A review of the mechanics behind Joomla's ACL, then a discussion as to how one can leverage a role-based access control system through Joomla - to improve the user experience for those managing the website and its content.
Please open the tab below to view my NOTES PER SLIDE.
2. This is the revised 2014 version of my
presentation Role-Based ACL.
Many of the slides here have been slightly
changed to accommodate annotations. This
helps to convey meaning beyond the
pictures.
3. My current work is with the iCueProject.com.
Here we see the problem of the CMS is that it provides only
one interface to be used by two different types of users…
4. A better approach is to provide a separate CMS interface
to each of the two user types.
Actually, we can do better yet to provide personalized user experiences
for each user group. The starting point of doing this is with the ACL –
and setting up the ACL with roles.
5. I’ll start by explaining the ‘mechanics’ of Joomla’s ACL.
13. Groups are the foundation of Joomla’s ACL.
They know only their name and which other group is its parent.
They don’t know about any other parts of the ACL or of Joomla.
Simple. Yet this allow us to create a rich expression of roles
through custom hierarchies.
14. Users are connected to the ACL by assigning them to groups.
This is the only direct connection they have with the ACL.
Each user can be associated to any number of groups and
in any combination.
15. Next we look at what I call “resources.”
These are the other parts of Joomla that connect to the ACL.
Technically, these are not part of the ACL – they connect
to the ACL system only by referencing it.
16. Currently, permissions are provided only by the site configuration,
by components (and their categories/items), and by modules.
Menu items and plugins do not implement permissions.
Permissions are part of the ACL, but it is the responsibility of the resource
to provide a list of “actions” for which the ACL can assign permissions.
Unfortunately, in some cases, developers don’t do this.
17. Another thing to note…
For each resource, the permissions screen automatically presents
us with the set of user groups currently held by the ACL. And within each
of these user groups is the set of actions that the resource declares.
So permissions are always within the context of the resource first,
then within each of the groups, and finally (within each group) assigned per action.
18. In contrast to permissions, all resources reference access levels.
Also in contrast to permissions,
each resource references one-and-only-one access level.
19. Each access level simply defines some set of groups.
If any person belongs to any of the groups selected by that access level item,
Then that person is included by this access item.
So for any resource, the ACL evaluates if the current user is included by that
Resource’s access level. If so, then the user has access to the resource.
If not, then the user does not have access.
20. Note: a better term for this item is access list – as its role is to provide a
formula that determines which users that are included (having access).
These do not confer “level,” and that term is an unfortunate carry-over
from the ACL in 1.5.
22. ACL
permissions personalization
When we think of ACL we probably think “permissions.” but “permissions is
Just one side of the coin. The other side is “personalization.”
Next we’ll discuss permissions. But later we will talk about personalization.
24. Permissions (& actions)
Permissions are managed by the ACL,
but for logical reasons, the component is responsible for three things.
Let’s look at those…
25. Permissions (& actions)
1
For permissions to apply to a component, that component must declare
a list of actions relevant for it and its data.
Below you see the traditional/core actions (create, delete, edit, etc.)
26. Permissions (& actions)
1
But many developers can do better
by offering actions specific to the
component’s type and data.
Shown to the left here are the rich set
of actions provided by EasyBlog.
27. Permissions (& actions)
1
2
The component is responsible for offering ACL at the desired
level of granularity:
component, category, and item.
The ACL cannot force a component to implement permissions –
even at the component level. Frustratingly, some developers don’t offer
any permissions on their extension!
28. Permissions (& actions)rc
1
2
3
enforce result
It is the component’s responsibility to enforce
permissions and to enforce them correctly.
The ACL can only respond as to whether or not
the current user has permission, but the ACL itself
cannot enforce the permission.
31. 1. for a particular action
2. Each of the user’s groups
The ACL considers each group to which the user belongs.
Keep in mind that if a user belongs to a group with a parent, then the ACL assumes
the user belongs to each parent group tracing back to Public. In this example,
belonging to B1 also includes user group B.
32. The formula is simple.
FIRST: Consider the permission settings for each group to which
the user belongs – without considering where that group falls
within the group hierarchy.
33. THEN: Evaluate the set of permission settings (in any order)
• If all the permissions are set to Inherit, the result is deny.
• If at least one permission is Allow but none are Deny, the result is allow.
• If any one of the permissions is Deny, the result is deny – regardless of
any other Allows that might be present. A single Deny anywhere results in deny.
34. 1. for a particular action
2. Each of the user’s groups
3. For extension, category, & object
The same applies to when we need to include
the permissions on categories and objects.
