Access Control List (ACL): How to create the rules in Magento 2 websites

Access Control List (known as ACL) is a core part of the Magento eCommerce platform. Its rules allow the Magento admin to limit the permissions of users: for example, you can use the rules to authorize users to access menus, controllers, and API endpoints, and to conditionally render layout blocks. As a result, Magento ACL helps to ensure that nobody can make changes to parts of the store that are not under their responsibility.

Access Control List (ACL) rules for Magento

The Magento admin uses an authentication system together with a robust system for creating Access Control List (ACL) rules. This allows a store owner to create fine-grained roles for each and every user in their system. Creating those rules takes a few steps. What are they? We, ArrowHiTech, would like to walk you through the main process of creating Magento ACL rules.

Step 1: Define the custom resources in the Magento ACL

1. Create the etc/acl.xml file in your module. This file adds your custom Magento ACL resources to the resource tree so that menus, controllers, layout blocks, and Web API routes can reference them later.

    <?xml version="1.0"?>
    <!-- The xsi namespace must be declared, otherwise the schema location is ignored -->
    <config xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
            xsi:noNamespaceSchemaLocation="urn:magento:framework:Acl/etc/acl.xsd">
        <acl>
            <resources>
                <!-- Every custom resource hangs below the built-in admin root resource -->
                <resource id="Magento_Backend::admin">
                    <resource id="Vendor_MyModule::menu" title="Custom Menu" sortOrder="10">
                        <resource id="Vendor_MyModule::create" title="Create" sortOrder="50" />
                        <resource id="Vendor_MyModule::delete" title="Delete" sortOrder="100" />
                        <resource id="Vendor_MyModule::view" title="View" sortOrder="150">
                            <resource id="Vendor_MyModule::view_additional" title="View Additional Information" sortOrder="10" />
                        </resource>
                    </resource>
                </resource>
            </resources>
        </acl>
    </config>

2. Clean the cache by clicking System > Cache Management > Flush Magento Cache or by entering the following command:

$ bin/magento cache:clean

3. Navigate to System > Permissions > User Roles.

4. After clicking the Add New Role button, enter values for Role Name and Your Password (your current admin password, which confirms the change).

5. Then, click the Role Resources tab and set Resource Access to Custom.

6. Then, select the Custom Menu, Create, and Delete resources and save the Magento ACL rule.

[Figure: Save the ACL rules]

Step 2: It’s time to restrict access for Admin users using Magento ACL

Here comes the fun part. To restrict access using the Magento ACL rules, do the following:

  • In your module, create the etc/adminhtml/menu.xml file. This file defines a menu that will be hidden from unauthorized users. The Magento ACL resource attributes on the add nodes determine which resource each menu action requires.
  • You can restrict access to admin controllers by overriding the _isAllowed method of the \Magento\Framework\App\Action\Action class. To do that with Magento ACL, add the following to your module’s Controller/Adminhtml/Create/Index.php file:

    // Runs before the action executes; returning false produces the "Access Denied" page
    protected function _isAllowed()
    {
        return $this->_authorization->isAllowed('Vendor_MyModule::create');
    }

Then, add the following to your module’s Controller/Adminhtml/Delete/Index.php file for Magento ACL:

    // Same check, but against the delete resource declared in acl.xml
    protected function _isAllowed()
    {
        return $this->_authorization->isAllowed('Vendor_MyModule::delete');
    }

If the user does not have the permission, the action page displays an “Access Denied” message instead of running the action.
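The etc/adminhtml/menu.xml file described above, written out as an added example (it is not code from the original article). The custommenu front name and the controller paths are assumptions chosen to match the layout file name used later in the article.

```xml
<?xml version="1.0"?>
<!-- app/code/Vendor/MyModule/etc/adminhtml/menu.xml (added example, not from the article) -->
<config xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
        xsi:noNamespaceSchemaLocation="urn:magento:module:Magento_Backend:etc/menu.xsd">
    <menu>
        <!-- Top-level entry: removed from the admin menu when the role lacks Vendor_MyModule::menu -->
        <add id="Vendor_MyModule::menu"
             title="Custom Menu"
             translate="title"
             module="Vendor_MyModule"
             sortOrder="10"
             resource="Vendor_MyModule::menu"/>
        <!-- Each child names the same resource its controller checks in _isAllowed(),
             so hiding the link and denying the request are governed by one ACL id.
             The "custommenu" front name (assumed) is the route's frontName in routes.xml. -->
        <add id="Vendor_MyModule::create"
             title="Create"
             translate="title"
             module="Vendor_MyModule"
             sortOrder="50"
             parent="Vendor_MyModule::menu"
             action="custommenu/create/index"
             resource="Vendor_MyModule::create"/>
        <add id="Vendor_MyModule::delete"
             title="Delete"
             translate="title"
             module="Vendor_MyModule"
             sortOrder="100"
             parent="Vendor_MyModule::menu"
             action="custommenu/delete/index"
             resource="Vendor_MyModule::delete"/>
        <add id="Vendor_MyModule::view"
             title="View"
             translate="title"
             module="Vendor_MyModule"
             sortOrder="150"
             parent="Vendor_MyModule::menu"
             action="custommenu/view/index"
             resource="Vendor_MyModule::view"/>
    </menu>
</config>
```

Hiding a menu entry is not enforcement on its own: a user who types the controller URL directly is stopped only by the _isAllowed() check in the controller, which is why both must name the same resource.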

  • You may also restrict content for admin users. With the Access Control List, it is possible to render layout blocks conditionally on the page: set the block’s aclResource attribute to the ACL resource id that should gate it.
  • The view/adminhtml/layout/custommenu_view_index.xml file contains two blocks that display information to the end user. One of them is accessible only to users whose role has the Magento ACL Vendor_MyModule::view_additional permission.

When the Vendor_MyModule::view_additional resource is enabled for the role, the result is:

[Figure: the view page with the additional information block rendered]

When the resource is disabled, the content on the page differs:

[Figure: the view page without the additional information block]
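The layout file named above, written out as an added example (not the article’s own code). The block names and template paths are assumptions; the aclResource attribute is the Magento layout attribute the article refers to.

```xml
<?xml version="1.0"?>
<!-- app/code/Vendor/MyModule/view/adminhtml/layout/custommenu_view_index.xml (added example) -->
<page xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
      xsi:noNamespaceSchemaLocation="urn:magento:framework:View/Layout/etc/page_configuration.xsd">
    <body>
        <referenceContainer name="content">
            <!-- Always rendered for anyone who reached this page, i.e. anyone who passed
                 the controller's _isAllowed() check for Vendor_MyModule::view -->
            <block class="Magento\Framework\View\Element\Template"
                   name="custommenu.view.basic"
                   template="Vendor_MyModule::view/basic.phtml"/>
            <!-- Skipped by the layout generator unless the current role is allowed
                 Vendor_MyModule::view_additional; the template is never executed,
                 so nothing in it leaks to the response -->
            <block class="Magento\Framework\View\Element\Template"
                   name="custommenu.view.additional"
                   template="Vendor_MyModule::view/additional.phtml"
                   aclResource="Vendor_MyModule::view_additional"/>
        </referenceContainer>
    </body>
</page>
```

Because view_additional is a child of view in acl.xml, granting only the parent does not imply the child: the second block stays hidden until the child resource is ticked in the role.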

Step 3: Restrict web API access

We can also restrict users from accessing API endpoints with Magento ACL rules. By declaring the resources in the Web API configuration file (etc/webapi.xml), the rules defined in acl.xml restrict access to the corresponding API endpoints.
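An etc/webapi.xml that reuses the resources from the article’s acl.xml, as an added example (not the article’s own file). The routes and the Vendor\MyModule\Api\ItemRepositoryInterface service are assumptions.

```xml
<?xml version="1.0"?>
<!-- app/code/Vendor/MyModule/etc/webapi.xml (added example, not from the article) -->
<routes xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
        xsi:noNamespaceSchemaLocation="urn:magento:module:Magento_Webapi:etc/webapi.xsd">
    <!-- Read endpoint: the caller's token must belong to a role granted Vendor_MyModule::view -->
    <route url="/V1/mymodule/items/:id" method="GET">
        <service class="Vendor\MyModule\Api\ItemRepositoryInterface" method="getById"/>
        <resources>
            <ref name="Vendor_MyModule::view"/>
        </resources>
    </route>
    <!-- Destructive endpoint: gated by the separate delete resource, so a role that can
         only view (or only create) cannot delete through the API either -->
    <route url="/V1/mymodule/items/:id" method="DELETE">
        <service class="Vendor\MyModule\Api\ItemRepositoryInterface" method="deleteById"/>
        <resources>
            <ref name="Vendor_MyModule::delete"/>
        </resources>
    </route>
</routes>
```

The ACL check is enforced by the Web API framework before the service method runs, so the same role configuration from Step 1 decides what an integration token can do.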

Step 4: Check the Magento ACL rule

Finally, these are the places where you put an Access Control List resource to limit access:

  • Admin menu: Put the resource on the menu node to hide the menu if the store owner has not allowed it for the role.
  • System configuration: Put the resource on the section to limit access to that configuration page.
  • Admin controllers: Magento provides the Magento\Framework\AuthorizationInterface type, which you can use to validate the currently logged-in user against a specific Access Control List resource. In a controller you reach that object through the $this->_authorization property, and to check the resource you override the protected _isAllowed() method.

Final words

That concludes the major steps for creating Access Control List rules in Magento 2. Magento ACL is an important but often overlooked part of Magento. Even if you don’t want to slice your extension’s functionality into narrow bands, there are places in the Magento Admin where you’ll need to add the rules. We hope that after reading this article you can set up roles for each user quickly and efficiently.
