality of your website. For instance, you can allow a User Group to create and edit content only, but restrict access to the components.

Joomla 1.5.x

Permissions in Joomla 1.5.x has a fixed value and is assigned to defined User Groups. You cannot change or create a new User Groups with preferred permission settings. The permission concept isn't flexible and the customization of user groups is seriously limited.

The permission table of Joomla 1.5

Joomla 1.7.x

Below you can see the screenshot of a typical interface for Permission Settings. The settings include all created User Groups on your website. For each User Group you can set the Actions and Permission Level.

Action and Permission settings

A User Group has 9 Actions:

• Site Login – Allows users in the group to login to the front - end site.
• Admin Login - Allows users in the group to login to the backend administrator site.
• Super Admin – Allows users in the group to perform any action over the whole site regardless of any other permission settings.
• Access Component – Allows users in the group to access all areas on the backend administrator site except Global Configuration.
• Create – Allows users in the group to create any content in any extension.
• Delete - Allows users in the group to delete any content in any extension.
• Edit - Allows users in the group to edit any content in any extension.
• Edit State – Allows users in the group to edit the state of any content in any extension.
• Edit Own – Allows users in the group to edit any content they own in any extension.

The Action has 4 Permissions:

• Not Set – No permission. (Available only in the Public User Group).
• Inherited – The permission from the parent group will be used.
• Denied – No matter what the parent group's setting is, the group being edited cannot take this action.
• Allowed - The group being edited will be able to take this action

The Joomla 1.7 ACL defines 4 permission levels which can override one another. The low permission level uses the permission from parent level.

• Level 1: Global Configuration
• Level 2: Component Options
• Level 3: Category
• Level 4: Article

Global Configuration

Defines the default permission for each user group and actions.

Global Configuration settings

Components

Overrides the default permission for components. For instance, Articles, Menus, Users, Banners and so on.

Components settings

Category

Overrides the permission of Global Configuration and Components. It's available for components with categories including Articles, Contacts, Banners, Newsfeeds, and Weblinks.

Category settings

Article

Overrides the permission of Global Configuration, Components and Category. It's only available for articles in Joomla 1.7 core.

Article settings

With a plain 4-levels structure you can customize permission settings from the smallest object to the biggest one. One thing worth to mentioning here is that with the permission value "inherited" you can configure low-level permissions more effectively and faster.

The conclusion

With the launch of Joomla 1.7 the ACL mechanism added great value to the whole content management system. It gave us more ways to customize the user groups and assign permission for various purposes. Joomla 1.7 ACL is a serious step in the improvement and increased the flexibility of the system. If you have any opinions feel free to share them it out here in the comment box.