role based acl
DESCRIPTION
A review of the mechanics behind Joomla's ACL, then a discussion as to how one can leverage a role-based access control system through Joomla - to improve the user experience for those managing the website and its content. Please open the tab below to view my NOTES PER SLIDE.TRANSCRIPT
![Page 1: Role Based ACL](https://reader036.vdocument.in/reader036/viewer/2022062303/55898860d8b42a0c278b46a9/html5/thumbnails/1.jpg)
Role-Based ACLto improve content management
Randy Carey
iCueProject.com
![Page 2: Role Based ACL](https://reader036.vdocument.in/reader036/viewer/2022062303/55898860d8b42a0c278b46a9/html5/thumbnails/2.jpg)
This is the revised 2014 version of my presentation Role-Based ACL.
Many of the slides here have been slightly changed to accommodate annotations. This helps to convey meaning beyond the pictures.
![Page 3: Role Based ACL](https://reader036.vdocument.in/reader036/viewer/2022062303/55898860d8b42a0c278b46a9/html5/thumbnails/3.jpg)
My current work is with the iCueProject.com. Here we see the problem of the CMS is that it provides only one interface to be used by two different types of users…
![Page 4: Role Based ACL](https://reader036.vdocument.in/reader036/viewer/2022062303/55898860d8b42a0c278b46a9/html5/thumbnails/4.jpg)
A better approach is to provide a separate CMS interface to each of the two user types.
Actually, we can do better yet to provide personalized user experiencesfor each user group. The starting point of doing this is with the ACL –and setting up the ACL with roles.
![Page 5: Role Based ACL](https://reader036.vdocument.in/reader036/viewer/2022062303/55898860d8b42a0c278b46a9/html5/thumbnails/5.jpg)
I’ll start by explaining the ‘mechanics’ of Joomla’s ACL.
![Page 6: Role Based ACL](https://reader036.vdocument.in/reader036/viewer/2022062303/55898860d8b42a0c278b46a9/html5/thumbnails/6.jpg)
Then I’ll explain how permissions are calculated.
![Page 7: Role Based ACL](https://reader036.vdocument.in/reader036/viewer/2022062303/55898860d8b42a0c278b46a9/html5/thumbnails/7.jpg)
Then we can move on to Role-Based. What is it? How is it set up?
![Page 8: Role Based ACL](https://reader036.vdocument.in/reader036/viewer/2022062303/55898860d8b42a0c278b46a9/html5/thumbnails/8.jpg)
I’ll show how roles allow to create a personalized user experience
![Page 9: Role Based ACL](https://reader036.vdocument.in/reader036/viewer/2022062303/55898860d8b42a0c278b46a9/html5/thumbnails/9.jpg)
Then I’ll show how to set it up in Joomla.
![Page 10: Role Based ACL](https://reader036.vdocument.in/reader036/viewer/2022062303/55898860d8b42a0c278b46a9/html5/thumbnails/10.jpg)
Then I’ll reference a few tools that make this process easier
![Page 11: Role Based ACL](https://reader036.vdocument.in/reader036/viewer/2022062303/55898860d8b42a0c278b46a9/html5/thumbnails/11.jpg)
ACL Mechanics
![Page 12: Role Based ACL](https://reader036.vdocument.in/reader036/viewer/2022062303/55898860d8b42a0c278b46a9/html5/thumbnails/12.jpg)
![Page 13: Role Based ACL](https://reader036.vdocument.in/reader036/viewer/2022062303/55898860d8b42a0c278b46a9/html5/thumbnails/13.jpg)
Groups are the foundation of Joomla’s ACL.They know only their name and which other group is its parent.They don’t know about any other parts of the ACL or of Joomla. Simple. Yet this allow us to create a rich expression of rolesthrough custom hierarchies.
![Page 14: Role Based ACL](https://reader036.vdocument.in/reader036/viewer/2022062303/55898860d8b42a0c278b46a9/html5/thumbnails/14.jpg)
Users are connected to the ACL by assigning them to groups.This is the only direct connection they have with the ACL.
Each user can be associated to any number of groups and in any combination.
![Page 15: Role Based ACL](https://reader036.vdocument.in/reader036/viewer/2022062303/55898860d8b42a0c278b46a9/html5/thumbnails/15.jpg)
Next we look at what I call “resources.” These are the other parts of Joomla that connect to the ACL. Technically, these are not part of the ACL – they connect to the ACL system only by referencing it.
