Give a group access to a single component in the back end

Moderators: mandville, PhilD, General Support Moderators

scousejohno
Joomla! Enthusiast
Joomla! Enthusiast
Posts: 136
Joined: Mon Oct 13, 2008 10:54 am
Location: Liverpool
Contact:

Give a group access to a single component in the back end

Postby scousejohno » Tue Sep 11, 2012 1:38 pm

Hi All,
I need to create a group which can access a booking component within the back end of Joomla 2.5. I really do not want them to have visibility of any other settings at all as based upon past history they like to break thing’s :eek:

Is this achievable with 2.5, as the last time I was in this scenario I had to resort to Juga? If it is achievable could somebody point me towards a resource were I can read and then implement my requirements.

Many thanks in advance!

User avatar
rcarey
Joomla! Explorer
Joomla! Explorer
Posts: 469
Joined: Sat Apr 25, 2009 9:20 pm
Location: Minnesota (USA)
Contact:

Re: Give a group access to a single component in the back en

Postby rcarey » Tue Sep 11, 2012 3:15 pm

Yes, 2.5 provides the settings to do this. You create a new user group that grants just the permissions/access needed and then whoever is assigned to this group has those permissions. As long as you don't add the user to other backend groups, the only access the user has is just what's needed to mange the component. Here is a quick how-to:

  • Create a new user group. Choose a name similar to the component and set its parent to Public.
  • Go to GlobalSettings->Permissions, open up the permissions for this new group, "allow" the permission "Admin Login." this allows the user to login
  • Go to Access Levels, edit "Special," and add this group to the Special access Level. The admin menu is shown only to those under the access level Special.
  • Go to the component, open up its options and go to Permissions. Open up the new group to see the permissions assigned to this group. Add the permissions you want to give to this user. If this component does not provide permissions, you can use the extension ACL Manager to add the basic permission of accessing/editing the component.

That should be it. Report back with your results.
Randy Carey, the iCue Project http://iCueProject.com : developing an intelligent approach to improving the CMS user experience,
Careytech Studios http://careytech.com custom development for tailored or value-added web solutions

bbolli
Joomla! Explorer
Joomla! Explorer
Posts: 455
Joined: Fri Nov 11, 2011 9:43 pm
Location: Chicago, IL

Re: Give a group access to a single component in the back en

Postby bbolli » Tue Sep 11, 2012 3:17 pm

Absolutely possible and something I've implemented as well for the similar reasons! :D

Now, first however, a little clarification; Access View Levels control whether or not a an individual can view an item in the front end. Access View Levels consist of one or more groups. However, when it comes to back-end component permissions you assign those using groups.

For example, in back-end; go to Components > Banners. Once in the Banner Manager: Banners screen, click the Options button in top right. Then in modal window select Permissions tab. Here is where the magic happens, and to accomplish what you want you must deny access to the user groups who shouldn't be allowed to see these items. In other word, to limit regular users to only a particular component, you must deny them ALL permissions for all the other administrator menu items they are *not* supposed to see. Once done, when a user in the group logs into the back-end, they'll only see the menu options for the component you wish.

Does that make sense?

User avatar
rcarey
Joomla! Explorer
Joomla! Explorer
Posts: 469
Joined: Sat Apr 25, 2009 9:20 pm
Location: Minnesota (USA)
Contact:

Re: Give a group access to a single component in the back en

Postby rcarey » Tue Sep 11, 2012 3:41 pm

@bbolli,

When using a role-based approach, I have yet to have the need to use "deny." By using "deny" you can get unexpected results if a user belongs to multiple groups (as was the cause in this posting: http://forum.joomla.org/viewtopic.php?f=673&t=747494). Another problem arises when a new component is added (which might require one to add a deny - but will you remember for each extension added?).

