All you need to know about Joomla Access Control List - ACL
The Joomla Access Control List - ACL is one of the most powerful features in the Joomla core system. There are many settings in this feature that allow you to manage Joomla’s site more effectively.
Naturally, it raises a huge number of discussions and becomes a challenge for users to understand and be able to manage it on sites.
Thus, we hope that this informative article will give an overview of Joomla ACL to you and others as well as help Joomla's users to fully understand the ACL working process.
Table of content
- What is the Joomla Access Control List?
- Why is Joomla Access Control List important?
- User Groups in Joomla
- Viewing Access Levels in Joomla
- How does ACL work?
- Case study
- Joomla ACL extensions
- Final thoughts
What is the Joomla Access Control List?
Joomla Access Control List (ACL) is a system that allows the administrator to control the user’s roles on sites.
With Joomla ACL, you are able to decide which parts of your site your users can view or take action on, such as edit, publish or delete.
Respectively, Joomla ACL is divided into two completely separate sections with different setups:
- User viewing access levels
- User action permissions
Once you log-in your Joomla site from the backend, you can easily access the Joomla ACL manager.
Why is Joomla Access Control List important?
As we mentioned above, the settings on the Joomla ACL will determine what people can see and do on your Joomla sites.
Let’s assume that you are not the only person managing the Joomla site, and you also can not closely follow each team member’s actions. Joomla ACL will allow you to distribute the team member’s roles on-site specifically or separately to delegate tasks more effectively.
In another case, you have some private information that should be seen by your customers who have registered on your website. ACL will help you divide users into different groups with specific viewing access levels, which means people can only see what you allow them to see on your site.
In summary, the Joomla Access Control List will help webmasters to easily and effectively manage their users on sites.
User Groups in Joomla
Joomla User Groups explanation
Due to a large number of users, Joomla user groups make it simpler for an administrator to manage and allocate permissions on the sites.
By assigning viewing access and permissions to certain groups, you can allow the user in that group to view, access or edit your content and much more through the front end or the back end.
To view ‘User Group Manager’, go to Users -> GroupsThe Joomla 3.x User Manager settings include a set of default groups with child-parent relationships.
One you set permission for the parent group, all child groups will be automatically inherited that permission. For more information on these pre-existing user groups, please read more at User Group Joomla 3.x.
Otherwise, if you wish to create your own User Group, you can go to the next step.
How to create a new User Group
People can come to your Joomla sites from anywhere with a variety of purposes, thus in some cases, you might need to create Joomla custom user groups which differ from default user groups.
Here is a guide for creating a new user group on the Joomla site:
Select New User Group with Group title, Parent (optional) -> Hit SaveWhen returning to the ‘User Manager: User Group’ area, you can see the new User Group that is created underneath the Parent Group that you selected.
Viewing Access Levels in Joomla
Your user groups will be the same until you assign them particular viewing access levels or permissions.
You can create various viewing levels on-site and assign user groups to each level. One group can have multiple viewing access levels.
To access ‘Users: Viewing Access Levels’ screen:
Go to Users -> Access LevelWith each viewing access level, you can see a group or set of groups that are allowed to view certain parts respectively.
How to create a new Viewing Access Level
From ‘Users: Viewing Access Levels’ screen, you can add new Access Levels by clicking New (similar to adding a new User Group) or Edit the default level by clicking to Level Name.
How does Access Control List work?
Assign viewing access levels for a single item
Access levels can be assigned from various areas on your site: menu items, articles, article categories, contacts, and news feeds, to name a few.
Depending on your desired user viewing abilities, you can set up User Groups and Viewing Access Levels options by following these steps:
Step 1: Access single item (content, menu or module)
Step 2: Set up the Access Levels
For illustration purposes, the picture below presents changing the access level for a menu item:
- Open menu item in the back end
- In the Detail tab, select access level in Access option
Control action permission system
In order to take certain actions on your site, you need to have certain permissions. The other option of Access Control List allows customizing action permissions at different levels.
From Joomla 2.5+, the Joomla ACL permission hierarchy is divided into four levels as follows: Global configuration level, Component level, Category level and Article level.
The setup for controlling what users can do is done as follows:
Step 1: Access the Permission tab following one of these above levels
Step 2: Set up permission for user groups.
