Make A Component Accessible By Only One Administrator in Back End

[crave81]

Hello,

I have a Joomla 3.8 site with several super administrator users. I would like to make one of my components accessible by only one super admin. How can I achieve this?

Thanks

[waarnemer]

You cannot deny access rights to super admins as far as I know...

But you can do this:

Leave one super admin group and create sub admin groups below.
A sub admin group without the component but with access to all of the rest. (all w/o the component)
A sub admin group with the specific access rights for your component. (all)

Assign the members to these groups.

[crave81]

OK nice idea. I will try that and report back how it works. Thanks!

[Webdongle]

...
Leave one super admin group and create sub admin groups below.
A sub admin group without the component but with access to all of the rest. (all w/o the component)
A sub admin group with the specific access rights for your component. (all)
...

That will not work

But this will

1. Create a new user group with 'Registered as Parent
2. In Global config Permissions Allow (for the new user group) 'Administrator Login'
3. In the specific Components Options >>> Permissions Allow the access (edit etc.) that you want for the user group
4. Select that user in the 'Special' view/access level

#1 Inherits login front end
#2 Allows admin login
#3 Allows the access (edit etc.) to that Component only for that user group
#3 Allows members of that user group to see the menu item (or items if you have allowed access to more than one component.

[crave81]

OK thanks for the reply webdongle. I will try that instead and report back shortly.

[Webdongle]

And any other new user group that you create with the first new user group as Parent ... will inherit the Permissions of that first user Group. So if you wanted one group to Edit own then another to Edit as well ... then the first new group you would select edit own.

Addendum
Although Permissions are inherited (from the Parent user group) access/view levels are not. So if you wanted (logged in) members of the new user group to see Registered menu items in the front end ... then you would need to select the new user group in the 'Registered' view/access level.

[waarnemer]

@webdongle then that has changed somewhere over time as I am sure this used to work (though it has been a long long time ago I did use this) and actually by the explanation in the back end (somewhere below the permissions settings) it is stated:

Denied means that no matter what the parent group's setting is, the group being edited can't take this action.

[Webdongle]

@waarnemer
The OP wants one user group to have access to one Component. The way you suggested requires giving full access to all Components then 'hard' denying access to all but one. This means that every time a Component is added then it must be Denied also. That is not flexible. Also you missed the step of adding the user group to the 'Special' view/access level.

The method I suggested uses a 'soft' deny (by default) and allows flexibility.

[waarnemer]

As I read it it is the other way round.
Super admin group 1 needs access to all but one component,
Super admin group 2 need access to all.

Users that do not need access to the specific component made members of group 1.
User that does need access made member of group 2.

It is hard denying only one.

However it does not work as I knew from "way past ago".
Now also the lock is inherited keeping the "calculated" to the orginating super user. Though the setting can be saved for the child as denied.

Also I noticed this "SuperUser" option in the permissions list. Set to allow and save.. Now this group inherits the super user permissions.. but still one and all is locked for overrides to it.
When browsing through the component permission sets, calculated settings do not match the real.

It should not inherit the lock.

It seems to me that when made child of "registered" you need to stay away from option "Super User allowed" and then allow each component to the group manually and you have to do that each new component installed.

But if current is like that... it simply is the only way... but..


.. There is another catch though... as I was browsing through several components in the sites config, I noticed not all have the right permission options to actually make it block or appear in the administrators view. ("access administrator interface")

(samples in my lab: chronoforms lacks the option "access administrator interface", j2xml has no options at all, cannot make them visible to the children of "registered")

So either way, it seems to depend on the extension if you actually can set the appropriate permissions...
Come to think of it, should this "access administrator interface" not be a default part of any component?

[Webdongle]

It should not inherit the lock

If a Permission is 'Denied' then a child group inherits that and it can not be set Allowed. It is a HARD deny.

I noticed not all have the right permission options to actually make it block or appear in the administrators view. ("access administrator interface")

That has nothing to do with Permissions ... it is because the Admin menu is in the 'Special' view/access level. in addition to that if you Allow 'access administrator interface' then you have to individually Deny access to all but one Component.

j2xml has no options at all, cannot make them visible to the children of "registered"

Here is an example of where your confusion is. Permissions do not control what (members of) a user group sees. Permissions allow (or disallow) what (members of) a user group can do not what they can see. That might sound sheldonesqe but it is an important distinction. If ever you come to understand that distinction then you will realise why your approach is incorrect.

As for j2xml there is no need to set it to allow Edit etc. because it should only be accessed by a user that has full control over the backend. To limit a user group to just j2xml would not give it access to Articles or anything else. So to allow (members of) a user group only access to j2xml but not Categories, Users etc. then you have a paradox ... A user without Permission to edit users or content would be using a Component that Permits the user to do things that they don't not have Permission to do.

The method I posted is the correct method. You start with the lowest Permissions needed in Global config and add Permissions further down the tree.

[waarnemer]

Here is an example of where your confusion is. Permissions do not control what (members of) a user group sees. Permissions allow (or disallow) what (members of) a user group can do not what they can see. That might sound sheldonesqe but it is an important distinction. If ever you come to understand that distinction then you will realise why your approach is incorrect.

I already declared my approach as "cannot do". I only mentioned In the past it could. I also mentioned that setting the available "Super User" action to allowed doesn't make it work also.
So we are left with your approach as being the only viable solution.

And the way I distinct what one can see and do is fine as ever.

What one can see is defined in accesslevels.
A group needs to have viewing access to an access level assigned.
A group needs members assigned.
Access level is assigned to a module (ie. in admin interface)

What one can do is tied to permission set actions.
Actions set to allowed, denied or inherited.
Inherited is value of parent.

