The Joomla! Community Magazine™

Joomla 1.6, 1.7, and 2.5: ACL Concepts Overview

Written by | Saturday, 31 December 2011 16:00 | Published in 2012 January
One of the most powerful new features in Joomla 1.6 and later versions is Access Control Lists (ACL). ACL stands for access control lists. It refers to who has permission to do what on the website, including read, create, edit, delete, or log in, among other permissions.

Thank you to Katerina Vorobyova for translating this article to Russian!

Thank you to Lo Jen-Chih for translating this article to Traditional Chinese!

Thank you to Helvecio for translating this article to Brazilian Portuguese!

This article is based on two articles originally written for Joomla 1.6. It was written in December 2011, prior to the release of Joomla 2.5, and it assumes that ACL concepts will not change between Joomla versions, even if minor changes to the interface do occur.

Many think of ACL as relating to the front end of a website only. For example, when I log into the website, what articles do I have available to me? And if someone else logs into the site, do they see the same articles, or do they see different ones?

However, ACL also relates to who has rights to create, edit, and delete content; who can publish and unpublish content; who can log into the front end or back end of the website; and who can make changes to which components, modules, and templates.

Just because you can doesn't mean you should! ACL is complex, and it takes some time to understand exactly how it works. For many sites, perhaps even most sites, you might not need anything beyond the default Joomla configuration. However, if you're building a larger site, it could come in handy.

Examples of where ACL would be required include:

  • A school site, where parents, teachers, students, and the public see different types of content
  • A large website with many contributors, where you don't want people changing each other's content, and trust can't or won't work
  • You have users who should be able to create and edit content for the website, but they can't necessarily publish content. What's more, you have two or more groups of these users who need to create and edit content belonging to different areas of the website.
  • You would like a user to be able to log into the back end of the website, access controls for a single component, and touch nothing else.

ACL can also be used to build a simplified administrator interface, eliminating areas where a client would not need to visit to make changes to the site. In Joomla 1.5, you could make a client a manager, but they would be able to edit any component, any content on the site, and make changes to menus. With Joomla 1.6 and higher, you can refine ACL so a client can access only specific categories of articles (or specific articles), specific components (or none at all), and so forth. Via ACL, you can improve backend administrator usability for your client.

ACL in Joomla 1.5

Joomla 1.5 has a limited and fixed ACL system. If you’ve worked with Joomla 1.5, you’ve seen how you can set a menu item or article to be viewable by the public, registered users, or “special” (authors and above). Likewise, you probably know that registered users can’t log into the back end of a Joomla site, but a super administrator can. Joomla 1.5 ACL is hierarchical, meaning that each user group inherits permissions from the groups below it.

A full explanation of Joomla 1.5’s groups can be found at brian.teeman.net. Groups include public, registered, author, editor, publisher, manager, administrator, and super administrator.

Joomla 1.5's access levels include public, registered, and special. Public indicates that anyone can see the content. Registered indicates that those with registered user access and higher can see the content. Special is for Author groups and higher only. There is no way to add additional access levels, nor is there any way to segment audiences more finely.

ACL in Joomla 1.6 and higher: Overview

Joomla 1.6+ ACL is not necessarily hierarchical. You can set up groups with whatever permissions you wish. These permissions are inherited from parents in the case of groups, but they are not inherited in the case of access levels. At a minimum, all user groups are children of the Public group.

There are four aspects to the ACL system in Joomla 1.6+. These include the user, the group, core permissions, and access levels. I've represented these in the following diagram to describe their relationship, and I'll go through each in detail.

[Diagram of how ACL works]

User

This is the easiest one to understand — that's you, or someone else visiting the website. A user does not have to have an account to be considered a user of the website. That user would still be considered a public user. Individual users may be assigned to one or several groups. You cannot assign core permissions directly to users; these are assigned to the group.

Core Permissions

Core permissions are assigned to the group, not to individual users. (If you want specific core permissions for a single user, you would need to create a group for that single user.)

Core permissions include:

  • Site login: the ability to log into the front of the website.
  • Admin login: the ability to log into the back end of the website.
  • Offline access: when the site is taken offline (in Global Configuration - Site tab), this controls who is able to log in to see the site.
  • Super Admin: administrative (root) privileges, such as changing Global Configuration. Super Admin privileges also override any other ACL settings, giving this user group full access to all of Joomla's systems.
  • Access Component: the ability to get to specific areas in the back end (think menus, article manager, media manager, components, etc.).
  • Create: the ability to create new content.
  • Delete: the ability to delete (trash) content.
  • Edit: the ability to edit existing content, which is not necessarily your own.
  • Edit state: the ability to change state between published, unpublished, trashed, and archived.
  • Edit own: the ability to edit your own content (but not the content of others).

The core permissions are set in the Global Configuration, under Site - Global Configuration, then clicking on the Permissions tab.

Understanding Core Permissions in Global Configuration

[Image: globalconfig]

In the Manager group shown above, and in all other groups except for Public, each one of the dropdowns shown here has three options: Allow, Deny, and Inherited. The Public group is the parent for all groups underneath it. The Public group's dropdowns have three values: Allow, Deny, and Not Set.

  • Allow means something is explicitly allowed or permitted for a specific group.
  • Deny means something is explicitly denied or not permitted for a specific group.
  • Inherited means something is derived from a parent group. Inherited is not available as an option for the Public group.
  • Not Set means the permission has not yet been configured. Not Set is only available to the Public group and only in the Global Configuration.

Each default user group's permissions are explained in full below.

Special Note about Core Permissions Assigned in Global Configuration

When core permissions are set at the Global Configuration level, they carry through the entire site and through all areas of the site. For example, an Author has the Create permission assigned globally. That author may create an article in any category on the website. The Create permission also means they could create a new weblink from the front end of the website, if the weblink component is in use. You may want to think carefully about where permissions are assigned within Joomla. You do not have to set the Create permission in Global Configuration if you want a user group to be able to create articles and categories. You could also assign this permission within the Options in the Article Manager. I will go more in depth about where to assign permissions in later articles.

All About Deny

You might be tempted to set all of these dropdowns to specifically say Allow or Deny so it's easier to read.

However, I would strongly encourage you NOT to do that.

If Deny is set on a parent group, then even if you set Allow on one of its child groups, the parent's Deny is inherited and overrides the Allow.

For example, if you set the Public group dropdowns to Deny for all, there's no point in having any higher level groups! Everyone would be denied from doing anything on the website forever with the exception of the Super Users.

User Group

A user group (also simply called a group) is a group of users who share the same permissions. Using the Joomla 1.5 groups as an example, the publisher group has the right to log into the front of the website, create new articles, edit any articles on the site, and publish or unpublish articles. Anyone in the publisher group has the same permissions to do these same things.

Unlike Joomla 1.5, however, a user may be assigned to multiple groups. A user may be in the publisher group as well as the administrator group, for example.

You can create your own groups and assign them their own set of core permissions. Core permissions are inherited between groups.

A group might be created for two different reasons. One would be to view content on the front end of the website. (User groups are assigned to access levels to see content on the front end of the website.) The other would be to specify what content can be created, edited, deleted, published or unpublished, or managed by that group.

By visiting the website, a site visitor is considered a user belonging to the public group.

The public group may not be deleted, but all other groups may be deleted. (However, I'd recommend you keep them, because they give you a good model of how permissions inheritance works.)

The Default Groups

By default, Joomla 1.6 and higher comes configured with the same groups as appear in Joomla 1.5. The groups and their core permissions are as follows (consider singing along to "The 12 Days of Christmas" while reading):

  • Public: Public can see the content on the front end of the website that is not hidden behind a login. For the Public group, by default, all values are set to Not Set. As you might expect, Public users are not allowed to log into the front end of the website, among other permissions. They are not explicitly denied from doing this, however — they are denied because there is no permission explicitly set.
  • Registered: Registered users can log into the front end of the website only. Registered users are children of the Public group. They are assigned the Site Login permission.
  • Author: Authors can create their own content via the Create and Edit Own permissions. Authors are children of the Registered group. They inherit the Site Login permission from Registered users.
  • Editor: Editors can edit any content on the site via the Edit permission. Editors are children of the Author group. They also inherit the Create and Edit Own permissions from Authors and the Site Login permission from Registered users.
  • Publisher: Publishers may publish, unpublish, archive or trash content via the Edit State permission. Publishers are children of the Editor group. They also inherit the Edit permission from Editors, the Create and Edit Own permissions from Authors, and the Site Login permission from Registered users.
  • Manager: Managers are children of the Public group, so all permissions previously assigned to Registered, Author, Editor, and Publisher groups do not apply to Managers. They must all be reassigned individually. That includes Site Login, Admin Login, Offline Access, Create, Delete, Edit, Edit State, and Edit Own.
  • Administrator: Administrators are able to edit and configure extensions via the Access Component permission. Administrators are children of the Manager group, so they inherit the Site Login, Admin Login, Offline Access, Create, Delete, Edit, Edit State, and Edit Own permissions from them.
  • Super Users: Super Users (formerly Super Administrators) are able to change Global Configuration as well as other abilities via the Super Admin permission. Super Users are also children of Public. However, they have only one permission set: the Super Admin permission. This permission overrides all others, so the super user is able to perform all functions.

The default groups and their permissions are represented in the Global Configuration (under Site - Global Configuration - Permissions).

Access Level

Access levels refer to who can see what content on the front end of the website. Essentially, this amounts to read permissions on the front end of the website.

Historically, there have been three access levels: public (which anyone can see), registered (you must be logged in to see the content), or special (you must be a logged in author or higher level group to see the content).

These access levels are still present in 1.6+ as default settings, but you can also create your own access levels.

Access levels do not inherit their permissions. If an article is set to be viewable by publishers only via a custom access level, even super administrators cannot view that article. You must assign super users to also be part of the publisher group in order to view this article on the front end of the website, or you must assign super users and publishers to the same access level to see the content. (In all cases, as a super user, you are able to edit this article on the back end.)
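
To make the rules in this article concrete, here is a small Python model I have added for illustration; it is not Joomla's own code. It covers the four pieces described above: the Allow, Deny, Inherited and Not Set dropdown values and how they resolve along the group tree, the warning that a Deny set on Public propagates to every child group (except Super Users, whose Super Admin permission overrides everything), the default groups with the core permissions listed in the previous section, and access levels as plain sets of groups that inherit nothing. It assumes the default group tree and per-group settings exactly as listed above, default access-level memberships as I understand them (Public: the Public group; Registered: Registered, Manager and Super Users; Special: Author, Manager and Super Users), and a constructed custom access level named "Publishers only". For a user in several groups, a Deny reached through any one of them wins, which follows Joomla's rule evaluation.

```python
# Added example (not Joomla's own code): a model of Joomla 1.6+ ACL resolution.
# Groups inherit core permissions from their parents; access levels are plain
# sets of groups and inherit nothing.
from typing import Dict, FrozenSet, Iterator, List, Optional

ALLOW, DENY, INHERITED, NOT_SET = "Allow", "Deny", "Inherited", "Not Set"

# Default group tree from the article: child -> parent, Public is the root.
PARENT: Dict[str, Optional[str]] = {
    "Public": None, "Registered": "Public", "Author": "Registered",
    "Editor": "Author", "Publisher": "Editor", "Manager": "Public",
    "Administrator": "Manager", "Super Users": "Public",
}

CORE_PERMISSIONS = ["Site Login", "Admin Login", "Offline Access", "Super Admin",
                    "Access Component", "Create", "Delete", "Edit", "Edit State",
                    "Edit Own"]

# Explicit dropdown values per group, as on the Global Configuration Permissions
# tab. Anything not listed is Inherited (Not Set for the Public group).
DEFAULT_SETTINGS: Dict[str, Dict[str, str]] = {
    "Registered": {"Site Login": ALLOW},
    "Author": {"Create": ALLOW, "Edit Own": ALLOW},
    "Editor": {"Edit": ALLOW},
    "Publisher": {"Edit State": ALLOW},
    "Manager": {p: ALLOW for p in CORE_PERMISSIONS
                if p not in ("Super Admin", "Access Component")},
    "Administrator": {"Access Component": ALLOW},
    "Super Users": {"Super Admin": ALLOW},
}

# Access levels: level name -> groups that may view content at that level.
# The three default memberships are the Joomla 1.6 defaults as I understand
# them (assumption); "Publishers only" is a constructed custom level.
ACCESS_LEVELS: Dict[str, FrozenSet[str]] = {
    "Public": frozenset({"Public"}),
    "Registered": frozenset({"Registered", "Manager", "Super Users"}),
    "Special": frozenset({"Author", "Manager", "Super Users"}),
    "Publishers only": frozenset({"Publisher"}),
}


def ancestry(group: str) -> Iterator[str]:
    """Yield the group, then each parent up to Public."""
    node: Optional[str] = group
    while node is not None:
        yield node
        node = PARENT[node]


def resolve(group: str, permission: str,
            settings: Dict[str, Dict[str, str]] = DEFAULT_SETTINGS) -> str:
    """Effective value for one group. An explicit Deny anywhere between the group
    and Public wins over every Allow (the article's warning); otherwise the first
    explicit Allow applies; with nothing set on the path the result is Not Set."""
    verdict = NOT_SET
    for g in ancestry(group):
        value = settings.get(g, {}).get(permission, INHERITED)
        if value == DENY:
            return DENY
        if value == ALLOW and verdict == NOT_SET:
            verdict = ALLOW
    return verdict


def user_allowed(groups: List[str], permission: str,
                 settings: Dict[str, Dict[str, str]] = DEFAULT_SETTINGS) -> bool:
    """Core-permission check for a user in one or more groups. Super Admin
    overrides everything else; then a Deny reached through any group wins;
    then any Allow; Not Set is treated as denied."""
    if any(resolve(g, "Super Admin", settings) == ALLOW for g in groups):
        return True
    verdicts = {resolve(g, permission, settings) for g in groups}
    return DENY not in verdicts and ALLOW in verdicts


def user_can_view(groups: List[str], level: str) -> bool:
    """Front-end read check. A user sees content at a level only if one of their
    groups, or an ancestor of one of their groups, is listed in that level.
    Nothing else is inherited, so Super Users (children of Public) cannot view
    "Publishers only" unless they are also placed in the Publisher group."""
    effective = {a for g in groups for a in ancestry(g)}
    return bool(effective & ACCESS_LEVELS[level])


def deny_on_public_example() -> Dict[str, bool]:
    """Deny Create on Public: it propagates to every child group; only Super Users survive."""
    settings = {g: dict(v) for g, v in DEFAULT_SETTINGS.items()}
    settings["Public"] = {"Create": DENY}
    return {g: user_allowed([g], "Create", settings)
            for g in ("Author", "Publisher", "Administrator", "Super Users")}


if __name__ == "__main__":
    for group in PARENT:
        granted = [p for p in CORE_PERMISSIONS if user_allowed([group], p)]
        print(f"{group:14} {', '.join(granted) or '(nothing)'}")
    print("Deny Create on Public:", deny_on_public_example())
    print("Super Users see 'Publishers only'?", user_can_view(["Super Users"], "Publishers only"))
    print("Super Users + Publisher see it?", user_can_view(["Super Users", "Publisher"], "Publishers only"))
```

Running the script prints the effective core permissions of each default group (Publisher, for instance, ends up with Site Login, Create, Edit, Edit State and Edit Own through inheritance, while Manager and Super Users get theirs without any help from Registered, Author, Editor or Publisher), then shows that one Deny on Public removes Create from Author, Publisher and Administrator alike, and that a Super User only sees "Publishers only" content once also placed in the Publisher group.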

What's next?

I will be writing a series of case studies that you can follow for putting the above principles into action. The examples will include:

  • Different users seeing different content from the front end of the website
  • A stripped down back end for simplifying a client's administration of their site
A great article...thanks for posting it. Understanding ACL truly has been made so much simpler. Must read.
VOTES:1
Thanks Sachin! We just posted one of my lynda.com videos as well. I hope this furthers your understanding. There will be two more articles, one in February and the other in March.
VOTES:2
I am working on a site for a club. I will use ACL for this as paid club members should have more access than registered users.

One problem I have that I haven't figured out is how to disclose some content for clubmembers.

The registered users who aren't club members will see content to promote membership and they will see an application form for membership. All this is unnecessary for the club members to see, but I don't understand how I should set this up, since the club members group has higher rank than registered and they will see everything.

On another site with J1.5 I used JUGA and they had a way of negating access for higher ranked groups by entering a ! before the groupname.

It would be nice if you could cover some of these questions in future articles. There must be a way to solve this!

Thanks

Jan
VOTES:0
Jen Kramer, my favorite Lynda.com author. I am absolutely thankful to you, ma'am. All of your titles are just so good that I found no difficulty in learning Joomla. However, I have a suggestion to you. In your title- Joomla 1.6 Essential Training, you didn't mention how to take my local site into the server & how to change the configuration codes in order to work in the hosting server. Moreover, I didn't find any lynda.com title on virtue mart. I hope, in the next title on Joomla 2.5, you'll have a portion on VirtueMart software along with the security feature essential for the e-commerce sites. Custom Template editing should focus on much more topics, not just the simple css anymore. I want to see some new features like drop down menu, flash file integration, sliding contents, social networking integration, scrolling text, comment functionality, captcha, calendar, google analytics, newsletter and so on. Please, make them available or at least mention the specific name of the title that focuses on the given criteria.
VOTES:0
Hi Asadul! Thank you so much for your feedback on my lynda.com courses. I think I did cover moving a site from your local host to a web host in chapter 12, "Launching your site". I moved the site with Akeeba Backup. Thanks also for the feedback on the custom templates course. Some people really love the CSS part of that course, while others skip right over it -- and that was really what I intended, as the CSS is pretty basic for some but new to others.

I do appreciate the feedback, and keep watching! I'm working on some new stuff. :-)

Jen
VOTES:0
Miles Baltrusaitis Tuesday, 10 January 2012
Excellent article. I use a fairly complex ACL setup to support my company's intranet. Staff, Managers, Executives each have their own levels. Couldn't have done it in 1.5!
VOTES:0
Thanks Jen for your great article.

This ACL feature should be spread widely since many Joomla users ask about extensions which help them grant permission to different user groups.
VOTES:0
Thank you, Huyen! ACL is definitely complicated but worth learning because it's so powerful.

Jen
VOTES:0
@Dave,

Thanks for the tip but that wouldn't help in this case.

What I'm looking for is a solution to hide stuff for a group with higher access that is shown to public or registered users.

Since a higher group inherits access rights from lower groups, it needs something more to hide things from the higher group.

Jan
VOTES:0
This is possible with core Joomla ACL. The trick is to not use the existing user groups. Make your own user groups as children of public, set up access levels accordingly, and you should get the result you want.

I've covered this in detail in my new lynda.com video on ACL, and next month, there will be an article in the magazine about this very topic.

Thanks!
Jen
VOTES:0
An excellent briefing article. I'd be interested in seeing your followup articles showing case studies, in particular, an example group/category/access breakdown for a large youth organisation with multiple local groups based on locality/suburb/town, and a hierarchy of parent groups to which they all participate.
VOTES:0
Hi,

How can I show the VirtueMart component in the Register group? Only selected components are shown in the components tab. I'm hoping for your response.

Thanks!
VOTES:0
Jen:
Great write up. Thanks! I followed your write up to try and create a private group within Joomla 2.5 and came across one issue dealing with the ability of users to change Access Permission in the front end article edit or article submit window.

What I did: I set up "Private" user group as subset of public, with rights to log on, create, edit etc. Created Access Level of "Private", with viewing rights limited to only the Private user group. Set up a category of "Private", with access limited to the "Private" Access Level. Created a user that belongs to only the "Private" user group. And created a submit article link viewable to only the Private Access Group, which locks the content submission category to the Private category. All works as expected following your guide here, except for one thing.

The Issue: When this user logs in and goes to create content in their private category, the publishing parameters in the edit window allow them to set the Permission on the article to ANY other Access Level that is defined in the system. If they happen to select another Access Level, the article is "lost". They can't access it because they don't have rights to view content in other access levels, and others cannot view the content because others do not have rights to view the Private category. If they leave the parameter at the default value of Public, the article ends up being viewable by all.
Is there a way around this? Is it possible to limit the Access Levels shown for this Permission Parameter, or to hide it and have it default to some value like you can with the submit content link? Am I missing something in ACL set-up, or is there an issue with Joomla's implementation?

I am asking here because you seem to understand the ACL quite well, and this is a good example of what you could do, and maybe a potential limitation.
VOTES:1
Hi there -- wow, what a great question. I had to take a look, and you are correct. If you have permission to edit an article, you can set it to any access level available, whether you're part of a user group that's included in that access level or not.

That would seem like something that would need to be addressed. Perhaps the way it should work is that the user could set the article to any access level their user group is part of, including public?

Seems like this would make a good feature request for the next version of Joomla.

Jen
VOTES:0
Hi Jen
Thank you for your article

Can I use the Joomla! Administrator panel to configure adding new articles in a way that one user or group has a filtered list of Viewing Access Levels?

It refers to adding new article by menu item.

I cannot cope with the black hole in the ACL Joomla! If the author changes the access level for the new article and saves the changes, we all lose sight of the article.

Cheers!

cl.ly/0G2f0S0c2W1n0I0F0E2e
VOTES:0
Great article! I'm starting your Joomla course at Lynda.com but have a question:
I have a fresh new install of Joomla 2.5.4; I did not install sample content. I am the only added user/Super user. I noticed a lot of extensions were "greyed out" so I played a little with the Global config permissions, and they went from greyed out to padlocked. I can login to front end and back end alright, but on the permissions settings I enabled "allow" for all of Super User settings and get the "conflict will be indicated by Not Allowed (Locked) under Calculated Settings", so a bunch of the extensions are now padlocked. How is this even possible if "Super Users" will always have full access? I tried inherited, that didn't work either. How do you fix this, and get rid of the padlocks, and greyed out extensions? Thanks a bunch!! -Diane
VOTES:0
Hi Diane -- not sure what you did, and I can't tell from your description. I think I would reinstall Joomla and start over if you're not sure how to fix the problem. As a super user, nothing should be "greyed out" (I'm not sure where you're talking about in the interface).

Sorry I can't be more help!
Jen
VOTES:0
I changed the permissions whilst trying out the different settings. One of the settings I changed was admin / login to no.
Now I can't see the login and password block on my administrator page?
VOTES:1
Yes, the ACL did exactly what you told it to do -- and now you can't log into the back end!
VOTES:0
Hi!
Hello once again.
To thank you for this article and other content on Joomla! I share my work.

It may be useful to someone who starts with the ACL Joomla!
Also sorry for my English.
Maybe it will inspire someone to even greater simplification of the idea.

cl.ly/0V320A1b340b3g1h1v1d
cl.ly/0K352N3p1N1c2P293O21

Regards
Mario
VOTES:0
Hi Jen... how can I hide some components for public... they should be registered users
VOTES:0
This is via "guest access" which is described here:

docs.joomla.org/Access_Control_List/1.6-...nu_Items_and_Modules
VOTES:0
A plugin for Joomla 2.5 is out now which makes multiple registration profiles upon registration available with a select box or dropdown. Check our website at www.joomapp.com

Jasper
VOTES:0
I am a super user of my Joomla site but am not able now to log in to the backend of my site after changing the session setting handler to none. What should I do to log in to my backend again? I am using Joomla 2.5. Thanks
VOTES:0
Sounds bad. Not sure what you should do. Personally, I would look into changing/creating a new user via MySQL or phpMyAdmin to get back in the site. If there's something easier, hopefully someone will tell us.
VOTES:1
clear browser cookies and cache and everything will be ok
VOTES:0
I am working on an eCommerce site, which is my first project in Joomla.
1. It contains different modules, i.e. users can register and log in to buy products.
2. A page for storing information for retailers, and retailers also place orders online.
3. Sales and marketing guys are also registered users.
4. The login system is common for all.

So my question is, can I use ACL to create a webpage which is accessible for a particular group of users? I.e. public users can't access the page which is made for retailers and marketing guys, and vice versa.
VOTES:0
Yes, it's possible to create this with ACL. Your eCommerce component may have different ACL options, depending on which component you choose.
VOTES:0
Thanks for the great articles. I have setup groups with category access and it works well. Unfortunately this disables the Publish Start option when creating the article. I either lose this option or the ability to restrict the group to a specific category. Do you know of a way around this?
VOTES:0
Excellent article. Thank you for this!
VOTES:0
Thanks for this breakdown in a simpler form!
VOTES:0