Right now I'm leaning toward the notion that the use of "deny" suggests a compromised design of the user group hierarchy. I'm still waiting to see if I'll ever need it. ...Test the solution I suggested and see what you think.
Randy Carey, the iCue Project http://iCueProject.com : developing an intelligent approach to improving the CMS user experience,
Careytech Studios http://careytech.com custom development for tailored or value-added web solutions

Fat_terry
Joomla! Apprentice
Joomla! Apprentice
Posts: 13
Joined: Tue Jun 15, 2010 10:19 am

Re: Give a group access to a single component in the back en

Postby Fat_terry » Tue Sep 11, 2012 11:34 pm

Ive been reading this thread, and it all makes sense thankyou.

However, if my single back-end component to which I require restricted access happens to be the User maintenance component (which in my case it is :-) ) , am I right in saying :

    a back end user can alter their own group membership and so add whatever access they like for themselves, save super. This would only not be true if I have no other groups available, which would be highly unlikely as it is more likely I want several groups with different permissions.

    they can still access any extension components from the drop down menus and do what they like. The exception, of course, would be for components which integrate into the ACL system.

Im hoping Ive missed something here, but as I understand the User management component is unique in that it implies (indirect) access to all other back end functions, even though you might think otherwise from appropriately restricted settings of the ACL mechanism.

User avatar
rcarey
Joomla! Explorer
Joomla! Explorer
Posts: 469
Joined: Sat Apr 25, 2009 9:20 pm
Location: Minnesota (USA)
Contact:

Re: Give a group access to a single component in the back en

Postby rcarey » Wed Sep 12, 2012 5:07 am

Terry,

You are correct to recognized that the role of user management is a special type of role. In the study of access control (throughout information systems, not just Joomla), this area receives special attention. It is assumed that management of users is confined to a very few (perhaps to just one person) and that this person must hold a level of trust.

In your case, it seems you want someone in this role to assign only other role-based groups and not administrator. If this is true, then your highest level "user manager" is really the administrator because this "role" has more authority. And if you are not going to use the administrator role except for super admin, then just get rid of it. (seriously!)

Anyway, it is true that in out-of-the-box Joomla, one assigned to the user manager has the ability to assign anyone (including him/herself) to any role/group except super administrator. ...and that this gives that user the ability to escalate his/her own set of rights. Again, this comes down to some level of trust. But if you want the person to be limited as to what he/she can assign, you can do this...

When out-of-the-box ACL does not offer a fine enough level of access control, look to see what you can do by overriding a view file. In the case of the user management, consider overriding this file:
/administrator/components/com_users/views/user/tmpl/edit_groups.php
this is a short file that lists all the groups in the array $this->groups. You can add logic here that removes groups from the array if the current user does not have the right credentials. For example you can do this: show all groups if the user is an admin or a super admin, otherwise, strip out the groups manager, administrator. The result will be that the role "user management" will have only a subset of the available groups which he/she can assign to others (including to him/herself). And you can even add the logic within the overriding file so that the any one assigned to user management will not be able to see any groups for his/her own profile! Its code, so you can do what you want - it just depends upon your business rules.

Keep in mind that if you implement a role-based system, you probably can just delete Manager and Administrator - keeping only Super (for yourself as developer and perhaps for the owner of the site). If you do this, most of what you are concerned about is resolved.

Going to your second point... No - the user manager cannot see all the components from the menu - at least not with just the role of user manger. Any user assigned to role-based groups has access only to those components associated with each role. The admin menu is smart enough to manage this, but even here - you can override the admin menu to add additional logic as to what might be suppressed based upon the group membership of a user.

This line of discussion is a bit off of the original topic, but it is a fair point you raised.
Randy Carey, the iCue Project http://iCueProject.com : developing an intelligent approach to improving the CMS user experience,
Careytech Studios http://careytech.com custom development for tailored or value-added web solutions

scousejohno
Joomla! Enthusiast
Joomla! Enthusiast
Posts: 136
Joined: Mon Oct 13, 2008 10:54 am
Location: Liverpool
Contact:

Re: Give a group access to a single component in the back en

Postby scousejohno » Wed Sep 12, 2012 9:34 am

Many thanks for the informative replies, i shall implement today :)

scousejohno
Joomla! Enthusiast
Joomla! Enthusiast
Posts: 136
Joined: Mon Oct 13, 2008 10:54 am
Location: Liverpool
Contact:

Re: Give a group access to a single component in the back en

Postby scousejohno » Wed Sep 12, 2012 2:03 pm

Followed the advice and had to resort to using the commercial ACL Manager extension as the component which required the access did not have its own permissions etc. Everything working as expected apart from one or two niggles around objects etc.