![Page 16: Role Based ACL](https://reader036.vdocument.in/reader036/viewer/2022062303/55898860d8b42a0c278b46a9/html5/thumbnails/16.jpg)
Currently, permissions are provided only by the site configuration,by components (and their categories/items), and by modules. Menu items and plugins do not implement permissions.
Permissions are part of the ACL, but it is the responsibility of the resource to provide a list of “actions” for which the ACL can assign permissions.Unfortunately, in some cases, developers don’t do this.
![Page 17: Role Based ACL](https://reader036.vdocument.in/reader036/viewer/2022062303/55898860d8b42a0c278b46a9/html5/thumbnails/17.jpg)
Another thing to note…
For each resource, the permissions screen automatically presentsus with the set of user groups currently held by the ACL. And within each of these user groups is the set of actions that the resource declares.
So permissions are always within the context of the resource first, then within each of the groups, and finally (within each group) assigned per action.
![Page 18: Role Based ACL](https://reader036.vdocument.in/reader036/viewer/2022062303/55898860d8b42a0c278b46a9/html5/thumbnails/18.jpg)
In contrast to permissions, all resources reference access levels.Also in contrast to permissions, each resource references one-and-only-one access level.
![Page 19: Role Based ACL](https://reader036.vdocument.in/reader036/viewer/2022062303/55898860d8b42a0c278b46a9/html5/thumbnails/19.jpg)
Each access level simply defines some set of groups.If any person belongs to any of the groups selected by that access level item,Then that person is included by this access item. So for any resource, the ACL evaluates if the current user is included by thatResource’s access level. If so, then the user has access to the resource. If not, then the user does not have access.
![Page 20: Role Based ACL](https://reader036.vdocument.in/reader036/viewer/2022062303/55898860d8b42a0c278b46a9/html5/thumbnails/20.jpg)
Note: a better term for this item is access list – as its role is to provide a formula that determines which users that are included (having access).
These do not confer “level,” and that term is an unfortunate carry-over from the ACL in 1.5.
![Page 21: Role Based ACL](https://reader036.vdocument.in/reader036/viewer/2022062303/55898860d8b42a0c278b46a9/html5/thumbnails/21.jpg)
One more look at the ACL diagram.
![Page 22: Role Based ACL](https://reader036.vdocument.in/reader036/viewer/2022062303/55898860d8b42a0c278b46a9/html5/thumbnails/22.jpg)
ACL
permissions personalization
When we think of ACL we probably think “permissions.” but “permissions is Just one side of the coin. The other side is “personalization.”
Next we’ll discuss permissions. But later we will talk about personalization.
![Page 23: Role Based ACL](https://reader036.vdocument.in/reader036/viewer/2022062303/55898860d8b42a0c278b46a9/html5/thumbnails/23.jpg)
Permissions (& actions)
![Page 24: Role Based ACL](https://reader036.vdocument.in/reader036/viewer/2022062303/55898860d8b42a0c278b46a9/html5/thumbnails/24.jpg)
Permissions (& actions)
Permissions are managed by the ACL, but for logical reasons, the component is responsible for three things. Let’s look at those…
![Page 25: Role Based ACL](https://reader036.vdocument.in/reader036/viewer/2022062303/55898860d8b42a0c278b46a9/html5/thumbnails/25.jpg)
Permissions (& actions)
1
For permissions to apply to a component, that component must declare a list of actions relevant for it and its data.Below you see the traditional/core actions (create, delete, edit, etc.)
![Page 26: Role Based ACL](https://reader036.vdocument.in/reader036/viewer/2022062303/55898860d8b42a0c278b46a9/html5/thumbnails/26.jpg)
Permissions (& actions)
1
But many developers can do better by offering actions specific to thecomponent’s type and data.
Shown to the left here are the rich setof actions provided by EasyBlog.
![Page 27: Role Based ACL](https://reader036.vdocument.in/reader036/viewer/2022062303/55898860d8b42a0c278b46a9/html5/thumbnails/27.jpg)
Permissions (& actions)
1
2The component is responsible for offering ACL at the desired level of granularity:
component, category, and item.
