Access Control Lists
acls.yml file of a bundle can contain a map with access control lists. Each key of the map
is the unique name of an ACL while the values for each ACL is a map of options:
acls: # an ACL used to protect an action password_management: label: Password Management type: action group_name: "" # an ACL used to grant removal permissions to users user_delete: label: Delete Users type: entity class: Acme\Bundle\DemoBundle\Entity\User permission: DELETE
When a controller action should be protected by an ACL, its method must be bound to the ACL. The
bindings option expects a map with two keys that refer to the controller to be protected:
The fully qualified class name of the controller class.
The name of the controller action method.
When the type option is set to
class option is used to decide whether or not
the ACL has to be evaluated when checking if a user has access to a certain object. Each object ACL
is only responsible for protecting access to a certain kind of objects.
A human-readable label that can be presented to the users. For example, this label is shown in the role management section of the OroPlatform UI.
Access can be granted based on the action that should be performed with a domain object. There are four types of permission which can be granted to a user:
By default, when a user creates a new entity, they will be the owner of the newly created object. But if they are granted the
ASSIGNpermission to other users, organizations, or business units, they can transfer ownership to users for which they have this permission.
This permission is not meant to be used in an ACL.
The user can create new objects of this entity.
The object can be deleted by the user.
The user can modify a particular entity.
New in version 1.9: Support for the
SHAREpermission will be introduced in OroPlatform release 1.9.
If a user is granted the
SHAREpermission on other users, organizations, or business units, they can share an entity with those users which means that those users can then view the entity too.
The user is able to see the data of an object.
The type of resource that should be protected. Possible values are:
A certain action in the user interface that is not bound to a particular domain object or a the type (class) of a domain object.
When using the
actiontype, it is only possible to grant or deny access to a user for a given action. If you want to grant them access for a certain action only for a subset of the data, you can configure ACLs for each object individually by setting the
entityand then control the allowed action with the permission option.
typeis set to entity, each domain object can be protected individually which means that access can be granted based on a particular domain object.
The name of a group to which an ACL belongs to.
The identifier of an ACL category in which an ACL should be shown in the role management UI.
The configuration of ACL categories is described in Access Control List Categories section.