Thanks again for the suggestions :)

Fat_terry
Joomla! Apprentice
Joomla! Apprentice
Posts: 13
Joined: Tue Jun 15, 2010 10:19 am

Re: Give a group access to a single component in the back en

Postby Fat_terry » Wed Sep 12, 2012 10:59 pm

rcarey wrote:When out-of-the-box ACL does not offer a fine enough level of access control, look to see what you can do by overriding a view file. In the case of the user management, consider overriding this file:
/administrator/components/com_users/views/user/tmpl/edit_groups.php
this is a short file that lists all the groups in the array $this->groups. You can add logic here that removes groups from the array if the current user does not have the right credentials.

Thankyou for your reply and detailed info - exceptionally helpful. I think the above is the answer for me, so thanks for that. In my case I dont want to administer users as they join and leave the club for which Ive done the site, but I do need to retain additional admin rights. So your solution is perfect.
Going to your second point... No - the user manager cannot see all the components from the menu


Ah, imagine my surprise when I temporarily got this working through deny on admin (temporary solution!), when I now look the component dropdown is indeed not available just as you say! Obviously when I finally restricted to just the user management it vanished!, I get that now thankyou :) I should pay more attention before posting secondary questions to my main point.

But Im not sure I understand your comment "The admin menu is smart enough to manage this" - its still the case that when granted some level of access (Im not clear what just yet) then the component dropdown will be available. Once that is available isnt my original concern valid in that the back end user can then freely access any component on the dropdown UNLESS that component integrates with the ACL, which in my cases (oziogallery, remository and so on) it does not as far as I know? Or put another way your point is "only to those components associated with each role, providing the component integrates with the ACLHave I got this right, or am I still mistaken? (at least I get the point about user management now, code will come this week thanks :) )

This line of discussion is a bit off of the original topic, but it is a fair point you raised.

Yes my apologies for that, I wasnt sure if I should start a new thread, but the original question seemed so on topic it appeared to me as duplication if I did !! Should I repost, or have I messed it all up too badly for recovery !

Thanks again for your help in getting me (and doubtless others) to understand this better.

User avatar
rcarey
Joomla! Explorer
Joomla! Explorer
Posts: 469
Joined: Sat Apr 25, 2009 9:20 pm
Location: Minnesota (USA)
Contact:

Re: Give a group access to a single component in the back en

Postby rcarey » Wed Sep 12, 2012 11:46 pm

Thanks for letting me know you found the info helpful. I appreciate reading it.

The admin menu includes the ACL checks, so the only menu items and components that show up will be what the user has access to. If you are seeing more, I assume that somewhere you've given the user permissions. This can happen if you mix in role-based groups with some of the default level-based groups like manager or administrator. I think a lot of people are so used to thinking that the only way to access the backend is to make someone a manager, that they assume the all the permissions and access of the manager group is just part of getting into the backend. But so far, I don't see the need any longer for manager or administrator and I try to avoid using them. Instead, as the Super User I create groups with the needed backend permissions - nothing more than what the users need to accomplish their roles.

Do experiment with the ACL. Create some role-based groups. Create a "test" user and assign it to just that role. Login and see what that role shows in the backend and what it does not show. Refer to this article for a suggested approach to implement role-based groups: http://magazine.joomla.org/issues/Issue-Sept-2012/item/856-Implementing-Role-Based-ACL

I probably have yet to directly answer an important question you had... What about components that do not implement basic ACL. Well, they rely on some group providing permissions at the global/site level to edit, create, etc. These permissions are provided by the manager group, and the developer short-sightedly defers to these global permissions instead of providing permissions for his component. But as long as you are using role-based groups, not setting permissions at the global level, and not assigning the users to manager or administrator - these components will not show.

