Administrative Access with ACL


Access control principles

Very often shop owners need their employees to access the VirtueMart information (e.g. Customer Orders, Products) but want to restrict this access to certain areas and functions within these areas.

Administrators may wish to prevent general user access to the Backend (administrative area of Joomla).

VirtueMart 3 now has integrated Frontend access to the VirtueMart administration, which was previously available only in the Backend. VirtueMart uses the Joomla ACL to achieve this.

Joomla usergroups and VirtueMart shoppergroups

These two groups sound similar but are not related:-

  • Joomla usergroups - used for Joomla administrative matters such as access rights including VirtueMart.
  • Shoppergroups in VirtueMart - used for customers and are not related to the Joomla groups.

When a user is created in Joomla, they are assigned to a Joomla usergroup. If a user is to work in the administration area of Joomla, they will probably be assigned to the Manager usergroup or one of its subordinates.

Shoppers are created automatically by VirtueMart and belong to the Registered usergroup. It is unlikely that this usergroup (or any of its subordinate groups) should ever be granted access rights to VirtueMart.

Managing access to specific VirtueMart functions

Most VirtueMart functional areas (views), e.g. Product Categories, Tax and Calculation Rules, Orders, have the "Permissions" icon shown. This is used to access the permissions section for ALL configuration areas and is not restricted to the current view.

The first tab allows you to configure some general options for the usergroup highlighted in the left column e.g.:-

  • change the ACL options
  • access the backend and/or frontend administration.
  • which filter is used for their data entries.
  • If the user is allowed to manage vendors, he can switch the vendor and see the products of other/all vendors. He is also allowed to change the property of items. A user who is a manager but has no vendorId is assigned vendorId 1.

The remaining tabs relate to the configuration/management functions of VirtueMart - each area has its own settings, but most have the following options:-

  • Access Administration Interface area for this view - allowed to view the list
  • Edit - allowed to make changes to existing entries
  • Create - allowed to create new entries
  • Delete - allowed to delete existing entries
  • Edit state - allowed to edit a state (published, featured)

When you see only the name for the view, there are no subordinate rights.

If you do not want to allow access for this usergroup, then set the rights for this usergroup in the "Permissions" tab to "Denied".

In the other tabs you can modify the VirtueMart settings.
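
The following Python example is added here for illustration and is not VirtueMart or Joomla code. It models how Joomla resolves "Allowed" and "Denied" along the usergroup tree and lists any group under Registered that ends up with a right on the shop. Assumptions: the group ids and titles (including the hypothetical "Shop Staff" group), the use of Joomla's core action names for com_virtuemart, and the constructed rules JSON; only component-level rules are modelled, not those inherited from the global configuration.

```python
import json

# Constructed sample data modelled on a default Joomla install (not read from a real site).
# Usergroup tree: id -> (title, parent id); 0 means no parent. "Shop Staff" is hypothetical.
GROUPS = {1: ("Public", 0), 2: ("Registered", 1), 3: ("Author", 2),
          6: ("Manager", 1), 7: ("Administrator", 6), 9: ("Shop Staff", 6)}
# Rules for the com_virtuemart asset in the JSON shape Joomla keeps per asset:
# action -> {group id: 1 (Allowed) or 0 (Denied)}; a missing entry means inherited.
RULES = json.loads("""{
  "core.manage":     {"6": 1, "3": 1},
  "core.edit":       {"6": 1, "9": 0},
  "core.create":     {"6": 1},
  "core.delete":     {"7": 1},
  "core.edit.state": []
}""")

def group_path(gid):
    """Return gid followed by all of its ancestors."""
    path = []
    while gid:
        path.append(gid)
        gid = GROUPS[gid][1]
    return path

def effective(action, gid):
    """True/False/None: Denied anywhere on the path wins, then Allowed, else unset."""
    rule = RULES.get(action) or {}
    values = [rule[str(g)] for g in group_path(gid) if str(g) in rule]
    if 0 in values:
        return False
    return True if 1 in values else None

def shopper_groups_with_access(registered_id=2):
    """List (group title, action) pairs where Registered or a subgroup is allowed."""
    findings = []
    for gid, (title, _) in GROUPS.items():
        if registered_id in group_path(gid):
            findings += [(title, a) for a in RULES if effective(a, gid)]
    return findings

if __name__ == "__main__":
    for title, action in shopper_groups_with_access():
        print(f"REVIEW: {title} is allowed {action} on com_virtuemart")
    print("Shop Staff edit:", effective("core.edit", 9))
```

In the sample data the Author group, a subgroup of Registered, has been given access to the administration interface and is reported for review, while "Shop Staff" inherits Manager's rights except Edit, which its own "Denied" setting overrides.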

Read more: Example to setup ACL