ACL (Access Control List) in Magento 2

What is ACL?

ACL (Access Control List) in Magento 2 is a security mechanism used to control access to different parts of the Admin Panel.

It allows you to define which admin users (roles) can view, edit, delete, or manage specific resources in the system.

This ensures proper role-based access and protects sensitive data from unauthorized users.

Key Concepts of ACL

  • Resource: A permission defined in acl.xml (e.g., view, edit, delete).
  • Role: A group of permissions assigned to admin users.
  • Rule: Mapping between roles and resources.

Where ACL is Used

  • Admin Menu (menu.xml)
  • Admin Controllers
  • UI Components (buttons, grids)
  • Web APIs (webapi.xml)

How ACL Works

ACL in Magento 2 works in a hierarchical structure:

  • All custom resources must be nested under the root resource Magento_Backend::admin in acl.xml
  • Resources are granted to roles in the Admin Panel, and roles are assigned to admin users
  • Magento checks the current user's role against the resource before allowing access to it

Step 1: Create acl.xml

This file declares the module's custom permissions (resources) as a tree beneath Magento_Backend::admin.

(File: app/code/Vendor/Module/etc/acl.xml)




Step 2: Add Menu with ACL

Menu visibility is controlled by the menu item's resource attribute, which must reference a resource ID defined in acl.xml; items whose resource the role lacks are hidden.

(File: app/code/Vendor/Module/etc/adminhtml/menu.xml)




Step 3: Create Admin Route

This registers the front name used in the module's admin URLs and maps it to the module's adminhtml controllers.

(File: app/code/Vendor/Module/etc/adminhtml/routes.xml)




Step 4: Restrict Controller Access

Set the ADMIN_RESOURCE constant in the controller to the resource ID that protects it. Magento's backend action base class checks this constant before dispatching; if a controller does not override it, the check falls back to Magento_Backend::admin, which every admin user holds.




Step 5: Restrict UI Components

You can control button visibility in admin UI components with ACL by checking the relevant resource (for example through the authorization service's isAllowed() call) before the button is rendered.




Step 6: Restrict API Access

ACL also secures web APIs: each route in webapi.xml lists the resources a caller must hold, and requests that fail this check are rejected.

(File: app/code/Vendor/Module/etc/webapi.xml)




How to Create Role in Admin

  • Go to System → Permissions → User Roles
  • Click "Add New Role"
  • Select your custom module permissions
  • Assign role to admin user

Common Mistakes

  • Resource ID mismatch between acl.xml and the controller's ADMIN_RESOURCE (or a menu/API reference), so the permission never matches
  • Parent resource not selected
  • Missing ADMIN_RESOURCE (security risk: the controller falls back to Magento_Backend::admin and is reachable by every admin user)
  • Not flushing the cache after changing acl.xml or menu.xml, so the old configuration is still served
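The following is an added example, not code from the original article or from Magento itself. It ties Steps 1 to 6 together with the mistakes listed above: the six files are constructed samples for a hypothetical Vendor_Module (the module name, resource IDs, URLs and file names are assumptions), and a small checker parses them to confirm that every resource hangs off Magento_Backend::admin, that every menu item, API route and controller references a resource that acl.xml actually defines, and that no controller has silently fallen back to the default resource. The default-resource fact it relies on is Magento's own: a backend controller without ADMIN_RESOURCE is checked against Magento_Backend::admin.

```python
"""Constructed ACL consistency check for a hypothetical Vendor_Module (example, not Magento code)."""
import re
import xml.etree.ElementTree as ET

ROOT_RESOURCE = "Magento_Backend::admin"          # every custom resource must descend from this
DEFAULT_ADMIN_RESOURCE = "Magento_Backend::admin"  # what a controller without ADMIN_RESOURCE is checked against

# Step 1: constructed app/code/Vendor/Module/etc/acl.xml
ACL_XML = """<?xml version="1.0"?>
<config xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
        xsi:noNamespaceSchemaLocation="urn:magento:framework:Acl/etc/acl.xsd">
  <acl><resources>
    <resource id="Magento_Backend::admin">
      <resource id="Vendor_Module::module" title="Vendor Module" sortOrder="100">
        <resource id="Vendor_Module::view" title="View Items" sortOrder="10"/>
        <resource id="Vendor_Module::edit" title="Edit Items" sortOrder="20"/>
        <resource id="Vendor_Module::delete" title="Delete Items" sortOrder="30"/>
      </resource>
    </resource>
  </resources></acl>
</config>"""

# Step 2: constructed etc/adminhtml/menu.xml (resource attributes must exist in acl.xml)
MENU_XML = """<?xml version="1.0"?>
<config xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
        xsi:noNamespaceSchemaLocation="urn:magento:module:Magento_Backend:etc/menu.xsd">
  <menu>
    <add id="Vendor_Module::module" title="Vendor Module" module="Vendor_Module"
         sortOrder="100" resource="Vendor_Module::module"/>
    <add id="Vendor_Module::items" title="Items" module="Vendor_Module" sortOrder="10"
         parent="Vendor_Module::module" action="vendor_module/item/index"
         resource="Vendor_Module::view"/>
  </menu>
</config>"""

# Step 6: constructed etc/webapi.xml (each route lists the resources a caller must hold)
WEBAPI_XML = """<?xml version="1.0"?>
<routes xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
        xsi:noNamespaceSchemaLocation="urn:magento:module:Magento_Webapi:etc/webapi.xsd">
  <route url="/V1/vendor-module/items" method="GET">
    <service class="Vendor\\Module\\Api\\ItemRepositoryInterface" method="getList"/>
    <resources><resource ref="Vendor_Module::view"/></resources>
  </route>
  <route url="/V1/vendor-module/items/:id" method="DELETE">
    <service class="Vendor\\Module\\Api\\ItemRepositoryInterface" method="deleteById"/>
    <resources><resource ref="Vendor_Module::delete"/></resources>
  </route>
</routes>"""

# Step 4: one constructed controller that sets ADMIN_RESOURCE and one that forgot it
CONTROLLER_OK = """<?php
namespace Vendor\\Module\\Controller\\Adminhtml\\Item;
class Delete extends \\Magento\\Backend\\App\\Action
{
    const ADMIN_RESOURCE = 'Vendor_Module::delete';
}"""
CONTROLLER_MISSING = """<?php
namespace Vendor\\Module\\Controller\\Adminhtml\\Item;
class Save extends \\Magento\\Backend\\App\\Action
{
}"""


def acl_resources(acl_xml):
    """Return {resource_id: parent_id} for every <resource> element in acl.xml."""
    tree = {}

    def walk(node, parent):
        for child in node.findall("resource"):
            tree[child.get("id")] = parent
            walk(child, child.get("id"))

    walk(ET.fromstring(acl_xml).find("acl/resources"), None)
    return tree


def referenced_resources(menu_xml, webapi_xml):
    """Collect every resource ID that menu.xml and webapi.xml point at, keyed by where it is used."""
    refs = {}
    for add in ET.fromstring(menu_xml).iter("add"):
        refs["menu:" + add.get("id")] = add.get("resource")
    for route in ET.fromstring(webapi_xml).iter("route"):
        for res in route.iter("resource"):
            refs["api:%s %s" % (route.get("method"), route.get("url"))] = res.get("ref")
    return refs


def controller_resource(php_source):
    """Return the controller's ADMIN_RESOURCE, or None when the constant is not overridden."""
    match = re.search(r"ADMIN_RESOURCE\s*=\s*'([^']+)'", php_source)
    return match.group(1) if match else None


def check_acl(acl_xml, refs, controllers):
    """Return a list of findings (empty list means the ACL wiring is consistent)."""
    findings = []
    tree = acl_resources(acl_xml)
    for rid, parent in tree.items():
        if rid != ROOT_RESOURCE and parent is None:   # top-level resource other than the root
            findings.append("%s is not nested under %s" % (rid, ROOT_RESOURCE))
    for where, rid in refs.items():
        if rid not in tree:
            findings.append("%s references undefined resource %s" % (where, rid))
    for name, source in controllers.items():
        rid = controller_resource(source)
        if rid is None or rid == DEFAULT_ADMIN_RESOURCE:
            findings.append("%s: no ADMIN_RESOURCE, falls back to %s so any admin user can reach it"
                            % (name, DEFAULT_ADMIN_RESOURCE))
        elif rid not in tree:
            findings.append("%s: ADMIN_RESOURCE %s not defined in acl.xml" % (name, rid))
    return findings


if __name__ == "__main__":
    controllers = {"Item/Delete.php": CONTROLLER_OK, "Item/Save.php": CONTROLLER_MISSING}
    for finding in check_acl(ACL_XML, referenced_resources(MENU_XML, WEBAPI_XML), controllers):
        print("FINDING:", finding)
```

Run against the correct files only, check_acl() returns an empty list; with the Save controller included it reports the missing ADMIN_RESOURCE, and a typo in a menu item's resource attribute shows up as an undefined-resource finding. The same kind of walk over a real module's etc/ and Controller/Adminhtml/ directories is a cheap pre-deploy check for the first and third mistakes in the list above.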

Best Practices

  • Use granular permissions (view, edit, delete)
  • Keep resource IDs consistent across files
  • Always define ACL for admin controllers
  • Use ACL in UI components and APIs

Conclusion

ACL is a core security feature in Magento 2 that enables role-based access control in the Admin Panel.

By properly implementing ACL, you can ensure your module is secure, scalable, and enterprise-ready.