24. Sep 2014 - Structuring your Website

Joomla: ACL (Access Control List), Rights-Management

Joomla has a very elaborate and powerful rights management system. This comes with a disadvantage: it is somewhat complicated and takes some effort to understand. So let's start:

Which users can gain access to which parts of the website? For example, will a given Menu Item be visible to a given user?
What actions can a user perform? For example, can a user edit or publish an article?

Every User has to be assigned to one or more User Groups.
Every User Group has specific access rights (see Access Control List).
Every Category, Module and Article has to be assigned to an Access Level (for Access Levels see Access Control List).


Global Configuration: Permission Settings

These are the default permissions for each action and group.

Table of Permission Settings:

| Group | Site Login | Admin Login | Offline Access | Super User | Access Administration | Create | Delete | Edit | Edit State | Edit Own |
|---|---|---|---|---|---|---|---|---|---|---|
| Public | Not Set (= Not Allowed) | Not Set | Not Set | Not Set | Not Set | Not Set | Not Set | Not Set | Not Set | Not Set |
| - Guest | Inherited (= Not Allowed) | Inherited | Inherited | Inherited | Inherited | Inherited | Inherited | Inherited | Inherited | Inherited |
| - Registered | Allowed | Inherited (= Not Allowed) | Inherited | Inherited | Inherited | Inherited | Inherited | Inherited | Inherited | Inherited |
| -- Author | Inherited (= Allowed) | Inherited (= Not Allowed) | Inherited | Inherited | Inherited | Allowed | Inherited | Inherited | Inherited | Allowed |
| --- Editor | Inherited (= Allowed) | Inherited (= Not Allowed) | Inherited | Inherited | Inherited | Inherited | Inherited | Allowed | Inherited | Inherited |
| ---- Publisher | Inherited (= Allowed) | Inherited (= Not Allowed) | Inherited | Inherited | Inherited | Inherited | Inherited | Inherited | Allowed | Inherited |
| - Manager | Inherited (= Allowed) | Allowed | Allowed | Inherited | Inherited | Inherited | Allowed | Inherited | Inherited | Inherited |
| -- Administrator | Inherited (= Allowed) | Inherited | Inherited | Inherited | Allowed | Inherited | Inherited | Inherited | Inherited | Inherited |
| - Super Users | Inherited (= Allowed) | Inherited | Inherited | Allowed | Inherited | Inherited | Inherited | Inherited | Inherited | Inherited |



Actions:

Site Login: Login to the frontend
Admin Login: Login to the backend
Offline Access: Access to the site while offline
Super User: Grants the user "super user" status. All rights, no restrictions
Access Administration: Open the component manager screens (User Manager, Menu Manager, Article Manager, and so on)
Create: Create new objects (for example, users, menu items, articles, weblinks, and so on)
Delete: Delete existing objects
Edit: Edit existing objects
Edit State: Change object state (Publish, Unpublish, Archive, and Trash)
Edit Own: Edit objects that you have created.

Groups:

Public: Top-level element and parent of all following elements. Every setting is "Not Set": everything that is not explicitly allowed is "Not Allowed". If a setting were "Denied", it would be inherited by all child elements without the possibility of changing it to "Not Set" or "Allowed"; "Denied" cannot be overwritten, except for "Super Users".
Guests: This is a 'child' group of the Public group and has everything set to 'Inherited'.
Registered: Parent element is "Public"; all settings are "Inherited", except "Site Login". Can read articles, menus, ... which have been given Registered permissions; no back-end permissions.
Author: Parent element is "Registered"; for the settings, see the table. An Author is allowed to write articles and edit his own articles; no back-end permissions.
Editor: This is a child of the Authors group and adds the Edit permission; no back-end permissions.
Publisher: This is a child of the Editors group and adds the Edit State permission; no back-end permissions, maximal front-end rights.
Manager: Child of the Public group. A member of this group can do everything in the front and back end of the site except change Global Permissions and Component Options.
Administrator: Child of the Manager group. Members of this group can, by default, access the Options screens for each component.
Super User: All rights, no restrictions; is allowed to do everything.
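
The inheritance rules above can be checked with a small model. The following is an added example, not Joomla code and not part of the original page: it takes the explicit settings of the front-end groups and Super Users from the table, assumes the parent of each group from the table's nesting, and computes the calculated setting, including what happens when a parent is set to "Denied". The function names are hypothetical.

```python
ALLOWED, DENIED = "Allowed", "Denied"  # an absent action means "Not Set"/"Inherited"

# group -> (parent, explicit settings), taken from the permission table on this page.
# Only the front-end chain and Super Users are modelled.
GROUPS = {
    "Public":      (None,         {}),
    "Guest":       ("Public",     {}),
    "Registered":  ("Public",     {"Site Login": ALLOWED}),
    "Author":      ("Registered", {"Create": ALLOWED, "Edit Own": ALLOWED}),
    "Editor":      ("Author",     {"Edit": ALLOWED}),
    "Publisher":   ("Editor",     {"Edit State": ALLOWED}),
    "Super Users": ("Public",     {"Super User": ALLOWED}),
}

def chain(groups, group):
    """Path from the top-level group (Public) down to `group`."""
    path = []
    while group is not None:
        path.append(group)
        group = groups[group][0]
    return path[::-1]

def resolve(groups, group, action):
    """Walk the chain: "Denied" anywhere wins, otherwise any "Allowed" counts."""
    result = None
    for name in chain(groups, group):
        value = groups[name][1].get(action)
        if value == DENIED:
            return DENIED
        if value == ALLOWED:
            result = ALLOWED
    return result

def is_allowed(groups, group, action):
    """Calculated setting; never set anywhere in the chain means Not Allowed."""
    if resolve(groups, group, "Super User") == ALLOWED:
        return True  # super user status: all rights, "Denied" does not apply
    return resolve(groups, group, action) == ALLOWED

def with_setting(groups, group, action, value):
    """Copy of `groups` with one explicit setting changed (for what-if checks)."""
    changed = {g: (parent, dict(s)) for g, (parent, s) in groups.items()}
    changed[group][1][action] = value
    return changed

if __name__ == "__main__":
    denied = with_setting(GROUPS, "Registered", "Create", DENIED)
    for g in ("Author", "Publisher", "Super Users"):
        print(g, "Create:", is_allowed(GROUPS, g, "Create"), "->", is_allowed(denied, g, "Create"))
```

Setting "Create" to "Denied" on Registered removes it from Author, Editor and Publisher even though Author sets it to "Allowed"; only Super Users keep it.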

One can administer the Permission Settings for every component in the same way.


View Access Levels:

Don't mix up "User Groups" and "Access Levels"!

Public:
no additional viewing permissions, no rights, access to everything assigned to "Viewing Access Level: public"
A visitor may find this website through a search engine or a link from another site.
Guest: same viewing permissions as "public"; can be used to show content exclusively to users who are not logged in
Registered: A visitor may register himself. "Viewing Access Level: public and registered"
A Registered User cannot do anything. She/He has additional access to parts of the website categorized as "registered".
Special:
permissions for maintaining the website "Viewing Access Level: public, registered, Author, Editor, Publisher, Manager, Administrator and Super Users"


Example: Allowing Guest-Only Access to Menu Items and Modules


Example: "register to read more"
=> Articles
Options for Menu Link: Status = published, Access = public, Show Unauthorised Links = Yes (as a result, the intro text of all Articles assigned to "Registered" will be shown to everyone with a link "register to read more")

See additionally: Access Control List Tutorial

 
