Magento 2 Admin ACL Access Control Lists

Magento 2 admin acl use an authentication system and a robust system for create Access Control List Rules (ACL) which allows a store owner to create fine grained roles for each and every user in their system.

Magento 2 Admin ACL panel use an authentication system and a robust system for create Access Control List Rules (ACL) which allows a store owner to create fine grained roles for each and every user in their system. In this article, we will find how it work and how to add ACL for our custom module.

Magento 2 Access Control List Rules

The Magento 2 Admin ACL resources are visible under the Magento 2 admin System > Permissions > User Roles area. When we click on the Add New Role button or access to a role, you will see the page look like:

In this resources tab, you can see a tree-list of all the available resources in your system. You can choose all Resource or some of them for this role and select the user for this role in Role Users tab. All of the user who belong to this role will be limit access to the resource which you choose. They cannot see and access to other one.

To Create Admin Admin ACL

• Step 1: Create ACL rule
• Step 2: Flush Magento cache
• Step 3: Check ACL rule

Step 1: Create ACL rule

Now, we will see how to add our module to ACL role. We will use a previous simple module HelloWorld to do this. As in the Admin Menu and System Configuration article, you saw that we alway have a resource attribute when create it. Now we will register that resources to the system, so Magento can realize and let us set a role for them. To register the resource, we use the acl.xml file which located in app/code/{namespace}/{module}/etc/acl.xml. Let’s create this file for our simple Module:

File: app/code/Mageplaza/HelloWorld/etc/acl.xml

Contents would be:

<?xml version="1.0"?>
<config xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:noNamespaceSchemaLocation="urn:magento:framework:Acl/etc/acl.xsd">
    <acl>
        <resources>
            <resource id="Magento_Backend::admin">
                <resource id="Mageplaza_HelloWorld::helloworld" title="Hello World" sortOrder="51">
                    <resource id="Mageplaza_HelloWorld::post" title="Posts" sortOrder="10"/>
                    <resource id="Mageplaza_HelloWorld::helloworld_configuration" title="Configuration" sortOrder="99" />
                </resource>
                <resource id="Magento_Backend::stores">
                    <resource id="Magento_Backend::stores_settings">
                        <resource id="Magento_Config::config">
                            <resource id="Mageplaza_HelloWorld::helloworld_config" title="Hello World"/>
                        </resource>
                    </resource>
                </resource>
            </resource>
        </resources>
    </acl>
</config>

Our resource will be placed as child of Magento_Backend::admin. Each resource will have an Id, title and sortOrder attribute:

• Id attribute is the identify of this resource. You can use this when define resource in Admin menu, configuration and limit access to your module controller. This is a unique string and should be in this format: Vendor_ModuleName::resource_name.
• Title attribute is the label of this resource when showing in resource tree.
• sortOrder attribute define the position of this resource in tree.

After this done, please refresh the cache and see the result on resource tree

Step 2: Flush Magento cache

Make sure it admin menu items are displayed on Magento 2 admin, you should try to flush Magento 2 cache.

Step 3: Check ACL rule

There are some place where we put the ACL resource to make it limit the access:

Admin menu: Put the ACL resource to hide the menu if it’s not allowed by store owner.

File: app/code/Mageplaza/HelloWorld/etc/adminhtml/menu.xml

<add id="Mageplaza_HelloWorld::helloworld" title="Hello World" module="Mageplaza_HelloWorld" sortOrder="51" resource="Mageplaza_HelloWorld::helloworld"/>

System configuration: Put the ACL resource to limit access to this section page.

File: app/code/Mageplaza/HelloWorld/etc/adminhtml/system.xml

<section id="helloworld" translate="label" sortOrder="130" showInDefault="1" showInWebsite="1" showInStore="1">
        ….
            <resource>Mageplaza_HelloWorld::helloworld_configuration</resource>
        ….
</section>

We will use Mageplaza_HelloWorld::helloworld_configuration in Magento 2 How to Create System.xml Configuration

With resource it also use on controller.

In admin controllers: Magento provides an abstract type Magento\Framework\AuthorizationInterface which you can use to validate the currently logged in user against a specific ACL. You can call that object by use the variable: $this->_authorization. In the controller, you have to write a protected function to check the resource:

Example: File: vendor/magento/module-customer/Controller/Adminhtml/Index.php

protected function _isAllowed()
{
 return $this->_authorization->isAllowed('Magento_Customer::manage');
}