You may have seen my diagram describing this around the internet:
Users
Users are the easy part to understand. Users are you, your friends, your colleagues, and everyone with the ability to access your website. In Joomla 1.6, even those without a login are considered users.
Users are created via the Create New User screen in Joomla. They can be assigned to user groups. Unlike Joomla 1.5, users may belong to multiple user groups if desired.
User Group
A user group is a group of users, plain and simple! The group is comprised of the users assigned to it. Core permissions are also assigned to the user group. All users within a user group are treated equally in regards to permissions. If you want a user to have different permissions than other users, then you would assign that user to their own group.
Core Permissions
Core permissions are assigned to the user group and allow users to perform specific tasks. All users within the user group share the same settings.
These tasks include:
- Site Login: This permits a user group to log into the front end of the website.
- Admin Login: This permits a user group to log into the back end of the website.
- Super Admin: This permission overrides all other settings for a given group. If the Super Admin permission is present, this group can perform any action to any content anywhere on the website. This also permits access to the Global Configuration.
- Access Component: Allows modifying component, template, plugin, and module settings and configuration.
- Create: Ability to create new content.
- Delete: Ability to delete content from the trash.
- Edit: Ability to edit any content anywhere on the website.
- Edit State: Publish or unpublish content, or move content to the trash.
- Edit Own: Edit the user’s own content.
Note that the ability to view specific content on the front end (also called a “read” permission in other CMSs) is NOT included in the core permissions. Reading is configured in a separate system.
Core permissions may be set to one of three states: Allow, Deny, or Inherit.
- Allow means a certain action is allowed.
- Deny means an action is denied. Furthermore, deny is inherited, and it cannot be overridden at a higher level.
- Inherit means the state is inherited from lower level groups.
Public is the bottom level user group. By default, the public group has no state set on any core permission. This acts as a deny, but it’s a deny that can be overridden at higher inheritance levels.
Public is the parent for all user groups, and this group cannot be deleted.
Access Levels
Access levels (also called “viewing access levels” in some places in the Joomla administrator interface) control who sees what content on the front end of the website. This is a separate but parallel system to the other permissions.
By default, Joomla has three access levels: Public, Registered, and Special. Public content may be viewed by anyone without a login. Registered content may be viewed with a login only. Special content is content viewed by Authors and higher level user groups.
Remember that these default access levels correspond to the default user groups. You may delete any access level (except public), and you may assign or remove user groups from any of these levels.
Access levels do not inherit their permissions. If you have an article, and you set it to be viewable by publishers only, then only those users in the publisher user group may view it. Even super users cannot view that article! (However, as a super user, you are able to edit this article on the back end.)
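As an added example (not from the original post, and not Joomla's own code), here is a small Python model of the two systems described above: core permissions resolved along a group chain with the Allow/Deny/Inherit rules, and viewing access levels as plain group membership with no inheritance. The group tree, action names and level assignments are constructed for the example.

```python
ALLOW, DENY = "allow", "deny"   # a missing entry means Inherit (no state set)
# Constructed group tree for the example: child -> parent, Public is the root.
GROUP_PARENT = {
    "Public": None, "Registered": "Public", "Author": "Registered",
    "Editor": "Author", "Publisher": "Editor", "Senior Publisher": "Publisher",
    "Super Users": "Public",
}

# Constructed core-permission settings per group (action names are illustrative).
GROUP_RULES = {
    "Public": {},                                   # nothing set: soft deny
    "Registered": {"login.site": ALLOW},
    "Author": {"create": ALLOW, "edit.own": ALLOW},
    "Editor": {"edit": ALLOW},
    "Publisher": {"edit.state": ALLOW, "delete": DENY},
    "Senior Publisher": {"delete": ALLOW},          # cannot undo the parent's Deny
    "Super Users": {"super.admin": ALLOW},
}

def resolve(group, action):
    """Walk the chain from Public down to `group`: Deny anywhere is final, Allow
    holds until a Deny appears, and no state on the whole chain is a soft deny."""
    if action != "super.admin" and resolve(group, "super.admin"):
        return True                     # Super Admin overrides every other setting
    chain, g = [], group
    while g is not None:                # collect group, parent, ... Public
        chain.append(g)
        g = GROUP_PARENT[g]
    allowed = False                     # no state set == soft deny
    for g in reversed(chain):           # Public first, the requested group last
        state = GROUP_RULES.get(g, {}).get(action)
        if state == DENY:
            return False                # explicit Deny is inherited and final
        if state == ALLOW:
            allowed = True
    return allowed

# Constructed viewing access levels: each level lists its groups explicitly,
# because access levels do not inherit through the group tree.
ACCESS_LEVELS = {
    "Public": {"Public"},
    "Registered": {"Registered"},
    "Special": {"Author", "Editor", "Publisher", "Senior Publisher"},
    "Publishers only": {"Publisher"},
}

def can_view(user_groups, level):
    """Plain set membership: one of the user's groups must be on the level; Super Users get no exception."""
    return bool(set(user_groups) & ACCESS_LEVELS[level])
```

Note that a Deny placed on Publisher cannot be undone by the Allow on its child group, while the Super Admin permission short-circuits every other check, exactly as the core permission rules above describe.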
OK, got it!
Now that you have the overview of the four parts of ACL, including users, user groups, core permissions, and access levels, you’re ready to start with an example of how to configure ACL for common problems. I’ll cover some of these in coming posts.