Today we are going to discuss the details of Access Control Lists (ACL) in Joomla 3.x.
An Access Control List (ACL) specifies which users or system processes are granted access to objects, as well as what operations are allowed to be performed on given objects. In the case of Joomla, there are two separate aspects of its ACL that site administrators can control:
Which users can gain access to what parts of the website? For example, will a given menu choice be visible for a given user? A registered user can view, but the public at large cannot. Perhaps the menu choice is hidden from all except an Editor user and higher.
What operations (or actions) can a user perform on any given object? For example, can a user listed as an "Editor" submit an article, or only edit an existing article? The ACL settings could allow submitting and editing, or allow changing an article's category, adding tags, or any combination.
The implementation of ACL in Joomla was substantially changed in the Joomla! 2.5 series, which allowed for more flexibility in groups and permissions.
Access Levels in the Joomla 3.x series are simple and flexible. The Access Level includes the Public, Guest, Manager, Registered, and Super Users groups. It also includes child groups of those groups. So, Administrator is included as a child group of the Manager group. The Author, Editor and Publisher are included as child groups of the Registered group.
One can also create a new access level and assign permissions to it as per the project requirement. Once Access Levels are created, they are used in the same way as in version 1.5. Each object in the front end is assigned an Access Level. If the level is Public, then anyone may access that object. Otherwise, only members of groups assigned to that access level may access that object. Access levels are assigned to Menu Items and to Modules. Each one can only be assigned to one access level.
Permission Level Hierarchy
Different Action permissions can be set as required for different Access Levels, using the following options:
Global Configuration: Determines the default permissions for each action and group. The options for each value are Inherited, Allowed, or Denied. The Calculated Setting column shows you the setting in effect. It is either Not Allowed (the default), Allowed, or Denied. This is set up in Site->Global Configuration->Permissions. The first thing to notice is the nine Actions:
Edit State and
These are the actions that a user can perform on an object in Joomla.
Component Options: This is accessed for each component by clicking the Options icon in the toolbar. This can override the default permissions for components like Articles, Menus, Users and so on. Access to Options is only available to members of groups who have permission for the Configure action for each component.
Category Options: Category permissions are accessed in the Category Manager.
Note that the Configure and Access Component actions do not apply at the category level. Also remember that Categories can be arranged in a hierarchy. If so, then action permissions in a parent category are inherited automatically by a child category. For example, if you have Vehicles as the parent category and Car, Bus, Truck etc. as its child categories, then full permission on the parent category will be inherited by all its child categories.
How Permissions Work
There are four possible permissions for actions, as outlined below:
Inherit: Inherits the value from a parent Group or from a higher level in the permission hierarchy. This permission applies to all levels except the Global Configuration level.
Deny: Denies any action for this level and group.
IMPORTANT: This also denies any action for all child groups and all lower levels in the permission hierarchy. Putting in Allow for a child group or a lower level will not have any effect. The action will always be denied for any child group member and for any lower level in the permission hierarchy.
Allow: Allow actions for this level and group and for lower levels and child groups. This does not have any effect if a higher group or level is set to Deny or Allow. If a higher group or level is set to Deny, then this permission will always be denied. If a higher group or level is set to Allow, then this permission will already be allowed.
Not set: Defaults to "deny" but, unlike the Deny permission, this permission can be overridden by setting a child group or a lower level in the permission hierarchy to "Allow". This permission only applies to the Global Configuration permissions.
Example of how to set permissions:
Suppose you have a manager who is assigned to manage only a few sections of your website (like Articles, Modules, Categories, Menus, Templates etc.) from the administrator (back end). You can give him permissions such as Edit, Delete, Create, Edit Own etc., so that he can see and manage those sections.
How can you achieve this? Follow the steps below.
Go to Users->Groups and create a new group named "Site Manager" and set its Group Parent to Super User.
Then go to System->Global Configuration->Permissions tab and select "Site Manager" to see the Actions and settings related to it.
Here, choose the desired setting for each permission under "Select New Setting" and click Save to see the new settings under the "Calculated Settings" section.
Now you can create a new user and assign it to "Site Manager", and he can now access the Articles, Modules, Menus, Templates etc. that he is meant to manage.
That's all you need to do. Members of this group can log in to the back end and do everything in Articles, Menus, Modules etc., but can't do anything else in the back end.
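The four settings under "How Permissions Work" and the group created in the steps above can be checked with a small model, added here as an example; it is not Joomla's own code. The group tree, the sample settings and the function names are constructed, and the Allow on the Super User action for the Super Users group is an assumption about the default setup.

```python
# Simplified model of the rules described above; not Joomla's own code.
ALLOW, DENY = "Allow", "Deny"   # Inherit / Not set = no entry stored

# Constructed group tree (child -> parent) using the groups named above.
PARENT = {
    "Public": None,
    "Manager": "Public", "Administrator": "Manager",
    "Registered": "Public", "Author": "Registered",
    "Editor": "Author", "Publisher": "Editor",
    "Super Users": "Public",
    "Site Manager": "Super Users",   # group created in the example steps
}
LEVELS = ["global", "component", "category"]   # highest to lowest

# Constructed sample settings: level -> action -> group -> explicit value.
RULES = {
    "global": {
        "Edit": {"Manager": ALLOW, "Editor": ALLOW},
        "Delete": {"Manager": ALLOW, "Registered": DENY},
        "Super User": {"Super Users": ALLOW},   # assumed default setting
    },
    "component": {"Delete": {"Publisher": ALLOW}},   # Allow under a Deny
    "category": {"Edit": {"Editor": DENY}, "Create": {"Author": ALLOW}},
}

def group_chain(group):
    """Return the group followed by all of its parent groups."""
    chain = []
    while group is not None:
        chain.append(group)
        group = PARENT[group]
    return chain

def calculated_setting(rules, group, action, level):
    """Setting in effect for `group` on `action` at `level`."""
    levels = LEVELS[: LEVELS.index(level) + 1]   # this level and those above
    seen = {rules.get(lv, {}).get(action, {}).get(g)
            for lv in levels for g in group_chain(group)}
    if DENY in seen:
        return "Denied"        # a Deny above cannot be overridden
    if ALLOW in seen:
        return "Allowed"       # inherited by child groups and lower levels
    return "Not Allowed"       # nothing set anywhere: the default

if __name__ == "__main__":
    for case in [("Publisher", "Delete", "component"),
                 ("Author", "Create", "category"),
                 ("Site Manager", "Super User", "global")]:
        print(case, "->", calculated_setting(RULES, *case))
```

The last case shows why the Calculated Settings column is worth reading before users are assigned: under this model a new group starts with every Allow held by its Group Parent.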