Joomla ACL: Configuring back-end ACL
How to set up a better user experience for your clients — while enhancing usability — by using ACL on the back end of Joomla
Thank you, Helvecio da Silva, for translating this article to Portuguese: Joomla: configurando ACL no back-end
Thank you, Iván Ramos, for translating this article to Spanish: Joomla ACL: Configurando el ACL del backend
Thank you, Claudio Driussi, for translating this article to Italian: migliorare l'esperienza utente aumentando l'usabilità utilizzando ACL nel back-end di Joomla
Thank you, Lo-Jen Chi, for translating this article to Traditional Chinese: Joomla存取控制列表:設定後台的存取控制列表
Thank you, Katerina Vorobyova, for translating this article to Russian:
Please feel free to translate this article to other languages. Include a link to this article, and I will link back to you! Let me know your translation is posted via Twitter (@jen4web) or through my website (jenkramer.org).
In previous articles, I've covered ACL terminology and a general overview of how ACL works, setting up front-end access levels, and creating a better user experience at login. Now I will cover how to set up a better user experience for your clients — while enhancing usability — by using ACL on the back end of Joomla.
For most sites I've built, I try to set clients up to edit their website from the front end of Joomla. Unfortunately, Joomla's front-end editing capabilities are limited. It's not possible to easily create new articles or link them to the front end of the website, for example, without setting up blog functionality (and sometimes that's not what you want to use). Therefore, more often than I'd like, I must give my client access to the back end of Joomla to complete simple tasks.
However, when a client arrives at Joomla's back end, they quickly get distracted by functionality they shouldn't ever touch. Even if you give your client Manager access to the back end, they still have distracting options to consider.
By stripping back functionality in Joomla's back end to include only what your client must access, you make the process simpler and easier for your client. They will know what each option is within the menu structure, and they will know how to use them... if you provide proper training and documentation.
Deny until Allow vs. Allow until Deny
Joomla's ACL is a "deny until allow" system. The Public user group has no permissions set at all, so its members can do nothing except view the public front end of the website. Each of the default user groups then has permissions added, and those permissions always Allow something.

Remember that Deny cannot be overridden. If you deny a user group the ability to edit content within a category, you cannot override that for just one article within that category. "Not Set" is different: a group that has inherited Not Set from Public is also unable to edit articles within that category, but Not Set can be overridden lower down. You could give the Allow permission on a single article, and that article becomes editable while the rest of the category stays locked.
We can add permissions for a user group to perform a certain task at several levels. Let's consider adding the Edit permission, so that our client can edit articles. There are several places where the Edit permission could be added, with associated meanings.
- Edit, Global Configuration: Many of Joomla's default user groups have the Edit permission assigned in Global Configuration. When Edit is assigned here, though, it means the user group may edit every kind of content: articles, but also weblinks, contacts, and more. To take editing away again anywhere below, you must use Deny, possibly in many places in Joomla's structure, and each of those Denies is then final for everything beneath it. In general, I don't recommend allowing Edit at the Global Configuration level.
- Edit, Article Options: Adding the Edit permission here means the client can edit articles and categories anywhere within the Content component. You would need to Deny access to the specific categories or articles the client must not edit, and remember that Deny cannot be overridden. Unless your client needs to edit everywhere within the Article and Category managers, I would not recommend setting Edit here either.
- Edit, individual category: The client will now be able to edit articles within that category only. This makes the most sense and is easiest to administer: categories the client should not touch simply stay at Not Set, and you keep the option of Denying a single article inside the category without worrying about an override deeper in Joomla's structure later.
- Edit, individual article: You can set permissions on individual articles, but it's time-consuming. In general, I don't recommend changing permissions on articles unless there is no other solution. Remember that if Deny is set at the category level, it cannot be overridden at the article level.
In general, you want to follow a Deny until Allow strategy when configuring Joomla's ACL. This will allow maximum flexibility for you later, to adjust permissions on an article-by-article basis. If you Allow until Deny, you will not have the flexibility to change permissions later.
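To make the Deny, Allow and Not Set behaviour above concrete, here is a small Python model of how Joomla resolves one permission down its asset tree. It is an added example written for this article, not Joomla's own code or the author's. The JSON rule shape and the "an explicit Deny is never replaced during a merge" behaviour follow Joomla's JAccessRules/JAccessRule classes; the asset names, the group id 10 standing in for the Client User Group, and the category and article ids are made up for the illustration.

```python
"""Model of how Joomla resolves Allow / Deny / Not Set down the asset tree.

Constructed illustration for this article, not Joomla's own code.  It follows
the two rules in Joomla's JAccessRules / JAccessRule classes: an explicit Deny
(0) is never replaced when rules are merged from the root asset down to the
leaf, and a missing entry ("Not Set") may be filled in by a rule further down.
Rules use the JSON shape stored in the #__assets table:
{"core.edit": {"<group id>": 1 | 0}}.  Asset, category, article and group ids
below are made up.
"""
import json

# Constructed asset tree, child -> parent, named the way Joomla names assets:
# Global Configuration = root.1, Article Options = com_content, then categories
# and articles beneath them.
ASSET_PARENT = {
    "root.1": None,
    "com_content": "root.1",
    "com_content.category.8": "com_content",
    "com_content.category.9": "com_content",
    "com_content.article.42": "com_content.category.8",
    "com_content.article.43": "com_content.category.8",
    "com_content.article.44": "com_content.category.9",
}

# Constructed group tree, child -> parent: 1 is Public, 10 stands in for the
# article's Client User Group (a child of Public).
GROUP_PARENT = {1: None, 10: 1}
CLIENT = 10


def asset_path(asset):
    """Assets from the root down to `asset`, the order Joomla merges them in."""
    path = []
    while asset is not None:
        path.append(asset)
        asset = ASSET_PARENT[asset]
    return path[::-1]


def identities(group):
    """A user in `group` is checked as a member of every ancestor group too."""
    ids = []
    while group is not None:
        ids.append(group)
        group = GROUP_PARENT[group]
    return ids


def merged_rules(asset, rules_by_asset):
    """Merge rule JSON root -> leaf.  An existing Deny (0) is never overwritten,
    so an Allow below a Deny has no effect; Not Set (absent) can be filled in."""
    merged = {}
    for node in asset_path(asset):
        for action, groups in json.loads(rules_by_asset.get(node, "{}")).items():
            dest = merged.setdefault(action, {})
            for gid, allow in groups.items():
                gid = int(gid)
                if dest.get(gid) == 0:
                    continue                       # explicit deny sticks
                dest[gid] = int(bool(allow))
    return merged


def check(action, asset, group, rules_by_asset):
    """True only if some group the user belongs to is allowed and none is denied.
    Not Set for every group counts as no permission."""
    rule = merged_rules(asset, rules_by_asset).get(action, {})
    result = None
    for gid in identities(group):
        if gid in rule:
            result = bool(rule[gid])
            if result is False:
                break                              # one denied group wins
    return bool(result)


# Scenario A: Not Set on the category, Allow on one article -> override works.
NOT_SET_THEN_ALLOW = {
    "com_content.article.42": json.dumps({"core.edit": {str(CLIENT): 1}}),
}
# Scenario B: Deny on the category, Allow on the article -> the Deny wins.
DENY_THEN_ALLOW = {
    "com_content.category.8": json.dumps({"core.edit": {str(CLIENT): 0}}),
    "com_content.article.42": json.dumps({"core.edit": {str(CLIENT): 1}}),
}
# Scenario C: Allow in Article Options, Deny on one category -> that category
# is locked for good, the other category stays editable.
ALLOW_THEN_DENY = {
    "com_content": json.dumps({"core.edit": {str(CLIENT): 1}}),
    "com_content.category.8": json.dumps({"core.edit": {str(CLIENT): 0}}),
}
# Scenario D: Deny for the parent group (Public) in Article Options, Allow for
# the client group on the category -> still denied, because the client user is
# also a member of Public.
PARENT_GROUP_DENY = {
    "com_content": json.dumps({"core.edit": {"1": 0}}),
    "com_content.category.8": json.dumps({"core.edit": {str(CLIENT): 1}}),
}

if __name__ == "__main__":
    for name, rules in [("A", NOT_SET_THEN_ALLOW), ("B", DENY_THEN_ALLOW),
                        ("C", ALLOW_THEN_DENY), ("D", PARENT_GROUP_DENY)]:
        for art in ("com_content.article.42", "com_content.article.43",
                    "com_content.article.44"):
            print(name, art, check("core.edit", art, CLIENT, rules))
```

Scenario A is the "Deny until Allow" strategy recommended above: nothing is granted until the one article is allowed. Scenario B shows why a category-level Deny is permanent, and scenario C shows the cost of allowing Edit high up and denying below. Scenario D is the case people forget: a Deny placed on Public, or any other ancestor group, follows the client group down the tree.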
The problem we're trying to solve
Let's assume you want to give your client some very basic access to the back end of Joomla:
- Ability to create, edit, and publish/unpublish articles within a certain category or categories (or all categories)
- Ability to create, edit, and publish/unpublish menu items
- Ability to access some basic components like the web links component
The general approach to configuration will be as follows:
- Create a new user group, assign core permissions, and create a user for the client.
- Assign the appropriate access level(s).
- Assign permissions so that the client can access the Article Manager, Menu Manager, and Weblinks.
I recommend you follow along with this example using two web browsers. I use Firefox for my super user login, and I use Chrome for my client login, but you can use any combination of browsers that Joomla supports. This way I can flip between views, adjusting settings as I go. If you use one browser, you will need to log out and log back in to switch views: both logins would share the same session cookie, so Joomla cannot keep two sessions to the same site open in one browser (a private or incognito window is a workable substitute for a second browser).
1. Create a new user group, assign core permissions, and create a user
I have covered this process in detail in other articles. Briefly, do the following:
- Create a new user group called Client User Group. Make this a child of Public.
- In Global Configuration, under Permissions, set the Admin Login permission to Allowed. (If your client must also log in on the front end, you may need to set the Site Login permission to allowed. Adjust other permissions accordingly, depending on what your client needs to do.)
- Create a client user, and assign this user to the Client User Group. Make sure you remember the username and password!
2. Assign access levels
If you log into Joomla as a client at this point, you will see a screen similar to this:
This is not terribly helpful! You were able to log in, but where's the menu? Where's the control panel? What can you do here, other than log out?
One thing you have not yet configured is an access level for the back end of the website. Remember that access levels control who sees what, including modules, content, and so forth. Menus are a module, even on the back end of Joomla. They're an administrator module, and these administrator modules are assigned an access level of Special. Therefore, your client will also need to have the Special access level assigned to their user group.
Because Special is required for making back end ACL work, I advise you not use Special as an access level in the front end of Joomla.
Now do the following:
- As a super user, assign the Special access level to the Client User Group. (See this article if you need help.)
- Log out as the client, and then log in again. (Because of the access level change, you will need to log out and log in again to see a changed administrator interface.)
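Why the client saw a blank screen can be shown in a few lines: the view levels a user holds are computed from a separate table (the Access Levels screen) and not from the Allow/Deny permissions set in step 1. The following is an added Python model, written for this article and not Joomla's own code, of the logic in Joomla's JAccess::getAuthorisedViewLevels: each view level stores a JSON array of group ids (a negative number is a single user id), and a user counts as a member of every ancestor of the groups they belong to. The default group and level ids are the ones Joomla ships with; group 10 and user 99 are made-up stand-ins for the Client User Group and the client user.

```python
"""Why the client saw an empty back end: view (access) levels are a separate
check from Allow/Deny permissions.

Constructed model for this article, not Joomla's own code.  It follows the
logic of JAccess::getAuthorisedViewLevels, where #__viewlevels.rules is a JSON
array of group ids (a negative number means a single user id) and a user is
counted as a member of every ancestor of the groups they are in.  Group and
level ids are Joomla's defaults; group 10 and user 99 are made up.
"""
import json

# Default view levels: id -> (title, rules JSON).  Default groups referenced:
# 1 Public, 2 Registered, 3 Author, 6 Manager, 8 Super Users.  (Joomla 3 adds
# Guest and Super Users levels; they do not change this example.)
VIEW_LEVELS = {
    1: ("Public", "[1]"),
    2: ("Registered", "[6,2,8]"),
    3: ("Special", "[6,3,8]"),
}

# Constructed group tree, child -> parent.  The article's Client User Group (10)
# is a child of Public, so it inherits only what Public can see.
GROUP_PARENT = {1: None, 2: 1, 3: 2, 6: 1, 8: 1, 10: 1}

# Administrator modules such as the admin menu (mod_menu) ship with
# access = 3, the Special level.
ADMIN_MENU_ACCESS = 3
CLIENT, CLIENT_USER_ID = 10, 99          # constructed ids


def groups_with_ancestors(group):
    """The group itself plus every parent up to the root."""
    ids = []
    while group is not None:
        ids.append(group)
        group = GROUP_PARENT[group]
    return ids


def authorised_view_levels(group, user_id, view_levels):
    """Ids of the view levels a user with id `user_id` in `group` may see."""
    groups = groups_with_ancestors(group)
    allowed = []
    for level_id, (_title, rules) in view_levels.items():
        for ident in json.loads(rules):
            if (ident < 0 and -ident == user_id) or (ident >= 0 and ident in groups):
                allowed.append(level_id)
                break
    return allowed


def can_see(item_access, group, user_id, view_levels):
    """A module, menu item or article with access level `item_access` is shown
    only if that level is in the user's authorised list."""
    return item_access in authorised_view_levels(group, user_id, view_levels)


def grant_level(view_levels, level_id, group):
    """What ticking a group on the Users > Access Levels screen does: add the
    group id to that level's rules array.  Returns a modified copy."""
    title, rules = view_levels[level_id]
    ids = json.loads(rules)
    if group not in ids:
        ids.append(group)
    updated = dict(view_levels)
    updated[level_id] = (title, json.dumps(ids))
    return updated


if __name__ == "__main__":
    # Before: Admin Login is allowed, but the menu module is invisible.
    print(can_see(ADMIN_MENU_ACCESS, CLIENT, CLIENT_USER_ID, VIEW_LEVELS))   # False
    # After: Client User Group added to Special.
    fixed = grant_level(VIEW_LEVELS, 3, CLIENT)
    print(can_see(ADMIN_MENU_ACCESS, CLIENT, CLIENT_USER_ID, fixed))         # True
```

Running it shows the client holding only the Public level before the change and Public plus Special after it. The same function also explains the warning about Special on the front end: any front-end module, menu item or article set to Special becomes visible to every group you add to that level for back-end purposes.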
You should see something like this now, as the client:
Here is what the client can do on the back end at this point:
- Edit their own user profile, including changing username and password for themselves (but because they are not a super user, they will not be able to change their user group(s)).
- View links to Help, all of which are publicly available web pages.
- Log out, or view the front end of the website.
- View a list of the top 5 most popular articles and the last 5 added articles via the modules on the right, but they cannot edit any of those articles.
It's still not terribly useful, but at least it's not absolutely nothing anymore! Our next step is to give the client permission to create, edit, and change state with articles.
3a. Assign permissions: Articles
The client should be able to access the Article Manager on the back end of Joomla. The first step is to make the Article Manager appear as an option in the client's menu. Once the option is visible, we can focus on assigning more specific permissions.
Getting the Article Manager to appear in the client back end
To get the Article Manager to appear as an option in the menu, go to Content - Article Manager - Options, choose the Permissions tab, and set "Access Administration Interface" to Allowed for the Client User Group. Click Save in the upper right hand corner.
(You might be curious about the Configure option. This is the permission which allows access to the Options dialog box itself, including the Permissions tab you are editing right now, so a group with Configure could change its own permissions. In general, you'll only want super users to have it.)
Now go to the client web browser, refresh your screen, and you should see the Article Manager and the Category Manager appear as icons in the control panel as well as in the top menu.
Unfortunately, it is NOT possible to separate permissions for the Article Manager and the Category Manager at this time. This is a major weakness in Joomla's ACL.
If you look at the Article Manager as the client, you will be able to see a full listing of all articles. However, you cannot edit any of them, nor can you change their state. There is no button to create a new article in the upper right — there is only an icon for help.
Editing all articles vs. editing categories of articles
The next step is to give the client permission to edit and change state with these articles. Do you want to give the client the ability to change all articles this way, or do you want to give permission in specific categories, or do you need to give permission on an article-by-article basis?
The answer is always It Depends! When configuring your category structure for the site, I recommend the following:
- Keep ACL in mind when setting up categories of content. If you need to lock your client out of some of the pages of the site, you might put all of those pages in the same category, even if their content is very different. This will make ACL easier to configure.
- Likewise, if the client will only edit a certain subset of articles, it might make sense to put them all in the same category.
- Changing permissions on an article-by-article basis should be saved only for the most rare cases. It's hard to teach your client to configure permissions on new articles. Set the permissions on the category, and the client will never need to touch them as they create new articles.
For each scenario, here's how you might proceed.
The client should edit all articles
If the client should edit all articles, configure permissions as follows:
- Under Content - Article Manager - Options - Permissions, for the Client User Group, set Create, Edit, Edit State, and Edit Own to Allowed. In general, I do not give clients permission to delete content, as this means they would be able to empty the trashcan. They can unpublish or trash any article with the Edit State permission.
The client should edit articles within a category or categories
If the client will only edit articles within one category or a small number of categories, configure each category as follows:
- You will still need to allow Access Administration Interface under Content - Article Manager - Options - Permissions.
- Under Content - Category Manager, click the category name of the category of articles where the client will be editing. At the bottom of the configuration screen for each category is a set of permissions. Set those permissions to allow Create, Edit, Edit State, and Edit Own.
- Repeat this process for each category of articles where the client will need access.
The client needs access on an article-by-article basis
You can also edit an individual article as a super user, scroll to the bottom of the screen, and set permissions for the client there. This should only be used in the rarest circumstance. Configuring permissions at the category level is a better approach from a maintenance perspective.
I've allowed my client to create, edit, and change state for any article within the website. The client's Joomla control panel now looks like this:
3b. Assign permissions: Media Manager
As the client, if you edit any of the articles, one of the tasks you'll certainly need to accomplish is the ability to add an image to the article.
The way permissions are currently assigned, the client is able to get to the articles, choose one to edit by clicking on the title to get to the editing screen, then click the Image button at the bottom of the article editing window. They pull up the Media Manager screen that looks like this:
Note the client is able to browse for any image that's already in the Media Manager, but there is no interface for uploading a new image to the site. That's because the Media Manager is a separate component from the Article Manager, and because of that, it has its own set of permissions. What's more, the Media Manager does not appear in the menu structure for the back end of Joomla when logged in as the client.
To change this, flip to your super user login, go to Content - Media Manager - Options - Permissions, and for the Client User Group set Access Administration Interface and Create to Allowed. Create is the upload permission; leave Delete off unless the client must also remove files. While you are in that Options screen, check that the Legal Extensions (File Types) and Restrict Uploads settings are still as tight as you want them, because they are now the only limit on what the client can upload.
3c. Assign permissions: Menu
By now, you should have a pretty good idea of what comes next. If the client needs to link articles to the menu, they'll need access to the Menus menu item in the back end of Joomla.
As a super user, go to Menus - Menu Manager - Options - Permissions, and for the Client User Group, set Access Administration Interface, Create, Edit, and Edit State to Allow.
Unfortunately, you are not able to allow the client to add menu items as children of a given menu item only, or allow them to create only specific types of menu items. That would be a great addition to Joomla's ACL.
3d. Assign permissions: Weblinks component
Here's the way my client back end looks now:
Now I want to give the client access to Weblinks, but to no other components within Joomla. Fortunately, that's easy to do, and you can probably guess how to do this at this point.
As a super user, go to Components - Weblinks - Options - Permissions, and for the Client User Group, set Access Administration Interface, Create, Edit, Edit State, and Edit Own to Allow.
You can repeat this process for any of Joomla's core components for which you'd like the client to have access.
Note: some third-party components may not have fully integrated Joomla's ACL system, so the permissions you set in their Options may not be enforced consistently, if they are offered at all. If ACL is important to your site, test each component with the client login and keep this in mind when choosing components for your website.