We will access the ACL permission in a single article as following steps:
- Open the article in the back end
- In the Permission tab, select user group and manage permission setting
To help Joomla’s users gain a better understanding of Joomla ACL, we’ve chosen the following case study to provide the step-by-step guide to set up ACL on sites.
You are a webmaster of the blog sites. You want to create a ‘Reviewer’ user group, who can review and edit the article before official publishing (but will not be allowed to delete content).
As the above requirements, you can customise existing groups in Joomla default setting to ‘Reviewers’. However, you might want to have specific tasks in the future for this group.
So, we suggest creating a new profile for each reviewer and then assigning these users to a new “ Reviewer” group.
Here are two steps that you need to follow:
- Step 1: Create a new user group and a new user (optional)
- Step 2: Assign appropriate Permissions
Step 1: Create a new user group and a new user (optional)
1. Create New User Groups
Go to Users -> Hover Groups -> Add New GroupThe new user group “ Reviewer” has Registered as a parent.Next, when going back to ‘User: Group’ screen we can have the result like the following picture:
2. Create a new user (optional)
Go to Users -> Hover Manage -> Add New UserAfter accessing the ‘User: New’ screen, create a new user for “Reviewer” group by filling in the required information:Don’t forget to assign a new user to ‘Reviewer’ groups by opening the ‘Assigned User Groups’ tab: And here is the result when you go back to the ‘Users’ screen:
Step 2: Assign appropriate Permissions
1. Permissions tabs
For this case study, there are three permissions tabs (levels) that you need to know on the Joomla site before setting up ACL:
1.1 Permissions tab in Global Configuration1.2 Permissions tab in Component: Article 1.3 Permissions tab in single Article The settings in ‘Component: Article permissions’ will be inherited from ‘Global Configuration permissions’.
Similarity, the settings in ‘Article permissions’ will be inherited from ‘Component: Article permissions’.
In summary: Global > Component - Article > Single Article.
Note for Settings in Permissions tab:
Here is some useful information that helps you set up user group permissions in the Permission Tab on sites easier:
- If the selected setting is Inherited or Allowed:
- Low-level user groups will automatically inherit the setting from a higher level.
- Settings in low-level user groups can be manually overridden by settings in the higher level.
- If the selected setting in higher level is Denied, you will be unable to choose new settings for the lower level and it will be shown as Locked.
2. Set up ‘Reviewer’ group permissions
Open the Single Article -> Permissions tab:Select ‘Reviewer Group’ - the Joomla default setting shows you three actions with Not Allowed (Inherited) settings. That means all actions are that are ‘Not Allowed’ have been inherited from a higher level.
Then, you need to change the Edit setting to Allowed, other settings need to be kept as default to make sure the Reviewer group will only participate in assigned actions.
When you finish, don't forget to save your work.
Now, the new Reviewer group will be able to review and edit that article before other groups publish it.
With Joomla 4, the ACL system has integrated Publishing Workflow feature, which is an amazing tool to give webmasters more control and flexibility on their site.
Joomla ACL extensions
As beginners don’t have any experience with Joomla ACL system, it can be quite confusing due to the dozens of permission screens, nested groups, and inherited permissions.
In most cases, you won’t need anything beyond the Joomla ACL manager default settings. The exception is if you want to build a very large site which includes a great number of user groups with advantaged custom permissions.
Joomla ACL extensions come in handy to support both cases.
This extension is a powerful tool for Joomla users to get a great overview of all Joomla ACL settings. It helps you to quickly understand the concept and guide you to set up Joomla ACL permissions.
With Joomla PWT ACL, you also can set the basic ACL permission for any component, even 3rd party components, which is not supported by default Joomla ACL.
This extension works well with Joomla 3+ ACL manager.
2. Mijo ACL
Mijo ACL is an advanced Access Control List component that allows you to manage all Joomla permissions from one page, including 3rd party components.
This component provides an easy-to-use interface, so you will easily create custom permissions and manage multiple Joomla user groups.
With two different setting systems, Joomla Access Control List can be used to assign which part of the site people can access and take action on.
It’s a great tool that can help you to better manage your site and site settings.