Joomla allows site administrators to place Users into multiple Groups. The Permission Settings article explains that Permissions are applied to Groups and not to individual Users. Thus, a User receives Permissions based on the Group or Groups that he or she belongs to. If a User is placed into one User Group, that User only has the Permissions belonging to that group. It s a simple concept. However, it is less clear when the User is a member of multiple Groups. This article explains how Permissions are assigned to a user that is a member of multiple Groups, as well as how to view the Permissions that are assigned to an individual User. We recommend that you read the our article on Permissions Inheritance; many of the concepts explained in that article are relevant here.
As explained earlier in this series of articles, Permissions in Joomla can be set to one of three settings: Not Set, Allowed, and Denied. The "Allowed" settings grant that Permission, and the"Not Set" and "Denied" settings take away Permission. But what happens when a User is assigned to two or more groups and Permissions in one Group are set differently than they are in the other Group? In that scenario, the "Allowed" setting will override the "Not Set" setting, and the "Denied" setting will override both the "Allowed" and "Not Set" settings.
To illustrate how this works, let’s create an example. Let’s say you have created a Group called Contributors which has the Create and Edit Own permissions set to "Allowed", the Delete permission set to "Denied", and all other Permissions set to "Not Set". You have also created a user named Bob, and placed him into the Contributors and Registered Groups. The Registered Group is a preset group within your Joomla! application. It has the Site Login Permission set to "Allowed", and all other Permissions set to "Not Set". With this setup, Bob will receive the Site Login, Create, and Edit Own Permissions.
Now let’s say you add Bob to the Manager Group which has Site Login, Admin Login, Create, Delete, Edit, Edit State, and Edit Own Permissions set to "Allowed". The other Permissions are set to "Not Set". At this point, Bob will now receive the Site Login, Admin Login, Create, Edit, Edit State, and Edit Own Permissions. You may be wondering why Bob does not receive the Delete permission since the Manager Group has the Delete Permission set to "Allowed". This is due to the fact that the Contributors Group (which Bob is a part of) has the Delete Permission set to "Denied" - this will override the "Allowed" setting in the Manager Group. To make it easier to see how these settings are applied to Bob, the table below lists the settings for each Permission in each of the groups that Bob is assigned to and the end result:
As you can see, figuring out which Permissions have been given to an individual User that is in multiple Groups can become difficult rather quickly. To make things a bit easier, Joomla includes a built-in tool to view all of the Permissions that have been assigned to an individual User. To turn this feature on, go to Global Configuration are from the control panel in the Administration area (the back end) of your site.
Go to the System tab, and enable the Debug System option by clicking on "Yes". Be sure to save your work when you're done.
Next, go to the User Manager.
Once inside the User Manager, you'll notice a Debug Permissions Report button next to each User's name.
You will also see this button next to each Group in the Group Manager.
The Debug Permissions Report will show you which Permissions that User or Group has for each area of your site including Articles, Categories, Contacts, Menus and Menu Items, Modules, and Components.
We take a great deal of pride in our knowledgebase and making sure that our content is complete, accurate and useable. If you have a suggestion for improving anything in this content, please let us know by filling out this form. Be sure to include the link to the article that you'd like to see improved. Thank you!