The ACL cannot force a component to implement permissions – even at the component level. Frustratingly, some developers don’t offer any permissions on their extension!
![Page 28: Role Based ACL](https://reader036.vdocument.in/reader036/viewer/2022062303/55898860d8b42a0c278b46a9/html5/thumbnails/28.jpg)
Permissions (& actions)rc
1
2
3
enforce result
It is the component’s responsibility to enforce permissions and to enforce them correctly.
The ACL can only respond as to whether or not the current user has permission, but the ACL itself cannot enforce the permission.
![Page 29: Role Based ACL](https://reader036.vdocument.in/reader036/viewer/2022062303/55898860d8b42a0c278b46a9/html5/thumbnails/29.jpg)
calculatingpermission
Now we look at how the ACL calculates a permission.
![Page 30: Role Based ACL](https://reader036.vdocument.in/reader036/viewer/2022062303/55898860d8b42a0c278b46a9/html5/thumbnails/30.jpg)
1. for a particular action
![Page 31: Role Based ACL](https://reader036.vdocument.in/reader036/viewer/2022062303/55898860d8b42a0c278b46a9/html5/thumbnails/31.jpg)
1. for a particular action2. Each of the user’s groups
The ACL considers each group to which the user belongs.
Keep in mind that if a user belongs to a group with a parent, then the ACL assumes the user belongs to each parent group tracing back to Public. In this example, belonging to B1 also includes user group B.
![Page 32: Role Based ACL](https://reader036.vdocument.in/reader036/viewer/2022062303/55898860d8b42a0c278b46a9/html5/thumbnails/32.jpg)
The formula is simple.
FIRST: Consider the permission settings for each group to which the user belongs – without considering where that group falls within the group hierarchy.
![Page 33: Role Based ACL](https://reader036.vdocument.in/reader036/viewer/2022062303/55898860d8b42a0c278b46a9/html5/thumbnails/33.jpg)
THEN: Evaluate the set of permission settings (in any order)• If all the permissions are set to Inherit, the result is deny.• If at least one permission is Allow but none are Deny, the result is allow.• If any one of the permissions is Deny, the result is deny – regardless of any other Allows that might be present. A single Deny anywhere results in deny.
![Page 34: Role Based ACL](https://reader036.vdocument.in/reader036/viewer/2022062303/55898860d8b42a0c278b46a9/html5/thumbnails/34.jpg)
1. for a particular action2. Each of the user’s groups3. For extension, category, & object
The same applies to when we need to include the permissions on categories and objects.
Just look at the permission settings of each of the user’s groups at each level: component, category, and object.
![Page 35: Role Based ACL](https://reader036.vdocument.in/reader036/viewer/2022062303/55898860d8b42a0c278b46a9/html5/thumbnails/35.jpg)
1. for a particular action2. Each of the user’s groups3. For extension, category, & object
Rely on the same formula:
• All Inherits is deny.• One or more Allow is allow• A single Deny cancels all Allows and results in deny
![Page 36: Role Based ACL](https://reader036.vdocument.in/reader036/viewer/2022062303/55898860d8b42a0c278b46a9/html5/thumbnails/36.jpg)
So let’s look a permission calculcations from a different data model…
![Page 37: Role Based ACL](https://reader036.vdocument.in/reader036/viewer/2022062303/55898860d8b42a0c278b46a9/html5/thumbnails/37.jpg)
If the component level is set to Allow and nothing is set on the category or object…
All items are allowed. All new items are allowed. All new items in a new category will be allowed.
![Page 38: Role Based ACL](https://reader036.vdocument.in/reader036/viewer/2022062303/55898860d8b42a0c278b46a9/html5/thumbnails/38.jpg)
If the component level is not set…
All items allowed – even new items within this category.
No items are allowed – new items will not be allowed.
Selected items are allowed – other are not allowed and new items will not be allowed
![Page 39: Role Based ACL](https://reader036.vdocument.in/reader036/viewer/2022062303/55898860d8b42a0c278b46a9/html5/thumbnails/39.jpg)
All items denied – even new items within this category.
The Denied items are denied, but All other items and those that are created later will be allowed
All items denyed – even new items within this category.Even an Allow on the item will notundo the Deny on the category.