So if you use a role-based solution, the problem with components lacking basic ACL is not that they will show to everyone, but that they are inaccessible! So how do we make these components accessible where needed? The easiest solution I know is to invest in ACL Manager, as this tool has the ability to add basic ACL permissions to components that lack them. The other alternative is to add some code into the component - code that will be overwritten with an upgrade. So I always suggest one just buy the inexpensive subscription to ACL Manager. You might still want even finer-grained permissions, but at least you can get component-grained permissions, and that goes a long way in implementing role-based ACL.

Hope this provides the insights to alleviate the concerns you first had.
Randy Carey, the iCue Project http://iCueProject.com : developing an intelligent approach to improving the CMS user experience,
Careytech Studios http://careytech.com custom development for tailored or value-added web solutions

Fat_terry
Joomla! Apprentice
Joomla! Apprentice
Posts: 13
Joined: Tue Jun 15, 2010 10:19 am

Re: Give a group access to a single component in the back en

Postby Fat_terry » Thu Sep 13, 2012 2:51 am

Thaht all makes sense thankyou. I will go nd play further now, and armed with some knowledge will be able to make much better sense of it!

thanks again ...

User avatar
mojito
Joomla! Guru
Joomla! Guru
Posts: 684
Joined: Wed Sep 07, 2005 10:18 pm
Location: London
Contact:

My experience : Create a single new group called 'User Manag

Postby mojito » Tue Mar 12, 2013 12:22 pm

Not sure why this posted a new message anyway was meant for - viewtopic.php?f=673&t=749774 can a moderator do this for me ?

Objective: Create a single new group called 'User Manager' to allow backend acces purely show the user menu and not allow to elevate themselves past what they are...

@rcarey qt "Go to Access Levels, edit "Special," and add this group to the Special access Level. The admin menu is shown only to those under the access level Special."

when I do this the group seems to get FULL ACCESS like for an administrator

I didn't want to have to DENY for the reason stated above rather just add this component through its own permissions. So for me it doesnt seem to work. Adding special is the breaker which seems to add everything - but if this isnt there then I get a blank admin screen with NO menus - which looks better than full admin access.
Last edited by mandville on Wed Mar 20, 2013 6:28 pm, edited 1 time in total.
Reason: topics merged
Check out the 'bad toilet' online !

User avatar
rcarey
Joomla! Explorer
Joomla! Explorer
Posts: 469
Joined: Sat Apr 25, 2009 9:20 pm
Location: Minnesota (USA)
Contact:

Re: My experience : Create a single new group called 'User M

Postby rcarey » Wed Mar 20, 2013 3:59 am

The common suggestion is to add any group to the Special access level so that the main menu module will show. When I get a chance to explain why, I usually suggest that it is probably better to change the access level on the main menu module to Registered. That way, any user group with the permission to access the backend will also be registered and thus have access to the main menu - without having to add new user groups to Special. (Just go to modules manager, view the admin modules, edit the main menu module, and set the access level to Registered.

Does that help?

I suspect you have other admin modules that are set to the access level Special, so your user manager sees them as well as the main menu. If that is what you meant, then certainly, your best solution is to change the access level on the main menu module to Registered, rather than adding user manager to Special.
Randy Carey, the iCue Project http://iCueProject.com : developing an intelligent approach to improving the CMS user experience,
Careytech Studios http://careytech.com custom development for tailored or value-added web solutions

User avatar
mojito
Joomla! Guru
Joomla! Guru
Posts: 684
Joined: Wed Sep 07, 2005 10:18 pm
Location: London
Contact:

Re: My experience : Create a single new group called 'User M

Postby mojito » Wed Mar 20, 2013 1:10 pm

Thanks will investigate this idea -But quickly I dont like the dea of registered users being able to snoop by chance in /Administrator though.
Have you tried renaming this folder to secure it then doing as you say..
Check out the 'bad toilet' online !

