All you need to know about Joomla Access Control List - ACL

The Joomla Access Control List (ACL) is one of the most powerful features in the Joomla core system. Its many settings allow you to manage a Joomla site more effectively.

Naturally, it generates a great deal of discussion, and users often find it a challenge to understand and manage on their sites.

We hope this article gives you an overview of Joomla ACL and helps Joomla users fully understand how the ACL works.

What is the Joomla Access Control List?

Joomla Access Control List (ACL) is a system that allows the administrator to control the user’s roles on sites. 

With Joomla ACL, you are able to decide which parts of your site your users can view or take action on, such as edit, publish or delete. 

Accordingly, Joomla ACL is divided into two completely separate sections with different setups:

  1. User viewing access levels
  2. User action permissions 

Once you log in to the back end of your Joomla site, you can easily access the Joomla ACL manager.

Why is Joomla Access Control List important?

As we mentioned above, the settings on the Joomla ACL will determine what people can see and do on your Joomla sites. 

Let’s assume that you are not the only person managing the Joomla site, and that you cannot closely follow each team member’s actions. Joomla ACL allows you to assign each team member a specific, separate role on the site so that you can delegate tasks more effectively.

In another case, you have some private information that should be seen by your customers who have registered on your website. ACL will help you divide users into different groups with specific viewing access levels, which means people can only see what you allow them to see on your site.

In summary, the Joomla Access Control List will help webmasters to easily and effectively manage their users on sites.

User Groups in Joomla

Joomla User Groups explanation

When a site has a large number of users, Joomla user groups make it simpler for an administrator to manage and allocate permissions.

By assigning viewing access and permissions to certain groups, you can allow the user in that group to view, access or edit your content and much more through the front end or the back end.

To view ‘User Group Manager’, go to Users -> Groups.

The Joomla 3.x User Manager settings include a set of default groups with child-parent relationships.

Once you set a permission for the parent group, all child groups automatically inherit that permission. For more information on these pre-existing user groups, please read more at User Group Joomla 3.x.

Otherwise, if you wish to create your own User Group, you can go to the next step. 

How to create a new User Group

People can come to your Joomla sites from anywhere with a variety of purposes, thus in some cases, you might need to create Joomla custom user groups which differ from default user groups. 

Here is a guide for creating a new user group on the Joomla site:

Select New User Group with Group title, Parent (optional) -> Hit Save.

When returning to the ‘User Manager: User Group’ area, you can see the new User Group that is created underneath the Parent Group that you selected.

Viewing Access Levels in Joomla

Your user groups will be the same until you assign them particular viewing access levels or permissions. 

You can create various viewing levels on-site and assign user groups to each level. One group can have multiple viewing access levels. 

To access ‘Users: Viewing Access Levels’ screen:

Go to Users -> Access Level.

With each viewing access level, you can see a group or set of groups that are allowed to view certain parts respectively.

How to create a new Viewing Access Level

From the ‘Users: Viewing Access Levels’ screen, you can add new Access Levels by clicking New (similar to adding a new User Group) or edit a default level by clicking its Level Name.

How does Access Control List work? 

Assign viewing access levels for a single item

Access levels can be assigned from various areas on your site: menu items, articles, article categories, contacts, and news feeds, to name a few. 

Depending on your desired user viewing abilities, you can set up User Groups and Viewing Access Levels options by following these steps:

Step 1: Access single item (content, menu or module) 

Step 2: Set up the Access Levels

For illustration purposes, the steps below change the access level for a menu item:

  1. Open menu item in the back end
  2. In the Detail tab, select access level in Access option

Control action permission system

In order to take certain actions on your site, you need to have certain permissions. The other part of the Access Control List allows you to customize action permissions at different levels.

From Joomla 2.5+, the Joomla ACL permission hierarchy is divided into four levels as follows: Global configuration level, Component level, Category level and Article level.

The setup for controlling what users can do is done as follows:

Step 1: Access the Permission tab at one of the levels above

Step 2: Set up permission for user groups. 

To access the ACL permissions of a single article, follow these steps:

  1. Open the article in the back end
  2. In the Permission tab, select user group and manage permission setting

Case study

To help Joomla users gain a better understanding of Joomla ACL, we’ve chosen the following case study as a step-by-step guide to setting up ACL on a site.

Case study

You are the webmaster of a blog site. You want to create a ‘Reviewer’ user group, whose members can review and edit an article before official publishing (but will not be allowed to delete content).

Problem-solving

Given the above requirements, you could customise one of the existing groups in the Joomla default settings to act as ‘Reviewers’. However, you might want to have specific tasks in the future for this group.

So, we suggest creating a new profile for each reviewer and then assigning these users to a new “Reviewer” group.

Here are two steps that you need to follow: 

  • Step 1: Create a new user group and a new user (optional)
  • Step 2: Assign appropriate Permissions

Step 1: Create a new user group and a new user (optional)

1. Create New User Groups

Go to Users -> Hover Groups -> Add New Group.

The new user group “Reviewer” has Registered as a parent.

Next, when going back to the ‘User: Group’ screen, the new group appears in the user group list.

2. Create a new user (optional)

Go to Users -> Hover Manage -> Add New User.

After accessing the ‘User: New’ screen, create a new user for the “Reviewer” group by filling in the required information.

Don’t forget to assign the new user to the ‘Reviewer’ group by opening the ‘Assigned User Groups’ tab.

When you go back to the ‘Users’ screen, the new user appears in the list.

Step 2: Assign appropriate Permissions

1. Permissions tabs

For this case study, there are three permissions tabs (levels) that you need to know on the Joomla site before setting up ACL: 

1.1 Permissions tab in Global Configuration

1.2 Permissions tab in Component: Article

1.3 Permissions tab in single Article

The settings in ‘Component: Article permissions’ will be inherited from ‘Global Configuration permissions’.

Similarly, the settings in ‘Article permissions’ will be inherited from ‘Component: Article permissions’.

In summary: Global > Component - Article > Single Article.

Note for Settings in Permissions tab:

Here is some useful information that makes it easier to set up user group permissions in the Permission tab:

  • If the selected setting is Inherited or Allowed:

- Low-level user groups will automatically inherit the setting from a higher level. 

- Settings in low-level user groups can be manually overridden by settings in the higher level.

  • If the selected setting in higher level is Denied, you will be unable to choose new settings for the lower level and it will be shown as Locked.

2. Set up ‘Reviewer’ group permissions 

Open the Single Article -> Permissions tab.

Select ‘Reviewer Group’ - the Joomla default setting shows you three actions with Not Allowed (Inherited) settings. That means all actions that are ‘Not Allowed’ have been inherited from a higher level.

Then, you need to change the Edit setting to Allowed. The other settings need to be kept as default to make sure the Reviewer group will only participate in assigned actions.

When you finish, don't forget to save your work.

Now, the new Reviewer group will be able to review and edit that article before other groups publish it. 
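
As an added illustration (not part of the original article and not Joomla's own code), the Python model below reproduces the behaviour used in this case study: settings inherit down the permission levels and down the parent groups, an explicit Allowed at a lower level applies, and a Denied at a higher level locks everything below it. The group names come from the case study; the rule tables, the function names and the use of the keys `core.edit`, `core.edit.state` and `core.delete` for Edit, Edit State and Delete are assumptions of the example.

```python
# Simplified model of the inheritance behaviour described above (not Joomla's source).
ALLOW, DENY = 1, 0  # "Inherited" is modelled as: no entry at that level

# Constructed sample data: each group maps to its parent (None = top of the tree).
GROUP_PARENT = {"Public": None, "Registered": "Public", "Reviewer": "Registered"}

# Constructed rules per permission level, ordered from highest to lowest.
LEVELS = [
    ("global", {}),
    ("component", {}),
    ("category", {}),
    ("article", {"core.edit": {"Reviewer": ALLOW}}),  # the case-study change
]

def group_chain(group):
    """Return the group and all of its ancestors, topmost parent first."""
    chain = []
    while group is not None:
        chain.append(group)
        group = GROUP_PARENT[group]
    return chain[::-1]

def effective(group, action, levels=LEVELS):
    """Return (allowed, reason) for a group performing an action on the article."""
    merged = {}  # group -> (setting, level name) after merging levels top-down
    for level_name, rules in levels:
        for g, setting in rules.get(action, {}).items():
            # A Denied set at a higher level is locked: lower levels cannot change it.
            if merged.get(g, (None, None))[0] == DENY:
                continue
            merged[g] = (setting, level_name)
    verdict = (False, "Not Allowed (Inherited): no level grants it")
    for g in group_chain(group):
        if g in merged:
            setting, level_name = merged[g]
            if setting == DENY:
                return (False, f"Denied for {g} at {level_name} level (locked)")
            verdict = (True, f"Allowed for {g} at {level_name} level")
    return verdict

def audit(group, actions=("core.edit", "core.edit.state", "core.delete")):
    """Map each action to True/False for the group, for a least-privilege review."""
    return {a: effective(group, a)[0] for a in actions}

if __name__ == "__main__":
    for name in ("Registered", "Reviewer"):
        print(name, audit(name))
```

Running the audit for both `Registered` and `Reviewer` confirms that the new grant reaches only the Reviewer group and that Delete and Edit State stay Not Allowed.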

With Joomla 4, the ACL system integrates the Publishing Workflow feature, which is an amazing tool to give webmasters more control and flexibility on their site.

Joomla ACL extensions

For beginners with no experience of the Joomla ACL system, it can be quite confusing due to the dozens of permission screens, nested groups, and inherited permissions.

In most cases, you won’t need anything beyond the Joomla ACL manager default settings. The exception is if you want to build a very large site which includes a great number of user groups with advanced custom permissions.

Joomla ACL extensions come in handy to support both cases.

1. PWT ACL Manager

This extension is a powerful tool for Joomla users to get a great overview of all Joomla ACL settings. It helps you to quickly understand the concept and guides you in setting up Joomla ACL permissions.

With Joomla PWT ACL, you also can set the basic ACL permission for any component, even 3rd party components, which is not supported by default Joomla ACL. 

This extension works well with Joomla 3+ ACL manager.

2. Mijo ACL

Mijo ACL is an advanced Access Control List component that allows you to manage all Joomla permissions from one page, including 3rd party components.

This component provides an easy-to-use interface, so you can easily create custom permissions and manage multiple Joomla user groups.

Final thoughts

With two different setting systems, the Joomla Access Control List can be used to decide which parts of the site people can access and take action on.

It’s a great tool that can help you to better manage your site and site settings.
