If you’re not the only person running your TYPO3 website, you’ve probably needed to think about TYPO3 user roles. TYPO3 comes with a user role management system that defines what a specific user can and cannot do on your website. Knowing these TYPO3 user roles and TYPO3 permissions are essential as your TYPO3 site grows.
TYPO3 Backend Access user roles are essential for controlling what actions the various users at your site are permitted to take. By smartly assigning TYPO3 user roles, you ensure that no one has more “power” than they need. And this helps make your site more secure and streamline your workflow.
Assigning TYPO3 User Roles and Permissions are a way forward to TYPO3 Security, but if you’re looking for in-depth TYPO3 security guide, I recommend you reading this amazing article, https://t3planet.com/blog/typo3-security/
Read on to this guide that explains what TYPO3 Access, User roles, and permissions are, why they matter and how to assign them.
TYPO3 user roles define what actions each user at your site is allowed to perform. For example, the ability to publish a TYPO3 post is one capability of the Editor role, while the ability to install a new plugin is another “capability” of another TYPO3 role.
So at a simple level, user roles are just a collection of different actions that a user with that role is allowed to perform.
TYPO3 user roles are important because they:
- Enhance TYPO3 security of your TYPO3 site by ensuring that users don’t have access to things they shouldn’t have. For example, you don’t want an untrusted user to have the ability to install new extensions on your site.
- Can help you define your workflows. For example, TYPO3 has pre-made user roles that you can apply to authors on your site to give them access to only the functionality they need to write TYPO3 editor posts.
You should only give a backend user as much access as is needed. This makes the job easier by automatically deactivating modules and GUI elements the user does not have access to. It also makes it impossible for a user to damage the system by accidentally doing things he or she should not have been able to do in the first place.
Before TYPO3 version 9, there was only admin and non-admin. Now we have the additional access privilege “system maintainer”.
- admins have access to the SYSTEM module (including Access, Backend User, Log etc. modules)
- admin user privilege can be added by clicking the “admin” checkbox when creating or changing a backend user
The first backend admin created during installation will automatically be a system maintainer as well. System Maintainers are the only users who are able to see and access the Install Tool and the Extension Manager.
To give other users system privileges, you can add them in the ADMIN TOOLS > Settings > Manage System Maintainers configuration.
Let’s start by looking at each default user role and its permissions.
Each user of the backend must be represented with a single record in the table “be_users”. This record contains the username and password, other metadata, and some permissions settings. It is possible to assign rights directly to a user, but it is much better done using groups. Furthermore, groups offer far more options.
Each user can also be a member of one or more groups (from the “be_groups” table) and each group can include sub-groups. Groups contain the main permission settings you can set for a user. Many users can be a member of the same group and thus share permissions.
When a user is a member of many groups (including sub-groups) then the permission settings are added together so that the more groups a user is a member of, the more access is granted to him.
Database Mount groups
„DM_” = Database Mount groups contain the entry point to the page tree. These groups define which part, of the page tree may be viewed (and edited) by this user. Besides the database mount, nothing may be set here.
Page Groups will be used in the page module to set permissions. The access module defines which permissions, the owner, the group, and everybody has. The permissions are:
- Show and copy page and content
- Change, add, delete and move content
- The details, which tables may be edited, is defined in the ACL groups
- Change and move page
- Delete page and content
- Create a new page under this page
Access Control List Groups
Groups with the prefix ACL provide the permissions to modules, plugins, and tables, which enable the editors and authors to do their work.
Every installed extension has its own ACL group. This group contains all permissions that are necessary to work for a backend user with this extension. This includes every aspect, which can be configured in a group: modules, tables for listing and editing, allowed exclude fields, and so on.
Basically, it is possible to add all these groups defined in the last chapter to single users. But usually, you have several users with the same permissions. A best practice is to group the permissions with “Role Groups”.
The Admin User
There is a special kind of backend user called “Admin”. When creating a backend user, just check the “Admin!” box in the “General” tab and that user will become an administrator. In Web > List view, the different icons for admin users.
All systems must have at least one “admin” user and most systems should have only “admin” users for the developers - not for any editor. Make sure to not share TYPO3 accounts with multiple users but create dedicated accounts for everyone. Not even “super users” should be allowed “admin” access since that will most likely grant them access to more than they need.
Admin users are differentiated with an orange icon.
Basic Page Access
The Basic Page Access user group is there to make sure new content and pages can be seen, edited, etc. by all editors according to the configuration within the access module. The default configuration in TYPO3 only gives access to members of the same backend user group as the creator of a given page. Without the Basic Page Access user group in place, other editors in other groups would not have access.
Create this user group at the very beginning, then base other backend user groups on the next level above this for the whole site. The backend user group “Basic Page Access” needs to be set for all pages within the TYPO3-configuration (in TCEMAIN.permissions).
There will be special requirements for complex installations in which you cannot use this group as a basis. The user group “Basic Page Access” will not get any further configuration or permissions beyond basic page access (e.g., for modules or content types).
The Standard Editors' user group sets the configuration for all “standard” editors. Meaning, you can set all the configurations suitable to most editors here—e.g., all basic content types, extensions, etc. that all editors should be able to see and edit.
Editors with specific access
In cases, while having backend users from different categories that only need access to a specific part of the page tree for example blogger who only accesses the blog pages, or similar.
These editors can do everything Standard Editors can do— and always inherit the settings of Basic Page Access. In addition, they can access their specific part of the page tree and the filemount in their specific editor group.
- First, you have to create a backend group, if the desired group already exists move to Section 2
- Go to List (You should be in root)
- Create a new record and create a Backend user group.
- Fill in Group title
- In the Access List tab, check “Include Access Lists:” Here you will select what access the group will have. Example:
- In Modules, check the modules you have the group to have access to. (Basic: Web, Page, View, List, Workspaces, Info, Functions, File, Filelist)
- Check everything in Tables, Page types, and Allowed exclude fields.
- In the Mounts and Workspaces tab, you will select what access the user group will have when uploading or viewing the files in the system
- Check Edit Live (Online)
- Create or Select a File Mount.
- Check File operation permissions.
- Save and tada!
- Go to System/Backend users and create a user
- Fill in Username, Password and select group (If you want the user to have all-access, check “Admin(!)”)
- In the Mounts and Workspaces tab
- Check all for Workspace Permissions and Mount from groups.
- Select DBMounts by clicking the folder on the right side. Here you will choose what pages the user will have access to.
- Go to Root and Select Web/Access in the left menu.
- Here you will check that the page you want the user to access has the right permissions. (Make sure Depth is high so you can see all the pages). An owner should either be the user group (if you only want that user group to access that page) or a BE user or none. The group should be set to the user group.
The key to managing an effective team is clearly defining each person’s role and responsibilities. Fortunately, TYPO3 offers a built-in way to do this. Through careful use of TYPO3 user roles, you can enhance security and efficiency on your site.
Do you have any questions about how TYPO3 user roles work? Ask away in the comments section below! We'd be happy to answer you!