Action "Access Administration Interface" set allowed, does allow someone to actually access but also see the component. Setting denied hides but also prevents access. So there some distinct overlaps.

That all is clear....

This setting also is in Global Config. Making the rest of it inherit the value.
If it is there I can toggle between inherited/allowed/denied. If I set it to denied in globals I can allow it in the component config. And the other way round...

Expected behaviour and this works.

Now it becomes unclear...

A component missing action "Access Administration Interface" cannot be controlled by this.
Ie. I cannot make Chronoforms available to a user that is member of a group that has this set to "denied" in global config.
I cannot make it unavailable to a group that has this action set to allowed in globals.
This is just a sample, I can imagine much more components lacking this action in permissions tab. One of the WOW! factors of Joomla is this ACL. Making it enterprise ready CMS. So for larger groups of people working on a site joomla! is awesome.

Therefore my question, shouldn't components not at least have the "Access Administration Interface" action in the config?

Would you know what would be the purpose of action "Super User" in globals? If set to allowed it becomes same as true super user. One cannot override. Which makes it similar to creating a child with parent super user. That is confusing indeed.
Maybe Super User action or a child to Super User should not inherit the lock?

[Webdongle]

This setting also is in Global Config. Making the rest of it inherit the value.
If it is there I can toggle between inherited/allowed/denied. If I set it to denied in globals I can allow it in the component config. And the other way round..

Now that is where you are party incorrect.

#1
If
'Allowed' is set in Global config
Then
that is inherited and can be Denied further down the tree

#2
If
not allowed (inherited) is the setting
that is inherited and can be Denied further down the tree ... it is a 'soft' Deny

#3
But (and this is the error in your statement.
If
'Denied' is set in Global config
Then
that is inherited and can NOT be changed further down the tree ... it is a 'Hard' Deny

denied 01.JPG

denied 02.JPG

In the OP's request was access to only one component therefore:
#1 Gives more Permissions than needed while #3 prevents for all components. That is why creating the group with 'Registered' as Parent (and just adding Admin Login) is the correct method.

[andy fev]

Crikes that's a lotta effort. I use a plugin called SU control to keep my super users out of specific pages. I just add the page URLs that are not allowed to view and they are redirected to the dashboard. And it is free http://cmsenergizer.com/extension-direc ... er-control

dowloadedimage.jpg

[waarnemer]

#3 ah yes indeed.. I missed that "denied" vs "denied (inherited)". Stupid me.

But OP wants one user to have access to ALL and the rest to All minus one component. Which still is impossible when that component has no settings of its own....

At least that is what I read from the wording "super admin" in the post from OP:

I have a Joomla 3.8 site with several super administrator users. I would like to make one of my components accessible by only one super admin.

As long as it is a component with the "Access Administration Interface" action it will work.

[waarnemer]

@andy that is a workaround which still shows the links to these pages, right? And it is not in the JED? Why?

[Webdongle]

@andy fev
Using that plugin is even more work because you have to add all but one Component to fulfill the OP's requirements. There can also be a security risk when using extensions that alter the way Joomla's ACL operates. Not saying that extension is risky but care must always be taken when choosing extensions especially of that sort.

[andy fev]

I don't think the plugin alter Joomla's user system. In fact when I view the coding, it was a wee 14 lines of working code. It seems to just create an array of user id and compare the viewing user then redirect the user if the page they can't view is in another array.

What I do know is that it works very well for my purpose. I have to allow potential clients super user access periodically to demonstrate what I am offering, and the plugin lets me block them from any configuration area or installer. Yes I have to add urls, but it can be just a matching word like 'com_installer', com_users etc.

From what I understand in the Op post, is that he just wants to block a single component from other super users. This would be quite simple. I tried to do that group setup and I went batty with confusion.

[Webdongle]

...
From what I understand in the Op post, is that he just wants to block a single component from other super users. ...

Nope the exact opposite The OP want's to allow access to one Component not block one.

...
I have a Joomla 3.8 site with several super administrator users. I would like to make one of my components accessible by only one super admin. How can I achieve this?...

.... I tried to do that group setup and I went batty with confusion.

Add a user group with Registered as Parent
Add the user group in the 'Special' view/access level
In global config allow the user group to login admin
In a Components options Permissions (if edit ect. needed) allow for that user group
You find difficult?

I have seen many of your posts and you appear more than capable of understanding that. Maybe I am underestimating how clever I am but using Joomla's ACL is child's play.

[andy fev]

You find difficult?

I have seen many of your posts and you appear more than capable of understanding that. Maybe I am underestimating how clever I am but using Joomla's ACL is child's play.

I see clarification is required. It's not "difficult" to set groups, It was uneccessarily confusing. A group had to setup, then set permissions per extension. For what I needed (which seems to be what this post's OP wants), it was just too much effort. With the plugin I can see everthing on the single page and I wanted to completely block access to the page. Also I am not limited to any group. As long as I add the user ID for any backend user, they can't see the page. The ACL method is great for configuring specific permission actions.

@andy that is a workaround which still shows the links to these pages, right? And it is not in the JED? Why?

Yes the menu is still visible but when clicked, the restricted user is redirected to the admin home. I don't know that the plugin is not listed at JED. I found it in July via a facebook ad about a Joomla audio player module which appeared on my wall. I went to the page and while viewing the list, I spotted the plugin information. https://www.facebook.com/joomla.extensi ... &__tn__=-R

[Webdongle]

Joomla's ACL is not complicated ... it is only as complex as the site owner's needs for various levels.

[waarnemer]

Joomla's ACL is not complicated ... it is only as complex as the site owner's needs for various levels.

Totally agree... if you want to see some complex ACL... check out Adobe AEM.... "checkboxes festival"