How to Use Joomla ACL (Access Control List) to Manage User Permissions

ACL, short for Access Control List, is a great tool for user control in terms of login, content editing and creation, and so on. It can be separated into several systems for different purposes. Because Joomla ACL offers a large number of features, some readers are unsure how to make good use of this powerful manager.

This guide on how to use Joomla ACL to manage user permissions explores what this manager can do. We start with a brief introduction to ACL and then explain the main functions one by one.

Basics of Joomla ACL

Joomla's Access Control List (ACL) determines which users can access which parts of your website and which operations each user may perform. The basics of the Joomla Access Control List come down to Users, User Groups, Access Levels and Core Permissions. The following list gives more detail on each.

  • Users – A user can be anyone accessing your website, both logged-in visitors and people who have never signed up for an account on your Joomla website.
  • User Groups – A user group holds all users who share the same permissions. For example, if you run a Joomla hosting review website with multiple authors, there should be a group for those authors with the right to edit and create posts on your website.
  • Access Levels – These assign access rights to the visitors who may view your website front-end. Anyone without permission cannot see any content on your Joomla site. It can also be regarded as a good method for protecting privacy and guarding against hacker attacks.
  • Core Permissions – All permissions in this part apply to user groups and affect every individual in them. They include the right to manage site login, offline access, component access, etc. The core permissions are explained in detail in the following part.

Joomla ACL Core Permissions

All user groups can be given the core permissions by making changes on the Permission Settings page. To do so, log into your Joomla dashboard and find the System tab on the top menu. Then go to System > Global Configuration and click the Permissions tab. This brings you to the Permission Settings page, which includes nine actions for every default user group.

System Global Configuration

Each user group comes with nine actions that can be Allowed, Inherited or Denied according to your needs. Select a setting from the “Select New Setting” drop-down list and then check the current status in the “Calculated Setting” column.

Public is the parent group of all other groups and comes with three settings: Not Set, Allowed and Denied. If you leave an action as “Not Set”, it is regarded as “deny” by default, but that can be changed by child groups.

For child user groups, there are also three settings available for each action: Inherited, Allowed and Denied. “Inherited” takes the permission of the parent user group, that is, it stays the same as the higher level of the permission hierarchy.

For “Allowed” and “Denied”, all child groups are brought into line with the parent group. That is to say, once the parent group sets “Allowed” or “Denied” for a certain permission, the child groups cannot change that decision. The actions are described in more detail below.

Permission Settings Manager

  • Site Login – As the name suggests, this action determines who may log in via the website front-end. Users who get this permission can log into the front-end of your site.
  • Admin Login – When this permission is allowed for a user group, all users in that group are able to access the back end of your website. Treat it seriously to protect your website from malicious attacks.
  • Offline Access – When the website is offline, users who get this access can view the website as usual.
  • Super User – Users who get this permission can do anything, even change Global Configuration settings. Note that once users have this permission, they are no longer affected by other assigned permissions.
  • Access Administration Interface – This allows users to access the administration interface and work there within their permissions.
  • Create – Users with this permission can create content on the website, such as articles, menu items, users, and so on.
  • Delete – This is used to delete any objects users have created before.
  • Edit – This allows users to edit any existing content on the website, even content created by others.
  • Edit State – Users who get this permission can change the status of all objects: Published, Trashed, Unpublished or Archived.
  • Edit Own – In contrast to the “Edit” permission, “Edit Own” only allows users to edit their own content, not anything created by other users.

Create New User Groups & Assign Users to a Group

Once you go to System > Global Configuration > Permission, a list of user groups is available for user control by default, including Public, Guest, Manager, etc. Public sits above all other groups and allows you to create new child groups. Each child group can in turn contain more child groups as needed.

When the default groups can no longer satisfy the needs of your website, log into your Joomla dashboard and go to Users > Groups > Add New Group.

Users Groups Add New User Group

On the “User Manager: Add New User Group” page, you are required to enter the new user group details: Group Title and Group Parent. Give the group a proper name and then select a group parent from the drop-down list. For instance, we make this new group a child of Manager and name it Group 1. Click the “Save” button to confirm all settings.

Add New User Group

Go back to the user Groups page and check that this group is listed under Manager. It should look like the following screenshot. Then set the core permissions for this newly created group. If you need to change the existing groups, go to Users > Groups and tick the groups to delete or edit.

New User Group Example
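Before changing any setting, it helps to know what Group 1 already inherits from Manager. The sketch below is an added example, not Joomla's own code: it models the “Calculated Setting” for each group and lists which groups end up holding Admin Login, Access Administration Interface and Super User. The group ids, the rule data and the function names are constructed for illustration, and it assumes Joomla's rule that an explicit Denied anywhere between a group and Public wins.

```python
import json

# Constructed sample data (not exported from a real site). Ids and titles
# mirror Joomla's stock groups; id 10 stands for the article's "Group 1".
GROUPS = {  # id: (title, parent id); Public has no parent
    1: ("Public", None), 2: ("Registered", 1), 3: ("Author", 2),
    6: ("Manager", 1), 7: ("Administrator", 6), 8: ("Super Users", 1),
    9: ("Guest", 1), 10: ("Group 1", 6),
}
# Rules as action -> {group id: 1|0}: 1 = Allowed, 0 = Denied,
# group absent = Inherited / Not Set (assumed storage shape).
GLOBAL_RULES = json.loads("""{
  "core.login.site":  {"2": 1, "6": 1},
  "core.login.admin": {"6": 1},
  "core.admin":       {"8": 1},
  "core.manage":      {"7": 1},
  "core.create":      {"3": 1, "6": 1},
  "core.edit":        {"6": 1}
}""")
SENSITIVE = ("core.login.admin", "core.manage", "core.admin")

def lineage(gid):
    """Yield group ids from gid up to Public."""
    while gid is not None:
        yield gid
        gid = GROUPS[gid][1]

def calculated(rules, gid, action):
    """Return 'Allowed' or 'Not Allowed' for one group and one action."""
    # Super User (core.admin) is not affected by any other setting.
    if action != "core.admin" and calculated(rules, gid, "core.admin") == "Allowed":
        return "Allowed"
    settings = [rules.get(action, {}).get(str(g)) for g in lineage(gid)]
    if 0 in settings:  # explicit Denied on the group or an ancestor wins
        return "Not Allowed"
    return "Allowed" if 1 in settings else "Not Allowed"

def audit(rules):
    """Map each sensitive action to the sorted titles of groups holding it."""
    return {a: sorted(GROUPS[g][0] for g in GROUPS
                      if calculated(rules, g, a) == "Allowed") for a in SENSITIVE}

if __name__ == "__main__":
    for action, holders in audit(GLOBAL_RULES).items():
        print(f"{action:18} {', '.join(holders)}")
```

With this sample data, Group 1 shows up under core.login.admin purely through its Manager parent, so every user assigned to it can reach the back end.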

With a new user group created, you can start assigning users to it right away. Stay in the Joomla dashboard and go to Users > User Manager. This is where you view all users on your website. Find the user to be assigned to the new user group and then click the username to open the “Edit User” page.

There are three tabs on this page; select Assigned User Groups. Since we plan to assign this user to the newly created group named Group 1, we tick that user group and then click the “Save & Close” button.

Assign User Groups

Adjust User Group Permissions via an Article Category

If you wish to adjust a user group's core permissions for a particular article category, follow the steps below. Go to Content > Category Manager to view all the article categories you have created. Open the edit page of a category and click the “Permissions” tab.

Expand the user group to be adjusted. There are 5 actions available for each group and each comes with three settings, including Inherited, Allowed and Denied.

Edit Article Category

Here, we take the newly created Group 1 as an example. As a child group of Manager, Group 1 had better inherit the permissions of the Manager user group. Finally, click the “Save” button to confirm all settings.