Controlling Access to Elements in the Manager

There may be occasions when you want to control access to specific elements (snippets, plugins, chunks, templates, and template variables) in the Manager. You might, for example, want to let users edit some elements but not others, or view them but not edit them. This tutorial will help you create a case where specific users have limited access to a specific set of elements.

Note that this process is exactly the same as the one used for controlling access to resources except that you use Categories instead of Resource Groups. In all other ways, the two processes are identical.

If you want to control access to all elements of a certain type for certain users, that is done with a Context Access ACL entry as explained in this tutorial.

If you simply want to hide some elements from certain users, that's explained in this tutorial.

Preview

Here is a preview of the basic steps necessary to control access to a specific Resource Group for users in a specific User Group:

  • Create the users
  • Create a Role for the users
  • Create a User Group for the users
  • Put the users in the group (and the admin)
  • Create a Category
  • Put the elements in the Category
  • Duplicate the appropriate Policy
  • Create an Element Category Access ACL entry with a Context of "mgr", the Category you created, and the Policy you duplicated
  • Create another Element Category Access ACL entry for the admin with a Context of "mgr", the same Category, and a Policy of "Element"
  • Edit the duplicate Policy to set the appropriate Permissions

Step-by-step Tutorial

Here are the steps for creating Manager users with limited rights to specific elements. The links in the list below are to other mini-tutorials explaining how to perform each step. We'll assume that the user group is called "Editors" and the Category is called "RestrictedElements", although you can use any names as long as you're consistent. If you have performed the first steps in another tutorial, you can skip those steps and use the groups and roles you created.

  1. Create the Users
  2. Create a Role for the users. Call the Role "Editor" and give it an Authority level of 10
  3. Create a User Group called "Editors" and add the users to it with a role of Editor
  4. Add the admin Super user to the User Group with a role of admin Super User
  5. Create a Category. Call it "RestrictedElements" and add the elements to it
  6. Duplicate the standard Element Policy. Call the new Policy "EditorElement" and base it on the Element Template
  7. Create an Element Category Access ACL Entry for the group:
    1. Go to Security | Access Controls
    2. click on the "User Groups" tab if it is not the current tab
    3. Right-click on the "Editors" User Group
    4. Select "Update User Group"
    5. Click on the "Element Category Access" tab
    6. Click on the "Add Category" button
    7. Use the following values in the ACL entry:
      • Category: Restricted Elements
      • Context: mgr
      • Minimum Role: Editor
      • Policy: EditorElement
    8. Click on the "Save" button in the dialog
    9. Create another Element Category Access ACL entry with the following values:
      • Category: Restricted Elements
      • Context: mgr
      • Minimum Role: admin Super User
      • Policy: Element
    10. Click on the "Save" button in the dialog
    11. Click on the "Save" button at the upper right
  8. Edit the EditorElement Policy. Uncheck any Permissions that you don't want the users to have
  9. Click on the "Save" button to save the Policy
  10. Under Security in the Top Menu, select "Flush Permissions". You may also need to Flush All Sessions and clear the site cache before your permissions take effect.
  11. We added the second Element Category Access ACL entry for the admin. Otherwise, the admin Super User would have only those rights granted to the users for the elements in that Category.

    Note that some Permissions are dependent on Permissions in the Policy granted to users in any Context Access ACL entry. If the user does not have the new_snippet Permission there, granting the create Permission here will not let the user create snippets. In order to create snippets, the user must have both Permissions. The user will also need the element_tree context permission in order to see the Element tree at all.

    Security Resources at Bob's Guides

     

    My book, MODX: The Official Guide - Digital Edition is now available here. The paper version of the book is available from Amazon.

    If you have the book and would like to download the code, you can find it here.

    If you have the book and would like to see the updates and corrections page, you can find it here.

    MODX: The Official Guide is 772 pages long and goes far beyond this web site in explaining beginning and advanced MODX techniques. It includes detailed information on:

    • Installing MODX
    • How MODX Works
    • Working with MODX resources and Elements
    • Using Git with MODX
    • Using common MODX add-on components like SPForm, Login, getResources, and FormIt
    • MODX security Permissions
    • Customizing the MODX Manager
    • Using Form Customization
    • Creating Transport Packages
    • MODX and xPDO object methods
    • MODX System Events
    • Using PHP with MODX

    Go here for more information about the book.

    Thank you for visiting BobsGuides.com

      —  Bob Ray