Controlling Access to Resources in the Manager
One of the most common uses for security permissions in MODX Revolution is to control access to specific resources. You might, for example, want to let users edit some resources but not delete them, or edit them but not publish them. This tutorial will help you create a case where specific users have limited access to a specific set of resources.
Note that if you want to control access to all resources for certain users, that is done with a Context Access ACL entry as explained in this tutorial.
If you simply want to hide some resources from certain users, that's explained in this tutorial.
Preview
Here is a preview of the basic steps necessary to control access to a specific Resource Group for users in a specific User Group:
- Create the users
- Create a Role for the users
- Create a User Group for the users
- Put the users in the group (and the admin)
- Create a Resource Group
- Put the Resources in the Resource Group
- Duplicate the appropriate Policy
- Create a Resource Group Access ACL entry with a Context of "mgr", the Resource Group you created, and the Policy you duplicated
- Create another Resource Group Access ACL entry for the admin, with a context of "mgr", the same Resource Group, and a Policy or "Resource"
- Edit the Policy to set the appropriate Permissions
Step-by-step Tutorial
Here are the steps for creating Manager users with limited rights to specific resources. The links in the list below are to other mini-tutorials explaining how to perform each step. We'll assume that the user group is called "Editors" and the Resource Group is called "Editables", although you can use any names as long as you're consistent. If you have performed the first steps in another tutorial, you can skip those steps and use the groups and roles you created.
- Create the Users
- Create a Role for the users. Call the Role "Editor" and give it an Authority level of 10
- Create a User Group called "Editors" and add the users to it with a role of Editor
- Add the admin to the "Editors" User Group with a role of admin Super User
- Create a Resource Group. Call it "Editables" and add the resources to it
- Duplicate the standard Resource Policy. Call the new Policy "EditorResource" and base it on the Resource Template
- Create a Resource Group Access ACL Entry for the group:
- Go to Security | Access Controls
- click on the "User Groups" tab if it is not the current tab
- Right-click on the "Editors" User Group
- Select "Update User Group"
- Click on the "Resource Group Access" tab
- Click on the "Add Resource Group" button
- Use the following values in the ACL entry:
- Resource Group: Editables
- Context: mgr
- Minimum Role: Editor
- Policy: EditorResource
- Click on the "Save" button in the dialog
- Add another ACL entry using the following values:
- Resource Group: Editables
- Context: mgr
- Minimum Role: admin Super User
- Policy: Resource
- Click on the "Save" button in the dialog
- Click on the "Save" button at the upper right
- Edit the EditorResource Policy. Uncheck any Permissions that you don't want the users to have
- Click on the "Save" button to save the Policy
- Under Security in the Top Menu, select "Flush Permissions". You may also need to Flush All Sessions and clear the site cache before your permissions take effect.
- Installing MODX
- How MODX Works
- Working with MODX resources and Elements
- Using Git with MODX
- Using common MODX add-on components like SPForm, Login, getResources, and FormIt
- MODX security Permissions
- Customizing the MODX Manager
- Using Form Customization
- Creating Transport Packages
- MODX and xPDO object methods
- MODX System Events
- Using PHP with MODX
We added the second ACL entry for the admin, otherwise the admin Super User would have had only those rights granted to the Editors for the resources in the Resource Group.
Note that some Permissions are dependent on Permissions in the Policy granted to users in any Context Access ACL entry. If the user does not have the publish_document Permission there, granting the publish Permission here will not let the user publish documents. In order to publish documents, the user must have both Permissions.
Security Resources at Bob's Guides
My book, MODX: The Official Guide - Digital Edition is now available here. The paper version of the book may still be available from Amazon.
If you have the book and would like to download the code, you can find it here.
If you have the book and would like to see the updates and corrections page, you can find it here.
MODX: The Official Guide is 772 pages long and goes far beyond this web site in explaining beginning and advanced MODX techniques. It includes detailed information on:
Go here for more information about the book.
Thank you for visiting BobsGuides.com
— Bob Ray