User avatar
rcarey
Joomla! Explorer
Joomla! Explorer
Posts: 469
Joined: Sat Apr 25, 2009 9:20 pm
Location: Minnesota (USA)
Contact:

Re: My experience : Create a single new group called 'User M

Postby rcarey » Wed Mar 20, 2013 1:31 pm

I assume you are referring to the making the main menu module set to the Registered access level. This is a not a problem, as it will be displayed only to those you grant the permission to login to the backend.

If you want, you can create a new access level to be used just for the main menu module - and it would include only those groups that should see it. So you could add your user manager group to it, along with manager, administrator, and super. That way, the user manager sees the main menu in the backend, but not the other modules which are assigned to Super. But try setting main menu's access level to Registered first and I assume you will recognize that doing so does not expose the menu except to those who should see it.
Randy Carey, the iCue Project http://iCueProject.com : developing an intelligent approach to improving the CMS user experience,
Careytech Studios http://careytech.com custom development for tailored or value-added web solutions

User avatar
mojito
Joomla! Guru
Joomla! Guru
Posts: 684
Joined: Wed Sep 07, 2005 10:18 pm
Location: London
Contact:

Re: My experience : Create a single new group called 'User M

Postby mojito » Wed Mar 20, 2013 1:47 pm

Yes thanks I see your point and need to balance it with a legacy of group now a bit. Have you played with moving or renaming the administrator folder at all ? Just know you know your stuff so thought I could ask that of you. I know it is ultimately possible but comes at a price perhaps or upgrading time and for each component too. I dont feel its insecure but people with little idea do.
Check out the 'bad toilet' online !

User avatar
rcarey
Joomla! Explorer
Joomla! Explorer
Posts: 469
Joined: Sat Apr 25, 2009 9:20 pm
Location: Minnesota (USA)
Contact:

Re: My experience : Create a single new group called 'User M

Postby rcarey » Wed Mar 20, 2013 2:08 pm

I have not moved the admin folder. But I do know that Akeeba's Admin Tools (at least the pro version) allows one to add a short variable before one can login. For example, the default
mydomain.com/administrator
would bounce one to the home page. The Admin Tool can add the requirement that to reach the login screen one has to add some text as a URL variable. Something like this...
mydomain.com/administrator?qrs

The pro subscription of Akeeba does cost something, but one gets plenty of additional value from their pro tools. And I am willing to support quality developers who are providing valuable extensions and tools.

There are other techniques you can take to slow down hackers. One is to include a password on the administrator folder, and this means one has enter a valid username/password just to get to Joomla's admin login screen. Another approach is to set what IP addresses are allowed to access the admin portion of the site. ...So there are multiple ways to reduce the chance of someone breaking into your site.
Randy Carey, the iCue Project http://iCueProject.com : developing an intelligent approach to improving the CMS user experience,
Careytech Studios http://careytech.com custom development for tailored or value-added web solutions

User avatar
mojito
Joomla! Guru
Joomla! Guru
Posts: 684
Joined: Wed Sep 07, 2005 10:18 pm
Location: London
Contact:

Re: My experience : Create a single new group called 'User M

Postby mojito » Wed Mar 20, 2013 2:22 pm

Thanks for those tips - very useful indeed and agree about supporting the community of coders.
Check out the 'bad toilet' online !

n0Ob
Joomla! Apprentice
Joomla! Apprentice
Posts: 18
Joined: Fri Jan 11, 2013 5:26 pm

Re: Give a group access to a single component in the back en

Postby n0Ob » Sun Aug 04, 2013 6:36 pm

Thanks rcarey
now its real easy to give access to specific component/whatever to any user
you make my life so much easier! :)

antiriad73
Joomla! Fledgling
Joomla! Fledgling
Posts: 1
Joined: Thu Aug 08, 2013 2:36 pm

Re: Give a group access to a single component in the back en

Postby antiriad73 » Thu Aug 08, 2013 2:46 pm

Hi,
I read the thread with great interest, but I am still puzzled about my needs: my intention is to display in the backoffice administration only one single component (which by the way does not provide natively ACL options!). So should I create a group and assign to this group the access level "Special", and then hide everything except the desired component in the backoffice?

