Access Control Lists (ACL) in Magento 2: Configuring Roles and Resources

Understanding ACL in Magento 2

In Magento 2, ACLs define which parts of the Magento admin panel a user can access based on their role. They help manage permissions for various resources, such as controllers, actions, and pages. ACLs ensure that only authorized users can perform specific tasks, thereby securing sensitive operations and data.

Key Concepts

  • Roles and Resources: Roles define what users can do, while resources specify the parts of the system they can access. Resources are mapped to specific parts of the Magento admin panel, and roles are assigned to users.
  • Privileges: Within each role, privileges are granted to resources, determining the level of access a user has (e.g., read, write, or deny).
  • ACL Configuration Files: ACLs in Magento 2 are configured using XML files. These files specify roles, resources, and privileges, which are then processed by Magento to enforce permissions.

Configuring ACL in Magento 2

To configure ACL in Magento 2, you need to define your resources and roles in XML files. Here’s a step-by-step guide:

Define ACL Resources

First, you need to define the resources your module will use. This is done in the acl.xml file, located in the etc directory of your module (etc/acl.xml). Each resource is declared as a <resource> element with an id of the form Vendor_Module::name, nested under the built-in Magento_Backend::admin root so that it appears in the role resource tree:

<?xml version="1.0"?>
<config xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:noNamespaceSchemaLocation="urn:magento:framework:Acl/etc/acl.xsd">
    <acl>
        <resources>
            <!-- Magento_Backend::admin is the root of the admin resource tree -->
            <resource id="Magento_Backend::admin">
                <!-- Your module's top-level resource; the id is what isAllowed() checks -->
                <resource id="Vendor_Module::your_module" title="Your Module Title" sortOrder="10"/>
            </resource>
        </resources>
        <!-- Roles are not declared here: they are created and mapped to resources
             in the admin panel under System > Permissions > User Roles -->
    </acl>
</config>

Add ACL Rules

Define more specific ACL resources as children of your module's resource, so that a role can be granted the module as a whole or only individual operations within it. This is also done in the acl.xml file:

<?xml version="1.0"?>
<config xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:noNamespaceSchemaLocation="urn:magento:framework:Acl/etc/acl.xsd">
    <acl>
        <resources>
            <resource id="Magento_Backend::admin">
                <resource id="Vendor_Module::your_module" title="Your Module Title" sortOrder="10">
                    <!-- Child resource: granted or denied independently of its siblings -->
                    <resource id="Vendor_Module::manage_items" title="Manage Items" sortOrder="10"/>
                </resource>
            </resource>
        </resources>
    </acl>
</config>

Assign Roles to Users

Once ACL rules are defined, assign them to user roles. This is done in the Magento admin panel under System > Permissions > User Roles. Create or edit a role, and assign permissions based on the defined ACL resources.

Check Permissions in Code

In your module’s code, check if the current user has the required permissions:

<?php
// Inside a class that has Magento\Framework\AuthorizationInterface injected;
// admin controllers extending Magento\Backend\App\Action already expose it
// as $this->_authorization.
$isAllowed = $this->_authorization->isAllowed('Vendor_Module::resource_id');
if ($isAllowed) {
    // Perform actions
} else {
    // Access denied: stop here (error message, redirect or 403); never fall through
}
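As an added example (not code from the original article), the snippet above placed in a complete admin controller. The ADMIN_RESOURCE constant is the gate Magento's base admin action checks in _isAllowed() before execute() runs, so the whole action is refused for roles that lack Vendor_Module::manage_items; the explicit isAllowed() call then applies a narrower check inside the action. The namespace Vendor\Module and the resource id Vendor_Module::delete_items are assumptions for illustration (delete_items would need its own <resource> entry in acl.xml, as a child of Vendor_Module::your_module, before a role could be granted it).

```php
<?php
declare(strict_types=1);

// Added example, not part of the original article. Assumed: the module
// Vendor_Module declares Vendor_Module::manage_items and a hypothetical
// Vendor_Module::delete_items in its etc/acl.xml.

namespace Vendor\Module\Controller\Adminhtml\Item;

use Magento\Backend\App\Action;
use Magento\Framework\App\Action\HttpPostActionInterface;
use Magento\Framework\Controller\Result\Redirect;

class Delete extends Action implements HttpPostActionInterface
{
    /**
     * Checked by Magento\Backend\App\AbstractAction::_isAllowed() before
     * dispatch: a role without this resource never reaches execute().
     */
    public const ADMIN_RESOURCE = 'Vendor_Module::manage_items';

    public function execute(): Redirect
    {
        $resultRedirect = $this->resultRedirectFactory->create();
        $resultRedirect->setPath('*/*/index');

        // Second, finer-grained check: a role may manage items without being
        // allowed to delete them. Deny explicitly and stop; do not fall through.
        if (!$this->_authorization->isAllowed('Vendor_Module::delete_items')) {
            $this->messageManager->addErrorMessage(
                __('You are not allowed to delete items.')
            );
            return $resultRedirect;
        }

        // Validate input only after authorization has passed.
        $id = (int) $this->getRequest()->getParam('id');
        if ($id === 0) {
            $this->messageManager->addErrorMessage(__('We can\'t find an item to delete.'));
            return $resultRedirect;
        }

        // Domain logic (loading and deleting the item by $id) is module-specific
        // and outside the scope of this ACL example.
        $this->messageManager->addSuccessMessage(__('The item has been deleted.'));
        return $resultRedirect;
    }
}
```

Two points worth checking when wiring this up: the resource ids used in ADMIN_RESOURCE and in isAllowed() must match the ids declared in acl.xml character for character, because that declaration is what makes them selectable under System > Permissions > User Roles; and the deny branch must return immediately rather than only skipping the privileged statement, so that no later code in the action runs for an unauthorized role.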