Joomla 1.7. Access Control List explained
Since the first version of the Joomla CMS, the permission system has had serious limitations for Joomla! users. The permission system is implemented by the access control list (ACL). With the release of Joomla 1.7 the ACL is much more sophisticated: you can define who has permission to do what on the website, whether that is to log in, or to access, create, edit or delete content. In this article I'll give you a detailed explanation of what the ACL is and how it can help you customize User Groups. To show the value of the new ACL, the article compares Joomla 1.5 and Joomla 1.7 throughout.
An understanding of the ACL includes 3 important concepts: User Groups, Access Level and Permission. Let's take a closer look at the purpose and functionality of each of these.
User Groups are used to control what your user can do on the website; for instance, create, edit, and delete articles or categories on the website, work with the menu system, configure extensions, and so on.
The ACL in Joomla 1.5 is hierarchical: each User Group inherits permissions from the group below it. There are only 4 groups available for Public front-end users and 3 groups for Public back-end users. You cannot customize the groups, so creating a special group for your customers is not possible. Each user can be assigned to only 1 defined User Group.
The ACL in Joomla 1.7 is not hierarchical; you can build unlimited user-defined groups. A user can be assigned to multiple User Groups with unlimited user-defined Access Levels. User Groups are assigned to Access Levels. Any combination of User Groups can be assigned to any Access Level.
In Joomla 1.7 the User Manager has been extended to 3 sections: Users, User Groups and Viewing Access Levels.
As you can see the user can be assigned to several User Groups. Joomla 1.7 allows you to create unlimited User Groups for various needs.
Access Levels control what your user can see on the website. You might restrict the user to see certain categories, articles, menus or components on the website.
In Joomla 1.5, Access Levels are fixed and restricted to 3 levels: Public, Registered and Special. The Access Level covers all your articles, components, modules and plugins. Each Access Level belongs to a defined User Group.
In Joomla 1.7 you can build unlimited Access Levels and assign any combination of User Groups to them. These settings are located in the menu item Users of the menu toolbar.
Let's say we create a new Access Level and name it "Customer Access Level" with assigned groups Manager, Author and Customer Group. Check the necessary box for each User Group and click "Save".
After creating a new Access Level you can apply it to any articles or categories on the website. Below is the example of setting up the Access Level for an article.
Permissions and Actions
The main purpose of Permissions is allowing or denying access to the functionality of your website. For instance, you can allow a User Group to create and edit content only, but restrict access to the components.
Permissions in Joomla 1.5.x have fixed values and are assigned to defined User Groups. You cannot change a group's permissions or create a new User Group with your preferred permission settings. The permission concept isn't flexible and the customization of User Groups is seriously limited.
Below you can see the screenshot of a typical interface for Permission Settings. The settings include all created User Groups on your website. For each User Group you can set the Actions and Permission Level.
A User Group has 9 Actions:
- Site Login – Allows users in the group to log in to the front-end site.
- Admin Login – Allows users in the group to log in to the backend administrator site.
- Super Admin – Allows users in the group to perform any action over the whole site regardless of any other permission settings.
- Access Component – Allows users in the group to access all areas on the backend administrator site except Global Configuration.
- Create – Allows users in the group to create any content in any extension.
- Delete – Allows users in the group to delete any content in any extension.
- Edit – Allows users in the group to edit any content in any extension.
- Edit State – Allows users in the group to edit the state of any content in any extension.
- Edit Own – Allows users in the group to edit any content they own in any extension.
The Action has 4 Permissions:
- Not Set – No permission. (Available only in the Public User Group).
- Inherited – The permission from the parent group will be used.
- Denied – No matter what the parent group's setting is, the group being edited cannot take this action.
- Allowed – The group being edited will be able to take this action.
The Joomla 1.7 ACL defines 4 permission levels, which can override one another. A lower level uses the permission from its parent level.
- Level 1: Global Configuration – Defines the default permission for each user group and actions.
- Level 2: Component Options – Overrides the default permission for components. For instance, Articles, Menus, Users, Banners and so on.
- Level 3: Category – Overrides the permission of Global Configuration and Components. It's available for components with categories including Articles, Contacts, Banners, Newsfeeds, and Weblinks.
- Level 4: Article – Overrides the permission of Global Configuration, Components and Category. It's only available for articles in Joomla 1.7 core.
With a plain 4-level structure you can customize permission settings from the smallest object to the biggest one. One thing worth mentioning here is that the permission value "Inherited" lets you configure low-level permissions more effectively and faster.
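The following added example is a simplified model of how an action resolves across the 4 levels for a user in several groups; it is not Joomla's own code. The group tree and rules are constructed sample data, and the model assumes that Denied is final once it appears anywhere on the path (Joomla's "deny wins" behaviour), so a lower-level Allowed cannot undo it, while Super Admin bypasses every other setting.

```python
# Simplified model of Joomla 1.7 permission resolution (illustrative only).
ALLOWED, DENIED = "Allowed", "Denied"   # "Inherited"/"Not Set" = no entry

# Constructed sample data: group -> parent group (None = top of the tree).
GROUP_PARENT = {
    "Public": None,
    "Registered": "Public",
    "Author": "Registered",
    "Customer Group": "Registered",
    "Super Users": "Public",
}

# Constructed rules for one article, ordered Level 1 -> Level 4.
# Each level maps action -> {group: setting}.
RULES = [
    ("Global Configuration", {"Site Login": {"Registered": ALLOWED},
                              "Edit": {"Author": ALLOWED},
                              "Super Admin": {"Super Users": ALLOWED}}),
    ("Component Options", {}),                       # everything inherited
    ("Category", {"Edit": {"Customer Group": DENIED}}),
    ("Article", {"Edit": {"Customer Group": ALLOWED}}),  # cannot undo the deny
]

def group_chain(group):
    """Return the group followed by all of its parent groups."""
    chain = []
    while group is not None:
        chain.append(group)
        group = GROUP_PARENT[group]
    return chain

def is_allowed(user_groups, action):
    """Resolve one action for a user who may belong to several groups."""
    # Super Admin overrides every other permission setting.
    if action != "Super Admin" and is_allowed(user_groups, "Super Admin"):
        return True
    identities = {g for ug in user_groups for g in group_chain(ug)}
    result = False            # nothing set anywhere means no permission
    for _level, actions in RULES:
        for group, setting in actions.get(action, {}).items():
            if group not in identities:
                continue
            if setting == DENIED:
                return False  # assumption: an explicit deny is final
            result = True     # explicit Allowed at this level
    return result
```

When auditing a site, the cases worth checking are users who sit in more than one group, since a Denied picked up through any one of them removes the action, and any group holding Super Admin, since it ignores all of the above.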
With the launch of Joomla 1.7 the ACL mechanism added great value to the whole content management system. It gave us more ways to customize User Groups and assign permissions for various purposes. The Joomla 1.7 ACL is a serious step forward that increased the flexibility of the system. If you have any opinions, feel free to share them in the comment box.