Also: if I need to enable only some features of this component (which does not provide natively ACL options) can I insert in the view php pages some code to allow visualization only by group/access level? There is some documentation about it?

Thank you!

User avatar
rcarey
Joomla! Explorer
Joomla! Explorer
Posts: 469
Joined: Sat Apr 25, 2009 9:20 pm
Location: Minnesota (USA)
Contact:

Re: Give a group access to a single component in the back en

Postby rcarey » Thu Aug 08, 2013 3:22 pm

antiriad,

It is unfortunate that some components do not provide ACL support. When I stumble upon one, I question if its developer is committed to quality and upgrades. So I tend to look for an alternative as well as let the developer know why I decided to look elsewhere.

But you still might be able to use the extension you otherwise want to use. The extension ACL Manager can inject two types of permissions (access, and abilty to configure) to components. That is my first approach. This is better than elevating users to a higher level.

But if you want more detailed actions or sections upon which you can provide permissions, you can forge a solution by adding some ACL checks within the layout file. I explained this approach here: http://magazine.joomla.org/issues/issue-mar-2013/item/1138-adding-access-control-through-overrides

That article might be covering a bigger picture than what you want right now. So as a short answer... Override the layout files that should have some restriction. Create or chose the groups that should have access to that particular screen. As one of the first lines of code, check the to see if a user belongs to a group that has access. If the user does not have access, invoke a simple "return;" statement so that the layout does not display. (Or you can post an error that says the user is not authorized.)

Without doing your "homework" for you, I expect that to be a workable approach - it is one that I've taken when needed.
Randy Carey, the iCue Project http://iCueProject.com : developing an intelligent approach to improving the CMS user experience,
Careytech Studios http://careytech.com custom development for tailored or value-added web solutions

DavidBoggitt
Joomla! Guru
Joomla! Guru
Posts: 785
Joined: Wed Jan 09, 2008 9:16 pm
Contact:

Re: Give a group access to a single component in the back en

Postby DavidBoggitt » Fri Aug 09, 2013 8:13 pm

Personally, I have the component Access Manager installed on all websites I build, to do exactly this in a very straightforward, painless way!
My website: http://www.davidboggitt.com/
Love and hate both devastate you, but at least love takes you to dinner first.

Fleder
Joomla! Apprentice
Joomla! Apprentice
Posts: 9
Joined: Tue May 12, 2015 6:13 am

Re: Give a group access to a single component in the back en

Postby Fleder » Tue Sep 08, 2015 7:13 am

EDIT:
Sorry for the inconvenience, i missed that this is the old joomla support thread.
I will ask in the current versions support forum.


I am sorry if i dig this up, but i am looking for solution to a similar problem, but could not find any help.
I read through this but if i missed something explaining how to achieve what i wanted to, please excuse me, because i am new to this and not quite familiar with this whole joomla rights management.

I have a website where i use a module to show the opening/business hours.
These change from week to week so the owner must be able to change the hours by himself.
The problem is, this module is only a module, not a component, so i can not give the owner (and his group) rights to view the backend (and only this module) to change its contents.

Is there any way (free preferred) to give a group the rights to change a modules contents if it is no component and has no front end editing function?

I took a look at M2C but could not figure out how this should work or make a module a component.

Sorry if i ask something that was already answered, i tried my best to look for an answer but could not find one.

thanks in advance and best regards
Mitch


Return to “Access Control List (ACL) in Joomla! 2.5”

Who is online

Users browsing this forum: No registered users and 2 guests