How to Access Control Lists (ACL) in Magento 2
Magento 2 Admin ACL panel use an authentication system and a robust system for create Access Control List Rules (ACL) which allows a store owner to create fine grained roles for each and every user in their system. In this article, we will find how it work and how to add ACL for our custom module.
Magento 2 Access Control List Rules
The Magento 2 Admin ACL resources are visible under the Magento 2 admin System > Permissions > User Roles
area. When we click on the Add New Role button or access to a role, you will see the page look like:
In this resources tab, you can see a tree-list of all the available resources in your system. You can choose all Resource or some of them for this role and select the user for this role in Role Users tab. All of the user who belong to this role will be limit access to the resource which you choose. They cannot see and access to other one.
To Create Admin Admin ACL
Step 1: Create ACL rule
Now, we will see how to add our module to ACL role. We will use a previous simple module HelloWorld to do this. As in the Admin Menu and System Configuration article, you saw that we alway have a resource attribute when create it. Now we will register that resources to the system, so Magento can realize and let us set a role for them.
To register the resource, we use the acl.xml file which located in app/code/{namespace}/{module}/etc/acl.xml
. Let’s create this file for our simple Module:
File: app/code/Mageplaza/HelloWorld/etc/acl.xml
Contents would be:
<?xml version="1.0"?>
<config xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:noNamespaceSchemaLocation="urn:magento:framework:Acl/etc/acl.xsd">
<acl>
<resources>
<resource id="Magento_Backend::admin">
<resource id="Mageplaza_HelloWorld::helloworld" title="Hello World" sortOrder="51">
<resource id="Mageplaza_HelloWorld::post" title="Posts" sortOrder="10"/>
<resource id="Mageplaza_HelloWorld::helloworld_configuration" title="Configuration" sortOrder="99" />
</resource>
<resource id="Magento_Backend::stores">
<resource id="Magento_Backend::stores_settings">
<resource id="Magento_Config::config">
<resource id="Mageplaza_HelloWorld::helloworld_config" title="Hello World"/>
</resource>
</resource>
</resource>
</resource>
</resources>
</acl>
</config>
Our resource will be placed as child of Magento_Backend::admin
. Each resource will have an Id, title and sortOrder
attribute:
- Id attribute is the identify of this resource. You can use this when define resource in Admin menu, configuration and limit access to your module controller. This is a unique string and should be in this format: Vendor_ModuleName::resource_name.
- Title attribute is the label of this resource when showing in resource tree.
- sortOrder attribute define the position of this resource in tree.
After this done, please refresh the cache and see the result on resource tree
Step 2: Flush Magento cache
Make sure it admin menu items are displayed on Magento 2 admin, you should try to flush Magento 2 cache.
Step 3: Check ACL rule
There are some place where we put the ACL resource to make it limit the access:
Admin menu: Put the ACL resource to hide the menu if it’s not allowed by store owner.
File: app/code/Mageplaza/HelloWorld/etc/adminhtml/menu.xml
<add id="Mageplaza_HelloWorld::helloworld" title="Hello World" module="Mageplaza_HelloWorld" sortOrder="51" resource="Mageplaza_HelloWorld::helloworld"/>
System configuration: Put the ACL resource to limit access to this section page.
File: app/code/Mageplaza/HelloWorld/etc/adminhtml/system.xml
<section id="helloworld" translate="label" sortOrder="130" showInDefault="1" showInWebsite="1" showInStore="1">
….
<resource>Mageplaza_HelloWorld::helloworld_configuration</resource>
….
</section>
We will use Mageplaza_HelloWorld::helloworld_configuration
in Magento 2 How to Create System.xml Configuration
With resource it also use on controller.
In admin controllers: Magento provides an abstract type Magento\Framework\AuthorizationInterface
which you can use to validate the currently logged in user against a specific ACL. You can call that object by use the variable: $this->_authorization
. In the controller, you have to write a protected function to check the resource:
Example:
File: vendor/magento/module-customer/Controller/Adminhtml/Index.php
protected function _isAllowed()
{
return $this->_authorization->isAllowed('Magento_Customer::manage');
}
Admin Permissions for Magento 2
Customize backend access based on business needs and requirements
Learn moreRecommend
- How to create a simple Hello World module for Magento 2
- Magento 2 Block Template Ultimate Guides
- How to Create Module in Magento 2
- How to Create Controller in Magento 2
- How to create CRUD Models in Magento 2
- How to Create Magento 2 Block, Layout and Templates
- Configuration - System.xml
- How To Create Admin Menu In Magento 2
- Admin Grid
People also searched for
- Magento 2 Admin ACL
- magento 2 acl
- role resource tree not displaying in magento2
- magento 2 admin acl menu
- magento 2 acl adminhtml.xml
- magento 2 admin controller acl
- magento 2 admin acl
- magento 2 adminhtml xml acl 2
- magento 2 acl.xml
- acl.xml magento 2
- magento 2 acl example
- acl magento
- magento acl
- acl.xml
- 2.3.x, 2.4.x