Users and Permissions

People simply try to use the Joomla! website that you have created for them - in an active or passive way. The better the experience, the better the website will be perceived. Joomla! - as every CMS differentiates between visitors and registered users with different permissions. Visitors usually arrive via search engines or social media site recommandations and can become users by registrating. Already registered users mostly know what they are looking for and come to your site with certain expectations.

The more users your site has, the more complex the topic users and permissions becomes. In versions preceding Joomla! 1.6, there was a static system consisting of user groups, permissions and access levels that could not be changed. With Joomla! 1.7, the old system is still alive as the default configuration of a very powerful so-called access control list (ACL).

Every site access will be evaluated by a Permission Group, even an access from a visitor. After registering on your Joomla! website, the user will automatically become a member of a Permission Group. The group has predefined permissions and belongs to an access level. One Access Level can have any number of Permission Groups. One group can have any number of users/visitors. Permissions can be passed down and overwritten in several places.

Let's begin by having a look at the registration process.

Registration and Login

The first registration process in your website's life cycle was completed with the installation of Joomla!. In the last step you were prompted for a user name, an email address and a password. The person who installed Joomla! is now the super duper administrator, who has permission to do everything on the site. This is why every Joomla! website has at least one user account. It's up to this user only to modify the behavior of the site in Users - User Manager - Options (Figure 1).

Figure 1: User options

On your Joomla! site, you can create as many users as you would like. You can also allow visitors to register themselves. Depending on the their permissions, users can create their own content and/or view content that has been created for them in particular.

User options

The form user options has three tabs:

• Component
  In this area you can configure whether you would even like a user registration form on your site or not. One of the new features since Joomla! 1.6 is the possibility to predetermine which user group guests should be assigned to, and which user group newly registered users are in by default.
• Mass mail
  It is possible to send a mass mail to your users. In this tab you can configure the static email settings.
• Permissions
  In this tab you can manage the permission settings for each user group.

Log in

Visitors can register on the website. Joomla!, therefore, offers a login module, which can be positioned at the site (Figure 2). 

Figure 2: Login module

This module can be configured with many additonal features like customized text, SSL encryption and login / logout redirection. Have a closer look at Extensions - Module Manager (Figure 3).

Figure 3: Login module options

The advantage of the form, which is delivered by login module, is that there is no necessity for the user to click a link before the log in form appears. If this behavior is not necessary or you don't want to have the login form as a module, you may also create the form via a component. To do this, you just have to create menu items with the desired menu item types (Figure 4).

Figure 4: Menu item types for users

Additional profile fields

In the past it was only possible to have additional fields in the registration form if additional extensions were used. In order to solve this issue and connect the user data to the contact component, Joomla! 1.7 core is equipped with a plug-in called User Profiles. In Extensions - Plug-in Manager, you can activate and configure the plug-in (also see Contact component). This module provides several additional fields, even a Terms of service option, which users have to click during the registration process to accept the terms of service (Figure 5).

Figure 5: Additional profile fields

Tip: For better membership management functionality including extended registration form, additional profile and registration fields, membership approval workflows, profile tabs, etc. a membership management extension like e.g. Community Builder is needed.

User groups

The idea of an ACL user group is to create sets of permissions at the Joomla Access Control Level. This is not to be confused with other features available through additional extensions (e.g., GroupJive) that allow users to organize themselves into special interest groups..

"If you want to be an author on our site, you'll need the following permissions."

Instead of assigning these permissions to each user, they are assigned to a group. The individual user is then assigned to one or more groups. Imagine you have 10,000 users in four different groups. It's easy for the administrator to change the permissions for each of the groups. Without groups you  would have to change every user account manually. However, when using groups, you only have to change permissions once!

In Joomla! 1.7 you can create as many user groups as you would like. In User Manager - Groups, you can find an overview of all the groups that are in core Joomla! (Figure 6).

Figure 6: User group

The default setup is the same as it was for Joomla! 1.5. If your are happy with the structure, it will not be necessary to change anything.

Default permissions for website frontend user groups:

• Registered group
  A registered user can log in, edit his own credentials and see parts of the site that non-registered users cannot see.
• Author group
  The author can do everything that a registered user can. An author can also write articles and modify his or her own content. Generally, there is a link in the user menu for this.
• Editor group
  The editor can do everything that an author can. An editor can also write and edit all articles that appear in the front end.
• Publisher group
  The publisher can do everything that an editor can. A publisher can also write articles and edit every piece of information that appears in the frontend. In addition, a publisher can decide whether articles are published or not.

Default permissions for website backend user groups:

• Manager group
  A manager can create content and see various pieces information about the system. He is not allowed to:
  • Manage users
  • Install modules and components
  • Upgrade a user to super administrator or change a super administrator
  • Work on the menu item Site | Global Configuration
  • Send a mass mailing to all users
  • Change and/or install templates and language files
• Administrator
  An administrator is not allowed to:
  • Upgrade a user to super administrator or change a super administrator
  • Work on the menu item Site | Global Configuration
  • Send a mass mailing to all users
  • Change and/or install templates and language files
• Super Administrator or Super User
  This user is allowed to execute all functions in the Joomla! administration. Only a super administrator can add other super administrators.

Access levels

User groups can be assigned to access levels. So we have a users connected to a group, and groups connected to an access level (Figure 7, Figure 8)

Figure 7: Access levels

Figure 8: Groups assigned to an access level

Why access levels?

As we have seen, access levels are a bundle of groups. With the combination of group permissions and access levels, solving every use case becomes possible. In an article, for instance, you can limit the accessibility to an access level (Figure 9).

Figure 9: Access levels in an article

Such functionality is needed in order to limit access to content and functions in large organizations or to support e-commerce and subscriptions based services use cases on Joomla websites. The Joomla ACL system is not only available for Joomla content and core functions, but also available for use in Joomla extensions. For instance Community Builder and other memberships management solutions can take advantage of this enhanced ACL functionality.