Access Control List (ACL) in Joomla

The Joomla ACL system is divided into two completely separate systems. The ACL for each is set up differently.

  1. One system controls what things on the site users can view.

  2. Other system controls what things users can do (what actions a user can take).

What Users Can View

How to setup?

First, create a set of Access Levels you wish only logged in users to see. Do not assign any user groups to the new Access Levels at this point. Then, create a User Group, with "Registered" as parent, for each Access Level. Edit new Access Levels and assign the new User Group to each one.

You may also wish to assign the Super User Group (or other default User Groups but not 'Guest' User Group) to your new Access Levels. 

Finally, assign each item to be viewed to one Access Level. Items can be content items like articles, contacts, and so on, menu items, and modules.

How it works?

Any time a user is about to view an item on a Joomla page, the system checks whether the user has access to the item. It creates a list of all the Access Levels that the User has access to, based on all Groups that the User belongs to. Also, if a group has a parent group, access levels for the parent group are also included in the list.

Then, the system checks whether the Access Level for the item is on that list. If yes, then the item is displayed to the user. If no, then the item is not displayed.

What Users Can Do

This is set up with the Permissions tab of Global Configuration and the Permissions tab of the Options of each component. Permissions can also be set up at the Category level for core components and at the Article level for articles. Permissions are assigned to user groups.

This set up is independent of the setup for viewing but a User Group needs to be assigned to the appropriate Access Level in order for the user in that Group to use those Permissions.

When a user wants to initiate a specific action against a component item (for example, edit an article), the system (after checking the Group the user is in has access) checks the permission for this combination of user, item, and action. If it is allowed, then the user can proceed. Otherwise, the action is not allowed.

Actions: Actions allowed for each group are defined by site administrator.

Permissions: Permissions can be set at multiple levels in hierarchy: Site, Component, Category, Object.

Permission Inheritance: Permissions can be inherited from parent Groups and parent Categories.

Types of Permissions

There are four possible permissions for actions:

  1. Not set: Defaults to "deny" but, unlike the Deny permission, this permission can be overridden by setting a child group or a lower level in the permission hierarchy to "Allow". This permission only applies to the Global Configuration permissions.

  2. Inherit: Inherits the value from a parent Group or from a higher level in the permission hierarchy. This permission applies to all levels except the Global Configuration level.

  3. Deny: Denies this action for this level and group. This also denies this action for all child groups and all lower levels in the permission hierarchy. Putting in Allow for a child group or a lower level will not have any effect. The action will always be denied for any child group member and for any lower level in the permission hierarchy.

  4. Allow: Allows this action for this level and group and for lower levels and child groups. This does not have any effect if a higher group or level is set to Deny or Allow. If a higher group or level is set to Deny, then this permission will always be denied. If a higher group or level is set to Allow, then this permission will already be allowed.

Types of Actions

There are ten Actions: Site Login, Admin Login, Offline Access, Super User, Access Administration Interface, Create, Delete, Edit, Edit State. and Edit Own. These are the actions that a user can perform on an object in Joomla.

  1. Site Login: Login to the front end of the site

  2. Admin Login: Login to the back end of the site

  3. Offline Access: Login to the front end of the site when the website is offline.

  4. Super User: Grants the user "super user" status. Users with this permission can do anything on the site. Only users with this permission can change Global Configuration settings. These permissions cannot be restricted.

  5. Access Component: Open the component manager screens (User Manager, Menu Manager, Article Manager, and so on)

  6. Create: Create new objects (for example, users, menu items, articles, weblinks, and so on)

  7. Delete: Delete existing objects

  8. Edit: Edit existing objects

  9. Edit State: Change object state (Publish, Unpublish, Archive, and Trash)

  10. Edit Own: Edit objects that you have created.

Default User Groups

When you install Joomla, it includes a set of default user groups. The groups are structured as the child-parent relationships. When you set a permission for a parent group, this permission is automatically inherited by all child groups.

The Inherited, and Allowed permissions can be overridden for a child group. The Denied permission cannot be overridden and will always deny an action for all child groups.

  1. Public has everything set to "Not set". Basically, "Not Set" is the same as "Inherited". Because Public is our top-level group, and because Global Configuration is the top level of the component hierarchy, there is nothing to inherit from. So "Not Set" is used instead of "Inherit". In this case, the default is for no permissions. So, the Public group has no special permissions. Also, since nothing is set to Denied, all of these permissions may be overridden by child groups or by lower levels in the permission hierarchy.

  2. Guest is a 'child' group of the Public group has everything set to 'Inherited'. This is the default 'Guest User Group' in the User Manager options and the Group that non-logged in visitors to your site are placed in.

  3. Manager is a "child" group of the Public group. It has Allowed permissions for everything except Access Component and Super Admin. So, a member of this group can do everything in the front and back end of the site except change Global Permissions and Component Options.

  4. Administrator group inherit all of the Manager permissions and also have Allowed for Access Component. So, members of this group can access the Options screens for each component.

  5. Registered is the same a Public except for the Allow permission for the Site Login action. So, members of the Registered group can login to the site. Since default permissions are inherited, this means that, unless a child group overrides this permission, all child groups of the Registered group will be able to login as well.

  6. Author is a child of the Registered group and inherits its permissions and also adds Create and Edit Own. Author, Editor, and Publisher have no back-end permissions.

  7. Editor is a child of the Authors group and adds the Edit permission.

  8. Publisher is a child of Editor and adds the Edit State permission.

  9. Super Users group has the Allow permission for the Super Admin action. Because of this, members of this group have super user permissions throughout the site. They are the only users who can access and edit values on the Global Configuration screen.

The ability to have child groups is completely optional. It allows you to save some time when setting up new groups. However, you can set up all groups to have Public as the parent and not inherit any permissions from a parent group.