Just look at the permission settings of each of the user’s groups
at each level: component, category, and object.
35. 1. for a particular action
2. Each of the user’s groups
3. For extension, category, & object
Rely on the same formula:
• All Inherits is deny.
• One or more Allow is allow
• A single Deny cancels all Allows
and results in deny
36. So let’s look a permission calculcations from a different data model…
37. If the component level is set to Allow and nothing is set on the category or object…
All items are allowed. All new items are allowed.
All new items in a new category will be allowed.
38. If the component level is not set…
All items allowed –
even new items within this category.
No items are allowed –
new items will not be allowed.
Selected items are allowed –
other are not allowed and
new items will not be allowed
39. All items denied –
even new items within this category.
The Denied items are denied, but
All other items and those that are
created later will be allowed
All items denyed –
even new items within this category.
Even an Allow on the item will not
undo the Deny on the category.
When the component is allowed by a Deny is set inside it…
40. ACL Manager is a great tool for helping you see the results of your ACL settings.
42. RBAC1
Users can be assigned to one
or more roles. The thin lines
denote these connections are
easily made or changed
Users Roles Permissions
The ACL Rules assigns permissions
to each role. The thick arrows
denote that these do not change
often and can demand more
technical knowledge to set up.
43. RBAC1
Joomla accommodates this. If we treat a user group as a role,
then we have what we need to implement role-based access control.
Users are assigned to
one or more roles. Each role is assigned
to a set of permissions
45. 1.5 vs 2.5/3.x
1.5 delivered a totem-pole approach to groups.
2.5 allows for sibling groups.
46. 1.5 vs 2.5/3.x
1.5 has a fixed set of groups
2.5 allows us to create groups as we need them…
…and to place them wherever we want within the group hierarchy.
47. 1.5 vs 2.5/3.x
In 1.5 a user belonged to one place on the ‘totem pole’ of groups.
In 2.5 we can assign any user to any combination of groups
48. 1.5 vs 2.5/3.x
In 1.5 the permission were pre-assigned are rather fixed for each group
In 2.5 a component can declare the actions, and each actin can have its own
permissions settings.
We can set a permission as we want: on whichever actions for whichever groups.
49. 1.5 vs 2.5/3.x
Since 2.5 we can set permissions at the category and object levels.
50. 1.5 vs 2.5/3.x
And the new ACL allows developers
to declare a rich set of actions that are
specific to the component.
51. 1.5 vs 2.5/3.x
Whereas the old ACL gave us only 3 access levels
…that imposed levels (no sibling items)
...and we could not change
In the new ACL we have real access lists
…we create as many as we want
…each item is a sibling (no imposed levels)
…we can configure each as we want/need
52. The new ACL offers so much more than the
old one did.
So why does the 2.5 and 3.x ACL look so
similar!?!
53. 1.5 2.5/3.x
The new ACL offers so
much more than the old
one did.
But to help users understand
the ACL, the out-of-the-box
configuration mimicked what
users knew from 1.5.
…The unintended consequence
is that many 2.5 users
maintained their 1.5 mindset
about the new ACL. But the
new ACL was not meant to
be limited to that!
54. 1.5 2.5/3.x role-based
The role-based approach exploits
the new features of Joomla’s ACL
and it leads us to a different look.
65. What does role-based buy us?
Flexibility
– as staff and staff assignments change over time
66. What does role-based buy us?
Ease of Comprehension
– for business people using the CMS
A staff person does not have to understand
ACL and permissions to quickly and easily
assign a person to a role.
68. roles
permissions personalization
Now its time to look at the other
side of the coin – using roles to
reflect personalization of the user’s
experience with the CMS.
69. Role-Based Joomla!
We can leverage roles to reflect what the user sees
when logging in to the backend
70. County Auditor’s dashboard
I built a site for a county that had over 20 departments.
Each department was represented by a role (user group).
When a staff member logged in, she would see the quick
links for the department to which she belonged.
Here is what the staff for the Auditor/Treasurer would see.
71. Auditor’s department pages
And each link led to a list of items with the filter
preset to those of that department’s category.
72. Auditor’s JCE settings
The JCE editor was preset so that
its image manager and document
manager would give that user
access only to the directory
dedicated to that department.
A user could not add or delete assets
only for any department but his own.
74. County Webmaster’s dashboard
The person who is a site’s webmaster
usually includes multiple administrative
roles – including access to site reports.
75. before
after
HikaShop product pageOne can use roles to show only the form fields that a user needs to access. This
usually takes a little bit of code in a layout override.
