Joomla! 1.6: Managing Site Users with Access Control

by Eric Tiggeler | March 2011 | Joomla! Open Source

One of the biggest changes in Joomla! 1.6 is the introduction of a completely new system to manage user permissions. The previous version of Joomla! already featured a basic system of Access Control Levels (ACL), as user permissions management is usually called. In Joomla! 1.6, you've got much more control over what users can see and do on the site. However, the new system can be pretty complex. Let's find out how you can put Joomla!'s new ACL system to work.

In this article by Eric Tiggeler, author of Joomla! 1.6 First Look, you'll learn about:

  • The default set of user groups and permissions in Joomla! 1.6
  • Action Permissions: what users can do
  • Viewing Access Levels: what users can see

 


What's new about the Access Control Levels system?

In Joomla! 1.5, a fixed set of user groups was available, ranging from "Public" users (anyone with access to the frontend of the site) to "Super Administrators", allowed to log in to the backend and do anything. The ACL system in Joomla! 1.6 is much more flexible:

  • Instead of fixed user groups with fixed sets of permissions, you can create as many groups as you want and grant the people in those groups any combination of permissions. ACL enables you to control anything users can do on the site: log in, create, edit, delete, publish, unpublish, trash, archive, manage, or administer things.
  • Users are no longer limited to only one group: a user can belong to different groups at the same time. This allows you to give particular users both the set of permissions for one group and another group without having to create a third, combined set of permissions from the ground up.
  • Permissions no longer apply to the whole site as they did in Joomla! 1.5. You can now set permissions for specific parts of the site. Permissions apply to either the whole site, or to specific components, categories, or items (such as a single article).

What are the default user groups and permissions?

The flexibility of the new ACL system has a downside: it can also get quite complex. The power to create as many user groups as you like, each with very fine-grained sets of permissions assigned to them, means you can easily get entangled in a web of user groups, Joomla! Objects, and permissions.

You should carefully plan the combinations of permissions you need to assign to different user groups. Before you change anything in Joomla!, sketch an outline or use mind mapping tools (such as http://bubbl.us) to get an overview of what you want to accomplish through Joomla! ACL: who (which users) should be able to see or do what in which parts of the site?

In many cases, you might not need to go beyond the default setup and can just use the default user groups and permissions that are already present when you install Joomla! 1.6. So, before we go and find out how you can craft custom user groups and their distinctive sets of permissions, let's have a look at the default Joomla! 1.6 ACL setup.

The default site-wide settings

In broad terms, the default groups and permissions present in Joomla! 1.6 are much like the ACL system that was available in Joomla! 1.5. To view the default groups and their permissions, go to Site | Global Configuration | Permissions. The Permission Settings screen is displayed, showing a list of User Groups. A user group is a collection of users sharing the same permissions, such as Public, Manager, or Administrator.

By default the permission settings of the Public user group are shown; clicking any of the other user group names reveals the settings for that particular group.


On the right-hand side of the Permission Settings screen, the generic (site-wide) action permissions for this group are displayed: Site Login, Admin Login, and so on. Actions are the things users are allowed to do on the site. For the sample user groups, these action permissions have already been set.

Default user groups

Let's find out what these default user groups are about. We'll discuss the user groups from the most basic level (Public) to the most powerful (Super Users).

Public – the guest group

This is the most basic level; anyone visiting your site is considered part of the Public group. Members of the Public group can view the frontend of the site, but they don't have any special permissions.

Registered – the user group that can log in

Registered users are regular site visitors, except for the fact that they are allowed to log in to the frontend of the site. After they have logged in with their account details, they can view content that may be hidden from ordinary site visitors because the Access level of that content has been set to Registered. This way, Registered users can be presented all kinds of content ordinary (Public) users can't see.

Registered users, however, can't contribute content. They're part of the user community, not the web team.

Author, Editor, Publisher – the frontend content team

Authors, Editors, and Publishers are allowed to log in to the frontend, to edit or add articles. There are three types of frontend content contributors, each with their specific permission levels:

  • Authors can create new content for approval by a Publisher or someone higher in rank. They can edit their own articles, but can't edit existing articles created by others.
  • Editors can create new articles and edit existing articles. A Publisher or higher must approve their submissions.
  • Publishers can create, edit, and publish, unpublish, or trash articles in the frontend. They cannot delete content.

Manager, Administrator, Super User – the backend administrators

Managers, Administrators and Super Users are allowed to log in to the backend to add and manage content and to perform administrative tasks.

  • Managers can do all that Publishers can, but they are also allowed to log in to the backend of the site to create, edit, or delete articles. They can also create and manage categories. They have limited access to administration functions.
  • Administrators can do all that Managers can and have access to more administration functions. They can manage users, edit, or configure extensions and change the site template. They can use manager screens (User Manager, Article Manager, and so on) and can create, delete, edit, and change the state of users, articles, and so on.
  • Super Users can do everything possible in the backend. (In Joomla! 1.5, this user group type was called Super Administrator). When Joomla! is installed, there's always one Super User account created. That's usually the person who builds and customizes the website. In the current example website, you're the Super User.

Shop Suppliers and Customers – two sample user groups

You'll notice two groups in the Permission Settings screen that we haven't covered yet: Shop Suppliers and Customer. These are added when you install the Joomla! 1.6 sample data. These aren't default user groups; they are used in the sample Fruit Shop site to show how you can create customized groups.

Are there also sample users available?

As there are user groups present in the sample data, you might expect there are also sample users. This is not the case. There are no (sample) users assigned to the sample user groups. There's just one user available after you've installed Joomla!: you. You can view your details by navigating to Users | User Manager. You're taken to the User Manager: Users screen.


Here you can see that your name is Super User, your user name is admin (unless you've changed this yourself when setting up your account), and you're part of the user group called Super Users.

There's also a shortcut available to take you to your own basic user settings: click on Site | My Profile or—even faster—just click on the Edit Profile shortcut in the Control Panel. However, you can't manage user permissions here; the purpose of the My Profile screen is only to manage basic user settings.

Action Permissions: what users can do

We've now seen what types of users are present in the default setup of Joomla! 1.6. The action permissions that you can grant these user groups—things they can do on the site—are shown per user group in the Site | Global Configuration | Permissions screen. Click on any of the user group names to see the permission settings for that group:


You'll also find these permissions (such as Site Login, Create, Delete, Edit) in other places in the Joomla! interface: after all, you don't just apply permissions on a site-wide basis (as you could in previous versions of Joomla!), but also on the level of components, categories, or individual items.

To allow or deny users to do things, each of the available actions can be set to Allowed or Denied for a specific user group. If the permission for an action isn't explicitly allowed or denied, it is Not Set.

Permissions are inherited

You don't have to set each and every permission on every level manually: permissions are inherited between groups. That is, a child user group automatically gets the permissions set for its parent.

Wait a minute—parents, children, inheritance ... how does that work? To understand these relationships, let's have a look at the overview of user groups in the Permission Settings screen. This shows all available user groups (I've edited this screen image a little to be able to show all the user groups in one column):


You'll notice that all user group names are displayed indented, apart from Public. This indicates the permissions hierarchy: Public is the parent group, Manager (indented one position) is a child of Public, Administrator (indented two positions) is a child of Manager.

Permissions for a parent group are automatically inherited by all child groups (unless these permissions are explicitly set to Allowed or Denied to "break" the inheritance relationship). In other words: a child group can do anything a parent group can do—and more, as it is a child and therefore has its own specific permissions set.

For example, as Authors are children of the Registered group, they inherit the permissions of the Registered group (that is, the permission to log in to the frontend of the site). Apart from that, Authors have their own specific permissions added to the permissions of the Registered group.

Setting an action to Denied is very powerful: you can't allow an action for a lower level in the permission hierarchy if it is set to Denied higher up in the hierarchy. So, if an action is set to Denied for a higher group, this action will be inherited all the way down the permissions "tree" and will always be denied for all lower levels—even if you explicitly set the lower level to Allowed.

 


What do the available action permissions mean?

In the Site | Global Configuration | Permissions screen, nine types of action permissions are available, such as Site Login and Admin Login. However, the available action permissions vary across the different levels of the site for which you can set permissions. You can set action permissions at up to four levels on the website, ranging from site-wide permissions to permissions on the level of individual items, such as articles. Let's have a look at the possibilities: the different action permissions you can set on different levels.

Level 1 – site-wide permissions in Global Configuration

You can set the default permissions for each action and group site-wide, via Site | Global Configuration | Permissions:


The table below explains what the available permissions in Global Configuration mean:

Permission name     Allows user to do the following
Site Login          Log in to the front of the website.
Admin Login         Log in to the backend administration interface.
Super Admin         Do anything on the site, including Global Configuration (Super Users have Super Admin rights).
Access Component    Have administrative access to components, but not to Global Configuration.
Create              Create new content in components.
Delete              Delete content in components.
Edit                Edit content in components.
Edit State          Change the state (publish, unpublish, trash, archive) of content in components.
Edit Own            Edit content they've created themselves.

The Super Admin action is only available in the Global Configuration Permissions screen, as it applies only to the whole site.

Level 2 – permissions for components

You can set permissions on the level of components. Joomla! components are Articles, Menus, Users, Banners, and so on. There's a Permissions screen in each of the components of Joomla! 1.6. For example, go to Article Manager | Options | Permissions to access the Permissions screen of the Article Manager:


Other component permissions screens can be found in a similar way through the Options button: for example, navigate to Menus | Menu Manager and click on Options to access the article permissions, or go to Components | Banners and click on Options | Permissions to access permission settings for the banner component.

You'll notice that there's one action in the list that we haven't seen yet, Configure. It's only applicable to components. The table below explains what the available action permissions for components mean:

Permission name     Allows user to do the following
Configure           Set component options.
Access Component    Have administrative access to component.
Create              Create content in component.
Delete              Delete content in component.
Edit                Edit content in component.
Edit State          Change the state (publish, unpublish, trash, archive) of content in component.
Edit Own            Edit content that they've created themselves.

Level 3 – permissions for categories

You can also set permissions on the level of specific categories. In the screen where you create or edit a category (such as Content | Category Manager | Edit or New), you'll find a Category Permissions section at the bottom of the screen:


In this section, you can set permissions for all articles within a specific category. The Calculated Setting column on the right-hand side displays whether the specific action is Allowed or Not Allowed; in the Select New Setting drop-down box, you can change the current values.

In the same way, you can set permissions for types of categories other than Article Categories, such as Contacts categories or Banners categories.

The table below explains what the available action permissions for categories mean:

Permission name     Allows user to do the following
Create              Create content and subcategories in category.
Delete              Delete category, subcategories, and category content.
Edit                Edit category, subcategories, and category content.
Edit State          Change the state (publish, unpublish, trash, archive) of category, subcategories, and category content.
Edit Own            Edit their own category, subcategories, and category content.

Level 4 – permissions for articles

Finally, you can set permissions on the level of individual articles. As an example, go to Content | Article Manager | Edit or New to set permissions for a specific article in the Article Permissions section at the bottom of the screen:


The table below explains what the available action permissions for articles mean:

Permission name     Allows user to do the following
Delete              Delete article.
Edit                Edit article.
Edit State          Change the state (publish, unpublish, trash, archive) of article.
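
The inheritance rules under "Permissions are inherited" and the four permission levels above can be modelled as a small calculator, which is handy for reviewing a planned ACL setup before you click it together. This is an added example, not code from the article or from Joomla! itself; the group tree, level labels, article number, and rules are constructed samples, and the model assumes that a Denied set for any of a user's groups (or their parents) wins.

```python
ALLOWED, DENIED, NOT_SET = "Allowed", "Denied", "Not Set"

# Constructed sample: child group -> parent group, following the hierarchy
# the article describes (Public at the root).
PARENT = {"Public": None, "Registered": "Public", "Author": "Registered",
          "Manager": "Public", "Administrator": "Manager"}

# Hypothetical labels for the four levels, ordered from site-wide to item.
LEVELS = ["global", "component:articles", "category:news", "article:42"]

# Constructed sample rules: level -> action -> group -> explicit setting.
RULES = {
    "global": {"Site Login": {"Registered": ALLOWED},
               "Edit Own": {"Author": ALLOWED},
               "Delete": {"Manager": ALLOWED}},
    "component:articles": {"Delete": {"Manager": DENIED}},
    "category:news": {"Edit Own": {"Registered": DENIED}},
    "article:42": {"Delete": {"Administrator": ALLOWED},
                   "Edit Own": {"Author": ALLOWED}},
}


def lineage(group):
    """Return the group and all of its ancestors, root first."""
    chain = []
    while group is not None:
        chain.append(group)
        group = PARENT[group]
    return chain[::-1]


def explicit_settings(groups, action, levels=LEVELS, rules=RULES):
    """Yield (level, group, setting) for every explicit rule that applies."""
    identities = []
    for g in groups:  # a user may belong to several groups at once
        for ancestor in lineage(g):
            if ancestor not in identities:
                identities.append(ancestor)
    for level in levels:
        for group in identities:
            setting = rules.get(level, {}).get(action, {}).get(group, NOT_SET)
            if setting != NOT_SET:
                yield level, group, setting


def calculated_setting(groups, action, levels=LEVELS, rules=RULES):
    """Denied anywhere in the chain wins; otherwise any Allowed grants."""
    found = [s for _, _, s in explicit_settings(groups, action, levels, rules)]
    if DENIED in found:
        return "Not Allowed"
    return "Allowed" if ALLOWED in found else "Not Allowed"


def shadowed_allows(groups, action, levels=LEVELS, rules=RULES):
    """List Allowed settings that have no effect because of a Denied."""
    found = list(explicit_settings(groups, action, levels, rules))
    if not any(s == DENIED for _, _, s in found):
        return []
    return [(level, group) for level, group, s in found if s == ALLOWED]
```

`shadowed_allows` is the audit view: every entry it returns is an Allowed that someone set explicitly but that a Denied elsewhere in the chain silently overrides.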

Viewing Access Levels: what users can see

We've now covered two main parts of the ACL system: User Groups and action permissions (the specific things users can be allowed to do). A third important ACL concept is Viewing Access Levels. These access levels don't determine what users can do, but what users can see: can users only see the public site, can they access the frontend or maybe access the backend? What articles, menus, modules, or components can the user group actually view?

By default, three Viewing Access Levels are available: Public, Registered, and Special. Go to Users | User Manager and click on the Viewing Access Levels tab to see these levels:


This is what the three default Viewing Access Levels mean:

  • Public means that there are no special viewing permissions involved. It's the set of permissions for the Public user group, who are only allowed access to the public site.
  • Registered is the set of permissions for Registered Users. These by default are allowed to log in to the site to view the site parts that are set to the Registered access level.
  • Special is the set of viewing permissions for all users that can log in to the backend (Manager, Administrator, Super User).

At the top of the list, there's an extra viewing level: Customer Access Level. This is an example of customized access levels available in the sample data. It's used in the Fruit Shop sample site.

Viewing Access Levels can be set for all kinds of content on the site, from modules and menu items to individual articles, by changing the value of the Access dropdown list:


When the Access value of an article or another object is set to Registered, Special, or any other level that's not Public, this content will only be visible for user groups who have that particular Viewing Access Level assigned.

Summary

In this article, we've explored the exciting new possibilities of the Joomla! ACL system. This is what we have covered:

  • In the User Manager, you can create new users and assign them to a specific Group, granting them various levels of access to the site.
  • The default User Groups consist of seven levels, from guests (Public) to the most powerful (Super Users). These user levels are comparable to the ones present in Joomla! 1.5. However, you can now add as many custom user groups as you like.
  • The permissions that you can grant these user groups—things they can do on the site—are called Action Permissions. You can set these permissions (such as Site Login, Create, Delete, Edit) on different levels in the Joomla! interface: site-wide, for components, for categories, or for individual items.
  • Viewing Access Levels don't determine what users can do, but what users can see or access. By default, three Viewing Access Levels are available: Public, Registered, and Special, but you can create new custom levels for your specific user groups and their permissions.

About the Author


Eric Tiggeler

Eric Tiggeler is the author of the Joomla! 3 Beginner's Guide and has written several Dutch guides on Joomla! and other content management systems, all of which got excellent reviews. Eric writes tutorials for several computer magazines and Joomla! community websites. Over the last ten years, Eric has developed numerous websites, big and small, many of them using Joomla!

Eric is fascinated by the Web as a powerful and creative means of communication, and by revolutionary software such as Joomla!, which enables anyone to create beautiful and user-friendly websites. His passion is making complex things easy to understand.