When the component is allowed by a Deny is set inside it…
![Page 40: Role Based ACL](https://reader036.vdocument.in/reader036/viewer/2022062303/55898860d8b42a0c278b46a9/html5/thumbnails/40.jpg)
ACL Manager is a great tool for helping you see the results of your ACL settings.
![Page 41: Role Based ACL](https://reader036.vdocument.in/reader036/viewer/2022062303/55898860d8b42a0c278b46a9/html5/thumbnails/41.jpg)
RBAC1
Let’s look at how Role-based ACL looks
![Page 42: Role Based ACL](https://reader036.vdocument.in/reader036/viewer/2022062303/55898860d8b42a0c278b46a9/html5/thumbnails/42.jpg)
RBAC1
Users can be assigned to one or more roles. The thin lines denote these connections are easily made or changed
Users Roles Permissions
The ACL Rules assigns permissions to each role. The thick arrows denote that these do not change often and can demand more technical knowledge to set up.
![Page 43: Role Based ACL](https://reader036.vdocument.in/reader036/viewer/2022062303/55898860d8b42a0c278b46a9/html5/thumbnails/43.jpg)
RBAC1
Joomla accommodates this. If we treat a user group as a role, then we have what we need to implement role-based access control.
Users are assigned to one or more roles. Each role is assigned
to a set of permissions
![Page 44: Role Based ACL](https://reader036.vdocument.in/reader036/viewer/2022062303/55898860d8b42a0c278b46a9/html5/thumbnails/44.jpg)
1.5 vs 2.5/3.x
![Page 45: Role Based ACL](https://reader036.vdocument.in/reader036/viewer/2022062303/55898860d8b42a0c278b46a9/html5/thumbnails/45.jpg)
1.5 vs 2.5/3.x
1.5 delivered a totem-pole approach to groups.
2.5 allows for sibling groups.
![Page 46: Role Based ACL](https://reader036.vdocument.in/reader036/viewer/2022062303/55898860d8b42a0c278b46a9/html5/thumbnails/46.jpg)
1.5 vs 2.5/3.x
1.5 has a fixed set of groups
2.5 allows us to create groups as we need them……and to place them wherever we want within the group hierarchy.
![Page 47: Role Based ACL](https://reader036.vdocument.in/reader036/viewer/2022062303/55898860d8b42a0c278b46a9/html5/thumbnails/47.jpg)
1.5 vs 2.5/3.x
In 1.5 a user belonged to one place on the ‘totem pole’ of groups.
In 2.5 we can assign any user to any combination of groups
![Page 48: Role Based ACL](https://reader036.vdocument.in/reader036/viewer/2022062303/55898860d8b42a0c278b46a9/html5/thumbnails/48.jpg)
1.5 vs 2.5/3.x
In 1.5 the permission were pre-assigned are rather fixed for each group
In 2.5 a component can declare the actions, and each actin can have its own permissions settings. We can set a permission as we want: on whichever actions for whichever groups.
![Page 49: Role Based ACL](https://reader036.vdocument.in/reader036/viewer/2022062303/55898860d8b42a0c278b46a9/html5/thumbnails/49.jpg)
1.5 vs 2.5/3.x
Since 2.5 we can set permissions at the category and object levels.
![Page 50: Role Based ACL](https://reader036.vdocument.in/reader036/viewer/2022062303/55898860d8b42a0c278b46a9/html5/thumbnails/50.jpg)
1.5 vs 2.5/3.x
And the new ACL allows developers to declare a rich set of actions that arespecific to the component.
![Page 51: Role Based ACL](https://reader036.vdocument.in/reader036/viewer/2022062303/55898860d8b42a0c278b46a9/html5/thumbnails/51.jpg)
1.5 vs 2.5/3.x
Whereas the old ACL gave us only 3 access levels …that imposed levels (no sibling items) ...and we could not change
In the new ACL we have real access lists …we create as many as we want …each item is a sibling (no imposed levels) …we can configure each as we want/need
![Page 52: Role Based ACL](https://reader036.vdocument.in/reader036/viewer/2022062303/55898860d8b42a0c278b46a9/html5/thumbnails/52.jpg)
The new ACL offers so much more than the old one did.
So why does the 2.5 and 3.x ACL look so similar!?!
![Page 53: Role Based ACL](https://reader036.vdocument.in/reader036/viewer/2022062303/55898860d8b42a0c278b46a9/html5/thumbnails/53.jpg)
1.5 2.5/3.xThe new ACL offers so much more than the old one did.
