How to Access Control Lists (ACL) in Magento 2

Magento 2 Admin ACL panel use an authentication system and a robust system for create Access Control List Rules (ACL) which allows a store owner to create fine grained roles for each and every user in their system. In this article, we will find how it work and how to add ACL for our custom module.

Magento 2 Access Control List Rules

The Magento 2 Admin ACL resources are visible under the Magento 2 admin System > Permissions > User Roles area. When we click on the Add New Role button or access to a role, you will see the page look like:

magento 2 admin acl

In this resources tab, you can see a tree-list of all the available resources in your system. You can choose all Resource or some of them for this role and select the user for this role in Role Users tab. All of the user who belong to this role will be limit access to the resource which you choose. They cannot see and access to other one.

To Create Admin Admin ACL

Step 1: Create ACL rule

Now, we will see how to add our module to ACL role. We will use a previous simple module HelloWorld to do this. As in the Admin Menu and System Configuration article, you saw that we alway have a resource attribute when create it. Now we will register that resources to the system, so Magento can realize and let us set a role for them. To register the resource, we use the acl.xml file which located in app/code/{namespace}/{module}/etc/acl.xml. Let’s create this file for our simple Module:

File: app/code/Mageplaza/HelloWorld/etc/acl.xml

Contents would be:

<?xml version="1.0"?>
<config xmlns:xsi="" xsi:noNamespaceSchemaLocation="urn:magento:framework:Acl/etc/acl.xsd">
            <resource id="Magento_Backend::admin">
                <resource id="Mageplaza_HelloWorld::helloworld" title="Hello World" sortOrder="51">
                    <resource id="Mageplaza_HelloWorld::post" title="Posts" sortOrder="10"/>
                    <resource id="Mageplaza_HelloWorld::helloworld_configuration" title="Configuration" sortOrder="99" />
                <resource id="Magento_Backend::stores">
                    <resource id="Magento_Backend::stores_settings">
                        <resource id="Magento_Config::config">
                            <resource id="Mageplaza_HelloWorld::helloworld_config" title="Hello World"/>

Our resource will be placed as child of Magento_Backend::admin. Each resource will have an Id, title and sortOrder attribute:

  • Id attribute is the identify of this resource. You can use this when define resource in Admin menu, configuration and limit access to your module controller. This is a unique string and should be in this format: Vendor_ModuleName::resource_name.
  • Title attribute is the label of this resource when showing in resource tree.
  • sortOrder attribute define the position of this resource in tree.

After this done, please refresh the cache and see the result on resource tree

magento 2 admin acl

Step 2: Flush Magento cache

Make sure it admin menu items are displayed on Magento 2 admin, you should try to flush Magento 2 cache.

Step 3: Check ACL rule

There are some place where we put the ACL resource to make it limit the access:

Admin menu: Put the ACL resource to hide the menu if it’s not allowed by store owner.

File: app/code/Mageplaza/HelloWorld/etc/adminhtml/menu.xml

<add id="Mageplaza_HelloWorld::helloworld" title="Hello World" module="Mageplaza_HelloWorld" sortOrder="51" resource="Mageplaza_HelloWorld::helloworld"/>

System configuration: Put the ACL resource to limit access to this section page.

File: app/code/Mageplaza/HelloWorld/etc/adminhtml/system.xml

<section id="helloworld" translate="label" sortOrder="130" showInDefault="1" showInWebsite="1" showInStore="1">

We will use Mageplaza_HelloWorld::helloworld_configuration in Magento 2 How to Create System.xml Configuration

With resource it also use on controller.

In admin controllers: Magento provides an abstract type Magento\Framework\AuthorizationInterface which you can use to validate the currently logged in user against a specific ACL. You can call that object by use the variable: $this->_authorization. In the controller, you have to write a protected function to check the resource:

Example: File: vendor/magento/module-customer/Controller/Adminhtml/Index.php

protected function _isAllowed()
 return $this->_authorization->isAllowed('Magento_Customer::manage');

Admin Permission

Admin Permissions for Magento 2

Customize backend access based on business needs and requirements

Learn more


Image Description
With over a decade of experience crafting innovative tech solutions for ecommerce businesses built on Magento, Jacker is the mastermind behind our secure and well-functioned extensions. With his expertise in building user-friendly interfaces and robust back-end systems, Mageplaza was able to deliver exceptional Magento solutions and services for over 122K+ customers around the world.

People also searched for

  • Magento 2 Admin ACL
  • magento 2 acl
  • role resource tree not displaying in magento2
  • magento 2 admin acl menu
  • magento 2 acl adminhtml.xml
  • magento 2 admin controller acl
  • magento 2 admin acl
  • magento 2 adminhtml xml acl 2
  • magento 2 acl.xml
  • acl.xml magento 2
  • magento 2 acl example
  • acl magento
  • magento acl
  • acl.xml
  • 2.3.x, 2.4.x