Access control principles
Shop owners very often need their employees to access VirtueMart information (e.g. Customer Orders, Products) but want to restrict this access to certain areas and to certain functions within these areas.
Store owners may want to prevent general operator access to the backend of Joomla (the administrative area), but still allow operators access to some VirtueMart views (e.g. orders).
VirtueMart 3 now supports frontend access for the administration of VirtueMart and uses the Joomla ACL to achieve this.
Joomla usergroups and VirtueMart shoppergroups
These two groups sound similar but are not related:
- Joomla usergroups - used for Joomla administrative matters such as access rights including VirtueMart.
- Shoppergroups in VirtueMart - used for customers and are not related to the Joomla usergroups.
When a user is created in Joomla, they are assigned to Joomla usergroups. If a user is allowed to work in the administration area of Joomla, they will probably be assigned to the Manager usergroup, one of its subordinates, or a new usergroup that you have created (this is your choice).
A Joomla user can be assigned to multiple Joomla usergroups e.g. Manager and Registered.
Shoppers are created automatically by VirtueMart and belong to the Joomla "Registered" usergroup. DO NOT allow any VirtueMart access permissions for the "Registered" usergroup or any of its subordinates! This could give VirtueMart admin access to customers.
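One way to audit this rule, as an added example that is not part of VirtueMart or Joomla: it reports every action that the "Registered" usergroup or one of its subordinates ends up allowed to perform, including allows inherited from a parent group such as Public. It assumes you have exported the rows of Joomla's #__usergroups table and the "rules" JSON of the com_virtuemart row in #__assets; the sample data is constructed, and only the component's own rule set is examined, not rules inherited from the global configuration.

```python
import json

# Constructed sample: rows of (id, parent_id, title) as stored in Joomla's
# #__usergroups table, using the default Joomla 3 group ids.
GROUPS = [
    (1, 0, "Public"), (2, 1, "Registered"), (3, 2, "Author"),
    (4, 3, "Editor"), (5, 4, "Publisher"), (6, 1, "Manager"),
    (7, 6, "Administrator"), (8, 1, "Super Users"),
]

# Constructed sample: "rules" JSON of the com_virtuemart row in #__assets
# (action -> {group id: 1 allow / 0 deny}).
RULES = json.loads("""{
  "core.manage": {"6": 1, "3": 1},
  "core.edit":   {"1": 1, "4": 0},
  "core.delete": {"6": 1}
}""")


def path_to_root(group_id, parents):
    """Return the group and all its ancestors, walking parent_id upward."""
    path = []
    while group_id in parents:
        path.append(group_id)
        group_id = parents[group_id]
    return path


def effective(action_rules, group_id, parents):
    """Joomla-style calculation: any deny on the path wins, else any allow."""
    values = [action_rules.get(str(g)) for g in path_to_root(group_id, parents)]
    if 0 in values:
        return False
    return 1 in values


def audit(rules, groups, shopper_group="Registered"):
    """List (action, title) pairs where the shopper group or a subordinate is allowed."""
    parents = {gid: pid for gid, pid, _ in groups}
    titles = {gid: title for gid, _, title in groups}
    root = next(gid for gid, _, t in groups if t == shopper_group)
    at_risk = [g for g in parents if root in path_to_root(g, parents)]
    return sorted((action, titles[g]) for action, r in rules.items()
                  for g in at_risk if effective(r, g, parents))


if __name__ == "__main__":
    for action, title in audit(RULES, GROUPS):
        print(f"REVIEW: {title} can {action} in VirtueMart")
```

An empty result is the state the warning above asks for; any line printed names a usergroup that customers belong to, or a subordinate of it, holding a VirtueMart permission.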
Managing access to specific VirtueMart functions
Most VirtueMart functional areas (views), e.g. Products, Product Categories, Orders, Tax and Calculation Rules etc. show the "Permissions" icon.
This is used to access the permissions section for ALL VirtueMart configuration areas and is not restricted to the current view.
When you choose to edit VirtueMart permissions, you will be taken to the VirtueMart permissions screen.
The left side of the screen shows the Joomla usergroups. By selecting the usergroup you require, the screen will display VirtueMart permissions that are configured for that Joomla usergroup. You will be able to update the options to suit your needs.
Most entries are self-explanatory, with many of them having the following options:
- Access Administration Interface area for this view - allowed to view the list
- Edit - allowed to make changes to existing entries
- Create - allowed to create new entries
- Delete - allowed to delete existing entries
- Edit state - allowed to edit a state (published, featured)
If you want a user to see the VirtueMart options in the backend of Joomla, then the "Access Administration Interface" => "Calculated Setting" option must be shown as Allowed.
If you do not want to allow access for this usergroup to a particular VirtueMart function, then set the option to "Not Allowed".
You can give vendors frontend management rights by denying "Access Administration Interface" but allowing "VM Manager".
"Manage Vendors" is for multivendor stores and allows management of the vendors themselves. It should be allowed only for administrators.
N.B. There is a small bug in versions prior to VM3.2.2: if you want your new "admin" to see the products etc. on a single-vendor shop, then even if you have allowed all permissions you also need to allow "Manage Vendors".
There is some more information about Shop Permissions at EXAMPLE SETUP ACL