Access Control: Understanding the Default Joomla User Groups

The Joomla user manager comes with a set of pre-configured user groups with varying access levels. This is a guide to what roles and access each of them has.

A real world Use Case

Jenny loves cupcakes. Since she was a child, getting cake mix all over her fingers and face, she's loved everything about these creative and tasty little gems. Today, a grown up Jenny runs a busy blog - TheHappyCupcake.net. 

She spends most of her days writing, networking and coming up with new recipes and interesting content. Jenny's been working on her blog for a few years now and recently started hiring people to help with her business.

She also wants to start accepting contributions from guest authors.

Jenny is using Joomla to power her blog. She would like to set up these contributors with access to enter articles directly into the CMS.

She has a VA, Margie, who helps with certain tasks like social media updates and proofreading content.

Her web developer, John, developed the Joomla site. John maintains the site, applies updates and carries out programming tasks as required from time to time.

So, how do we grant access to all these people while still maintaining a secure site?

The good news... it's easy. We'll get back to Jenny and her cupcake blog soon. But first you need to understand the difference between the various access levels, and who needs front-end access and who needs back-end access. Let's get to it.

Joomla User Groups and Access Control

Front-end Access Levels

Guest

As you would expect, this is for users who aren't signed into the site. You can't grant this access level to anybody, but you can grant it to items on your site so they are visible only to guests. It's perfect for a "Log in" menu item that you don't need to show to logged in users.

Registered

This is the default login group. Registered users usually have access to hidden areas of your site like members' content, downloads or the like.

Author

Authors have the ability to create and submit new content but they can't actually publish it. Authors can also edit their own articles once approved and published by a Publisher or Administrator. Use this level for members if you would like them to be able to submit new content to your site.

Editor

Editors are very similar to Authors but they can edit anybody's articles, not just their own. They still can't publish or delete items though. We don't see this one used very much. Use this level for people you want to spell check or format items submitted by Authors before being approved by a Publisher.

Publisher

This is the highest front-end only access level. Publishers can create and edit any content and they are the only group with permission to publish or unpublish content. The only limitation on Publishers is they can't delete content.

Back-end Access

Manager

Managers have very similar roles to Publishers with the ability to create and edit categories and menu items through the backend interface.

All other admin functions like installing extensions, managing modules and most other components aren't even visible to them. Use this for users that have the responsibility to manage content.

Interestingly, if you have a look at the permissions in the User Manager configuration screen, Managers have permission to create, edit and delete users but they are denied access to the User Manager's admin interface, rendering those permissions useless.

Administrator

This is the level I prefer to create for clients when handing sites over.

The key difference with administrators is they have the ability to manage other users. Administrators can create new user accounts, reset passwords and block access. In addition to managing users, Administrators can manage content and menus and configure extensions.

The only limitations on Administrators are that they cannot install or change site templates, change global configuration options or access Super Administrators' user profiles.

Super Administrator

This is the Big Daddy of them all. They have access to install, configure, update and delete anything they like.

Super Administrators have the power to break a site very easily. I've had to help a few people who have turned off authentication or user plugins, effectively locking everyone out of the site - even themselves. So, use this access group carefully. Super Admin access should only be granted to one or two key people who know what they are doing.

Let's get back to Jenny and her cupcakes

Each user's access would be set up like this.

  • Super Administrator - John the developer is the only one here who needs Super Admin access. As a Super Administrator, John has full access and permissions to edit any part of the CMS. He can also create new administrators and super administrators when required.
  • Administrator - Jenny. As the owner of the site, this gives Jenny full and complete control over the website content and menus. Jenny can create content and manage users. She can create new modules and edit menus. The Administrator's interface is a lot simpler than what a Super Administrator sees so Jenny can focus on creating content without getting distracted by Global Configurations, Templates and Plugins.
  • Publisher - Jenny's VA, Margie, has Publisher access through the front end. As a publisher, Margie can see all articles on the site, including unpublished items. Margie can proofread them, fix any errors and publish them. She can also set the "Start Publishing" date and publish the content in the future according to Jenny's content plan. Margie will see an edit link next to the title of each article.
  • Authors - All Jenny's guest contributors are registered as Authors so they can submit new articles. They can edit their own articles but can't edit anything other authors have written. Make sure you set up an appropriate menu link for Authors to "Submit an article" or the like.
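The setup above, and the earlier advice to keep Super Administrator membership to one or two people, can be checked against the user tables. The following is an added example, not code from this article or from Joomla: it builds a constructed in-memory copy of the three tables involved (the `jos_` prefix, the rows and the helper names are assumptions) and lists who actually holds back-end access.

```python
import sqlite3

# Constructed sample data. Table and column names mirror Joomla's
# #__users, #__usergroups and #__user_usergroup_map tables; the "jos_"
# prefix and every row below are assumptions made for this example.
SCHEMA = """
CREATE TABLE jos_users (id INTEGER PRIMARY KEY, username TEXT, block INTEGER);
CREATE TABLE jos_usergroups (id INTEGER PRIMARY KEY, title TEXT);
CREATE TABLE jos_user_usergroup_map (user_id INTEGER, group_id INTEGER);
INSERT INTO jos_usergroups VALUES
  (2,'Registered'),(3,'Author'),(5,'Publisher'),(6,'Manager'),
  (7,'Administrator'),(8,'Super Administrator');
INSERT INTO jos_users VALUES
  (1,'john',0),(2,'jenny',0),(3,'margie',0),(4,'guest_author',0),
  (5,'old_contractor',1);
INSERT INTO jos_user_usergroup_map VALUES (1,8),(2,7),(3,5),(4,3),(5,8);
"""

# Groups the article lists under back-end access. Titles follow the
# article; pass the titles your own install uses.
BACKEND = ("Manager", "Administrator", "Super Administrator")

AUDIT = """
SELECT g.title, u.username
FROM jos_users u
JOIN jos_user_usergroup_map m ON m.user_id = u.id
JOIN jos_usergroups g ON g.id = m.group_id
WHERE u.block = 0 AND g.title IN ({})
ORDER BY g.id DESC, u.username
"""

def backend_accounts(conn, titles=BACKEND):
    """Return (group, username) for every unblocked back-end account."""
    sql = AUDIT.format(",".join("?" * len(titles)))
    return conn.execute(sql, titles).fetchall()

def too_many_supers(rows, top="Super Administrator", limit=2):
    """True when more accounts hold the top group than the article advises."""
    return sum(1 for group, _ in rows if group == top) > limit

def demo_db():
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    return conn

if __name__ == "__main__":
    rows = backend_accounts(demo_db())
    for group, user in rows:
        print(f"{group:20} {user}")
    print("review super admins:", too_many_supers(rows))
```

Against a real site, run the same `SELECT` with your own table prefix and group titles; the blocked `old_contractor` row shows why the query filters on `block = 0`.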

To finish up

For most installations, the default groups and access levels are all you need. Since Joomla 2.5 we've been given unlimited ability to define our own user groups and access control levels. If you want to take the time to learn how it all works - and you've got a spare afternoon - there's a very detailed guide here.

John Pitchers

Since 2005, I've supported my family working from home building Joomla sites for paying clients.

If you're a first-time Joomla user, or building a freelance career of your own, I'm sharing everything I've learned one post at a time.

My mission is to help you become the best Joomler you can be. Are you ready?