But to help users understand the ACL, the out-of-the-box configuration mimicked what users knew from 1.5.
…The unintended consequence is that many 2.5 users maintained their 1.5 mindset about the new ACL. But the new ACL was not meant to be limited to that!
![Page 54: Role Based ACL](https://reader036.vdocument.in/reader036/viewer/2022062303/55898860d8b42a0c278b46a9/html5/thumbnails/54.jpg)
1.5 2.5/3.x role-based
The role-based approach exploits the new features of Joomla’s ACL and it leads us to a different look.
![Page 55: Role Based ACL](https://reader036.vdocument.in/reader036/viewer/2022062303/55898860d8b42a0c278b46a9/html5/thumbnails/55.jpg)
What does a role-based system look like
just enough
![Page 56: Role Based ACL](https://reader036.vdocument.in/reader036/viewer/2022062303/55898860d8b42a0c278b46a9/html5/thumbnails/56.jpg)
What does a role-based system look like
isolated and typically non-overlapping
![Page 57: Role Based ACL](https://reader036.vdocument.in/reader036/viewer/2022062303/55898860d8b42a0c278b46a9/html5/thumbnails/57.jpg)
What does a role-based system look like
assigned to more than one role
![Page 58: Role Based ACL](https://reader036.vdocument.in/reader036/viewer/2022062303/55898860d8b42a0c278b46a9/html5/thumbnails/58.jpg)
What does a role-based system look like
share the same role
![Page 59: Role Based ACL](https://reader036.vdocument.in/reader036/viewer/2022062303/55898860d8b42a0c278b46a9/html5/thumbnails/59.jpg)
What does a role-based system look like
business concept
of its roles
name,capabilities
![Page 60: Role Based ACL](https://reader036.vdocument.in/reader036/viewer/2022062303/55898860d8b42a0c278b46a9/html5/thumbnails/60.jpg)
Each user can be assigned his own set of roles.
![Page 61: Role Based ACL](https://reader036.vdocument.in/reader036/viewer/2022062303/55898860d8b42a0c278b46a9/html5/thumbnails/61.jpg)
What does a role-based system look like
easily added, removed, or transferred among users
![Page 62: Role Based ACL](https://reader036.vdocument.in/reader036/viewer/2022062303/55898860d8b42a0c278b46a9/html5/thumbnails/62.jpg)
What does role-based buy us?
![Page 63: Role Based ACL](https://reader036.vdocument.in/reader036/viewer/2022062303/55898860d8b42a0c278b46a9/html5/thumbnails/63.jpg)
What does role-based buy us?
Security – for the client and stake holders
principle of least privileges
![Page 64: Role Based ACL](https://reader036.vdocument.in/reader036/viewer/2022062303/55898860d8b42a0c278b46a9/html5/thumbnails/64.jpg)
What does role-based buy us?
Usability – for those using the CMS
![Page 65: Role Based ACL](https://reader036.vdocument.in/reader036/viewer/2022062303/55898860d8b42a0c278b46a9/html5/thumbnails/65.jpg)
What does role-based buy us?
Flexibility
– as staff and staff assignments change over time
![Page 66: Role Based ACL](https://reader036.vdocument.in/reader036/viewer/2022062303/55898860d8b42a0c278b46a9/html5/thumbnails/66.jpg)
What does role-based buy us?
Ease of Comprehension– for business people using the CMS
A staff person does not have to understand ACL and permissions to quickly and easily assign a person to a role.
![Page 67: Role Based ACL](https://reader036.vdocument.in/reader036/viewer/2022062303/55898860d8b42a0c278b46a9/html5/thumbnails/67.jpg)
Setting up a role-based system
![Page 68: Role Based ACL](https://reader036.vdocument.in/reader036/viewer/2022062303/55898860d8b42a0c278b46a9/html5/thumbnails/68.jpg)
roles
permissions personalization
Now its time to look at the other side of the coin – using roles to reflect personalization of the user’s experience with the CMS.