I am developing a tool that allows a site integrator to configure this per role,
without having to code the solution.
77. I first create a base usergroup that grants nothing but
access to the backend. All backend roles will extend
from this.
78.
79. Role-based implies:
Then I create a user group (white) for each role, and an
access level item (red) for each of these role-based user
groups. Each of these access level items includes only
it’s associated user group.
80.
81. Typically, a role will be associated with only one component.
Set the permissions on this role only for that component and for
that role’s user group. Leave all other permissions as inherit.
82. Create an access level item for
each role. For each of these access
level items, assign it to include only
the corresponding user group.
83. My preference is to prefix
each role-based access level
with a tilde ~. It helps me
navigate the dropdown list
when assigning an access
level.
84. Then I create an admin module
of quick links for each role.
The access level for each of
these access levels is set
accordingly.
85. The admin template uses module
positions, so identify the position
to use for each of your role-based
admin modules.
86. As a result, one sees only the
quick links modules for the roles
to which she is assigned.
87. assignment
Often overlooked is the important
role of user manager. This itself
should be a role, and whoever is
assigned it has the power of your
ACL in his hands.
As I’ve worked on CMS-based projects over the past few years I’ve come to believe that we should not be giving our end users the same CMs interface that we use to build the site.
I believe we deliver added value when we deliver a CMS experience that is tailored to the needs and capabilities of those who will be maintaining the site and its content.
I realize that for some this is an unconventional approach. But I believe it is the rigth thing to do
Groups are related in a tree structure – groups can be independent of other groups. Use to be: arranged linearly as increasing levels, with each group contributing or inheriting to any other group.
Custom groups can be created and added anywhere within the group hierarchy.
User can belong to multiple groups and any combination of groups
Permissions can be set independently per group.
Permissions can be extended to category and object levels.
We are not bound to just the core actions: Extension developers can create a set of specialized actions that are appropriate for that extension.
We can create and configure access list items however we want.
A year ago I built a county website. The county had about 20 different usergroups for its departments and sub-departments. Each backend user is assigned to a usergroup representing a department. As a result, when that person logs in, he or she sees a list of tasks as you see here. Each task is preset to lead to an item or list of items filtered to that department.
How does this improve workflow? The user sees only those few links relevant to his/her role. And the user doe not have to navigate through filters each time to find the content to edit. Security is included, of course. But the user of department-specific usergroups improves usability and streamlines the user’s workflow.
Here is an example of the list of articles that the auditor reaches when clicking to see a list of department pages. Prefiltered to show just that departments pages, and every new item is preset to that department’s category.
Even the JCE toolbar is tuned with a profile for each department. For instance, clicking on an insert button (image, document, media), the popup opens to the directory for that department.
Workflow is advanced because the user does not have to navigate to his/her directory, and all items uploaded are automatically uploaded to that department’s directory.
Here is an example of the dashboard for anyone belong to the Sheriff’s department. In this case, the sheriff’s department includes a couple of sub departments, so those tasks are grouped accordingly and displayed.
The IT department includes a webmaster and site administrator. We also give this user roles like Security and front page management of announcements, events, and a gallery.
Note that even though this is the webmaster, I didn’t give this user full admin access. They have a super admin account to user perchance they need that level of control. But as a webmaster, that user just needs what you see here – nothing displaying that is not needed
By overriding the layout file for the HikaShop products page, I was able the significantly reduce the form’s footprint.
This introduces a new discipline into the field of web development.
The first part is what is discovering what is the appropriate user experience for any given client and the staff managing the site.
The second part is developing the skill and toolset for building this tailored experience.
I acknowledge that this requires extra work from the website developer. But I feel this provides additional value to the client. And in a competitive market, this is an added value that will win business and set your services apart.
In this presentation we will be looking at streamlining workflows, and in the latter minutes I would like to demo some of the tools that help us do that.
Evaluate which buttons the user needs – really needs.
Maybe we give them something simple like this.
---------
On a related note… There is a growing revolution emerging within the fields of content strategy and mobile development. It is a revolt against the idea of giving content managers toolbars for editing content as if it were a Word document. The argument is that content should be separated from form. The end users think they are designing for one platform – the desktop – and as a result the mobile display can suffer – suffer greatly. Not just mobile, but also RSS feeds, and perhaps more. While some tags can help to qualify pieces of content, these should be free of formatting that maybe should be rendered differently on different platforms. The movement says we (site developers) need to train our users that editing content on the web is not the same as editing a Word doc. Don’t give out users that idea, and don’t give them the toolbar to treat content that way.
Point here being – we should try to give as few toolbar buttons as we can.