Magento 2 Admin ACL Access Control Lists

Magento 2 Admin ACL (Access Control Lists) is a feature that allows you to control the access and actions of different admin users in your Magento store. It provides an additional layer of security by enabling you to specify which admin users have access to specific store areas and functions.

With Magento 2 Admin ACL, you can create custom roles and assign specific permissions to each role. For example, you can create a role that only has access to order management or product catalog management. You can also create a role that has full access to all store functions. In this article, we will find out how it works and how to add ACL for our custom module.

To Create Admin ACL

Follow these steps to create an Admin ACL:

  • Create ACL Rule
  • Clear Magento Cache
  • Check ACL Rule

Create ACL Rule

In Magento 2, ACL (Access Control List) rules are used to control access to different admin panel resources based on user roles. ACL rules can be used to limit access to specific actions or resources, such as managing products or editing customer data. Let’s say you have an admin user role called “Content Manager” that should only be able to manage CMS pages in the admin panel. To create an ACL rule for this, you would first create a new module with an acl.xml file in the etc/ directory of your module.



Code of acl.xml

<?xml version="1.0"?>
<config xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:noNamespaceSchemaLocation="urn:magento:framework:Acl/etc/acl.xsd">
    <acl>
        <resources>
            <resource id="Magento_Backend::admin">
                <resource id="GDBlogger_DemoModule::cms_page" title="Content Manager" sortOrder="51">
                    <resource id="GDBlogger_DemoModule::content_elements" title="Content Elements" />
                </resource>
            </resource>
        </resources>
    </acl>
</config>

In this example, we’ve created an ACL rule that allows the “Content Manager” role to access the cms_page resource (which represents the CMS pages in the admin panel) and its child resource content_elements.

To assign this ACL rule to the “Content Manager” role, you would go to the Admin panel. Navigate to System > User Roles and edit the “Content Manager” role. Under the “Role Resources” tab, you can then select the “CMS Pages” checkbox to give the “Content Manager” role access to the CMS pages in the admin panel.

In summary, ACL rules allow you to control access to different admin panel resources based on user roles, and you can create new ACL rules by defining them in an acl.xml file in your module’s etc/ directory.

Clear Magento Cache

To clear the Magento cache run the following command:

php bin/magento c:c

Check ACL Rule

To check if the ACL rule you created is working in Magento 2, you can follow these steps:

  1. Log in to the admin panel with a user that has the “Content Manager” role.
  2. Navigate to the CMS Pages section in the admin panel.
  3. Verify that the “Content Elements” link is visible in the left-hand menu.
  4. Try to access a different section of the admin panel that the “Content Manager” role should not have access to (e.g. the Products section).
  5. Verify that you receive an “Access Denied” message and are unable to access that section.

If you can see the “Content Elements” link and are unable to access restricted sections of the admin panel, then the ACL rule is working as intended.
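A static check to complement the manual steps above, added here as an example (it is not code from the original article): it parses the acl.xml and confirms that every admin controller's ADMIN_RESOURCE constant names a resource the file actually declares. The controller paths and their contents are constructed samples, and the use of ADMIN_RESOURCE (the constant Magento admin controllers use to name the resource they require) in this module is an assumption.

```python
import re
import xml.etree.ElementTree as ET
# Constructed sample: the acl.xml from this article, in well-formed form.
ACL_XML = """<?xml version="1.0"?>
<config xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:noNamespaceSchemaLocation="urn:magento:framework:Acl/etc/acl.xsd">
  <acl><resources>
    <resource id="Magento_Backend::admin">
      <resource id="GDBlogger_DemoModule::cms_page" title="Content Manager" sortOrder="51">
        <resource id="GDBlogger_DemoModule::content_elements" title="Content Elements" />
      </resource>
    </resource>
  </resources></acl>
</config>"""

# Constructed sample: hypothetical admin controllers (file path -> PHP source excerpt).
CONTROLLERS = {
    "Controller/Adminhtml/Elements/Index.php": "const ADMIN_RESOURCE = 'GDBlogger_DemoModule::content_elements';",
    "Controller/Adminhtml/Elements/Delete.php": "const ADMIN_RESOURCE = 'GDBlogger_DemoModule::content_delete';",
    "Controller/Adminhtml/Elements/Export.php": "class Export extends \\Magento\\Backend\\App\\Action {}",
}

# Vendor_Module::resource_name, the ID convention the article's acl.xml follows.
ID_RE = re.compile(r"^[A-Z][A-Za-z0-9]*_[A-Z][A-Za-z0-9]*::[A-Za-z0-9_]+$")
CONST_RE = re.compile(r"const\s+ADMIN_RESOURCE\s*=\s*['\"]([^'\"]+)['\"]")

def declared_resources(acl_xml):
    """Return {resource id: path of ids from the root} for each <resource>."""
    found = {}
    def walk(node, path):
        for child in node.findall("resource"):
            rid = child.get("id", "")
            if not ID_RE.match(rid):
                raise ValueError(f"malformed resource id: {rid!r}")
            found[rid] = path + [rid]
            walk(child, found[rid])
    walk(ET.fromstring(acl_xml).find("acl/resources"), [])
    return found

def audit_controllers(acl_xml, controllers):
    """Label each controller 'ok', 'undeclared:<id>' or 'missing' (no constant)."""
    declared = declared_resources(acl_xml)
    findings = {}
    for path, source in controllers.items():
        match = CONST_RE.search(source)
        rid = match.group(1) if match else None
        findings[path] = ("missing" if rid is None else
                          "ok" if rid in declared else "undeclared:" + rid)
    return findings
```

Any result other than "ok" marks a controller whose access is not tied to a resource that can be granted or withheld under Role Resources for this module.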

I hope this guide helps you create an Admin ACL in Magento 2. Please do not hesitate to contact us through the comments section if you have any further questions.