![Page 69: Role Based ACL](https://reader036.vdocument.in/reader036/viewer/2022062303/55898860d8b42a0c278b46a9/html5/thumbnails/69.jpg)
Role-Based Joomla!We can leverage roles to reflect what the user sees when logging in to the backend
![Page 70: Role Based ACL](https://reader036.vdocument.in/reader036/viewer/2022062303/55898860d8b42a0c278b46a9/html5/thumbnails/70.jpg)
County Auditor’s dashboard
I built a site for a county that had over 20 departments. Each department was represented by a role (user group). When a staff member logged in, she would see the quick links for the department to which she belonged.Here is what the staff for the Auditor/Treasurer would see.
![Page 71: Role Based ACL](https://reader036.vdocument.in/reader036/viewer/2022062303/55898860d8b42a0c278b46a9/html5/thumbnails/71.jpg)
Auditor’s department pages
And each link led to a list of items with the filter preset to those of that department’s category.
![Page 72: Role Based ACL](https://reader036.vdocument.in/reader036/viewer/2022062303/55898860d8b42a0c278b46a9/html5/thumbnails/72.jpg)
Auditor’s JCE settings
The JCE editor was preset so that its image manager and document manager would give that user access only to the directory dedicated to that department.
A user could not add or delete assets only for any department but his own.
![Page 73: Role Based ACL](https://reader036.vdocument.in/reader036/viewer/2022062303/55898860d8b42a0c278b46a9/html5/thumbnails/73.jpg)
County Sheriff’s dashboard
Here is the view of the Sheriff’s department, which contains two additional roles.
![Page 74: Role Based ACL](https://reader036.vdocument.in/reader036/viewer/2022062303/55898860d8b42a0c278b46a9/html5/thumbnails/74.jpg)
County Webmaster’s dashboard
The person who is a site’s webmaster usually includes multiple administrative roles – including access to site reports.
![Page 75: Role Based ACL](https://reader036.vdocument.in/reader036/viewer/2022062303/55898860d8b42a0c278b46a9/html5/thumbnails/75.jpg)
beforeafter
HikaShop product pageOne can use roles to show only the form fields that a user needs to access. This usually takes a little bit of code in a layout override.I am developing a tool that allows a site integrator to configure this per role, without having to code the solution.
![Page 76: Role Based ACL](https://reader036.vdocument.in/reader036/viewer/2022062303/55898860d8b42a0c278b46a9/html5/thumbnails/76.jpg)
Setting up Roles
![Page 77: Role Based ACL](https://reader036.vdocument.in/reader036/viewer/2022062303/55898860d8b42a0c278b46a9/html5/thumbnails/77.jpg)
I first create a base usergroup that grants nothing but access to the backend. All backend roles will extend from this.
![Page 78: Role Based ACL](https://reader036.vdocument.in/reader036/viewer/2022062303/55898860d8b42a0c278b46a9/html5/thumbnails/78.jpg)
![Page 79: Role Based ACL](https://reader036.vdocument.in/reader036/viewer/2022062303/55898860d8b42a0c278b46a9/html5/thumbnails/79.jpg)
Role-based implies:
Then I create a user group (white) for each role, and an access level item (red) for each of these role-based user groups. Each of these access level items includes only it’s associated user group.
![Page 80: Role Based ACL](https://reader036.vdocument.in/reader036/viewer/2022062303/55898860d8b42a0c278b46a9/html5/thumbnails/80.jpg)
![Page 81: Role Based ACL](https://reader036.vdocument.in/reader036/viewer/2022062303/55898860d8b42a0c278b46a9/html5/thumbnails/81.jpg)
Typically, a role will be associated with only one component. Set the permissions on this role only for that component and for that role’s user group. Leave all other permissions as inherit.
![Page 82: Role Based ACL](https://reader036.vdocument.in/reader036/viewer/2022062303/55898860d8b42a0c278b46a9/html5/thumbnails/82.jpg)
Create an access level item for each role. For each of these access level items, assign it to include only the corresponding user group.
![Page 83: Role Based ACL](https://reader036.vdocument.in/reader036/viewer/2022062303/55898860d8b42a0c278b46a9/html5/thumbnails/83.jpg)
My preference is to prefix each role-based access level with a tilde ~. It helps me navigate the dropdown list when assigning an access level.
![Page 84: Role Based ACL](https://reader036.vdocument.in/reader036/viewer/2022062303/55898860d8b42a0c278b46a9/html5/thumbnails/84.jpg)
Then I create an admin module of quick links for each role. The access level for each of these access levels is set accordingly.
![Page 85: Role Based ACL](https://reader036.vdocument.in/reader036/viewer/2022062303/55898860d8b42a0c278b46a9/html5/thumbnails/85.jpg)
The admin template uses module positions, so identify the position to use for each of your role-based admin modules.
![Page 86: Role Based ACL](https://reader036.vdocument.in/reader036/viewer/2022062303/55898860d8b42a0c278b46a9/html5/thumbnails/86.jpg)
As a result, one sees only the quick links modules for the roles to which she is assigned.
![Page 87: Role Based ACL](https://reader036.vdocument.in/reader036/viewer/2022062303/55898860d8b42a0c278b46a9/html5/thumbnails/87.jpg)
assignment
Often overlooked is the important role of user manager. This itself should be a role, and whoever is assigned it has the power of your ACL in his hands.
![Page 88: Role Based ACL](https://reader036.vdocument.in/reader036/viewer/2022062303/55898860d8b42a0c278b46a9/html5/thumbnails/88.jpg)
User ManagerLet’s make a role for User Manager…
![Page 89: Role Based ACL](https://reader036.vdocument.in/reader036/viewer/2022062303/55898860d8b42a0c278b46a9/html5/thumbnails/89.jpg)
![Page 90: Role Based ACL](https://reader036.vdocument.in/reader036/viewer/2022062303/55898860d8b42a0c278b46a9/html5/thumbnails/90.jpg)
![Page 91: Role Based ACL](https://reader036.vdocument.in/reader036/viewer/2022062303/55898860d8b42a0c278b46a9/html5/thumbnails/91.jpg)
![Page 92: Role Based ACL](https://reader036.vdocument.in/reader036/viewer/2022062303/55898860d8b42a0c278b46a9/html5/thumbnails/92.jpg)
Now, anyone assigned to just the role of User Manager will see this
![Page 93: Role Based ACL](https://reader036.vdocument.in/reader036/viewer/2022062303/55898860d8b42a0c278b46a9/html5/thumbnails/93.jpg)
…and have access to set things like password, a changed email address, user groups, the backend template that a user should see, etc.
![Page 94: Role Based ACL](https://reader036.vdocument.in/reader036/viewer/2022062303/55898860d8b42a0c278b46a9/html5/thumbnails/94.jpg)
Personalization of the client’s user experience is a major part of the work that I’m exploring and developing through the iCue Project.
![Page 95: Role Based ACL](https://reader036.vdocument.in/reader036/viewer/2022062303/55898860d8b42a0c278b46a9/html5/thumbnails/95.jpg)
Areas to personalize
dashboard: personalized linkspre-filtered listedit screenedit toolbarmedia manager
![Page 96: Role Based ACL](https://reader036.vdocument.in/reader036/viewer/2022062303/55898860d8b42a0c278b46a9/html5/thumbnails/96.jpg)
Dashboard - links
![Page 97: Role Based ACL](https://reader036.vdocument.in/reader036/viewer/2022062303/55898860d8b42a0c278b46a9/html5/thumbnails/97.jpg)
Pre-filtered lists
![Page 98: Role Based ACL](https://reader036.vdocument.in/reader036/viewer/2022062303/55898860d8b42a0c278b46a9/html5/thumbnails/98.jpg)
tailored edit form
![Page 99: Role Based ACL](https://reader036.vdocument.in/reader036/viewer/2022062303/55898860d8b42a0c278b46a9/html5/thumbnails/99.jpg)
tailored edit form
This is Form Field Manager, a tool being developed through the iCue Project
![Page 100: Role Based ACL](https://reader036.vdocument.in/reader036/viewer/2022062303/55898860d8b42a0c278b46a9/html5/thumbnails/100.jpg)
Edit Toolbar
![Page 101: Role Based ACL](https://reader036.vdocument.in/reader036/viewer/2022062303/55898860d8b42a0c278b46a9/html5/thumbnails/101.jpg)
iCueProject.com
a suite of extentions to provide role-based personalization.to be available through the iCue Project
![Page 102: Role Based ACL](https://reader036.vdocument.in/reader036/viewer/2022062303/55898860d8b42a0c278b46a9/html5/thumbnails/102.jpg)
Role-Based ACLto improve content management
Randy Carey
iCueProject.com