Aller directement à la fin des métadonnées
Aller au début des métadonnées
CiviCRM Documentation
Return to Access Control Main Page
Access Control not Available in Joomla! Installations

Access Control functionality is not available for CiviCRM in Joomla! We expect to address this in a future release.

Context - Uses for Permissions, Roles and Access Rules

Access Control is used to control access to CiviCRM data and functionality. This is done through Access Control Lists (ACL's). An ACL consists of:

1. A Role that has permission to do this operation ('Administrator', 'Team Leader'),
2. An Operation (e.g. 'View' or 'Edit'), and
3. A set of Data that the operation can be performed on (e.g. a group of contacts)

EXAMPLE: "Team Leaders" (Role) can "Edit" (Operation) all contacts in the "Active Volunteers Group" (Data).

CiviCRM provides built-in access control for contact groups, profiles and custom data.

CiviCRM for Drupal includes additional access control features for specific tasks (Administer, Import, etc.), and for component data (contributions, membership, and events). It should be noted that in Drupal you only need to use CiviCRM's ACLs if you wish to control access of certain contacts to certain groups; if you simply want to control the types of data and actions a user can see/perform you can use the Drupal permissions Administer » User Management » Access Control.

Overview - Built-in CiviCRM Access Control

CiviCRM's built-in Access Control is managed by Access Control Lists (ACL's). ACL's allow you to control who can view and edit specific contact groups, specific profiles and/or specific sets of custom data.

For example, you might want to allow only staff on your Development Team to view or edit contacts in your "High Value Donor" group. The basic steps for this are:

  1. Create a group ("Development Team") - Manage Groups.
  2. Add development team contacts to the group - Add Members to Group.
  3. Create an ACL Role ("Development") - Administer CiviCRM » Access Control » Manage Roles » New ACL Role.
  4. Create an ACL (a "permission") which allows the "Edit" operation on the "High Value Donor" group for the "Development" role - Administer CiviCRM » Access Control » Manage ACLs » New ACL.
  5. Assign the "Development" role to users in the "Development Team" group - Administer CiviCRM » Access Control » Assign Users to CiviCRM Roles » New Role Assignment.

Overview - Drupal Access Control

Users and Contacts

"Users" is the name Drupal and Joomla use to describe either people who have an account and can log into the website (authenticated/registered user), or a website visitor who has not logged in (anonymous/public user). In CiviCRM, "users" refers to anyone who has been assigned a role with specific permissions to take actions in CiviCRM. "Contacts" is the name CiviCRM gives to the Individuals, Organizations and Households that you create and store in CiviCRM. For more information on the Drupal functioning, see the Drupal Handbook


PERMISSIONS let you control what users can do on your site. Each user ROLE (see ROLES below) has its own set of permissions. View the default permissions here.


ROLES allow you to fine tune the security and administration of Drupal. A role defines a group of users that have certain privileges as defined in PERMISSIONS. Examples of ROLES include: anonymous user, authenticated user, moderator and administrator.

You will need to decide which roles you need, based on your workflows (see PLAN)


These rules allow you to limit accounts that are allowed to be created or logged in.

If there are staff members who you want to allow to view basic contact info, but not contribution info, you would check view all contacts and not access CiviContribute. If you do this, staff members with permissions set in this way won't see the CiviContribute tab when viewing contacts. In this example, you would also want to create a Group for those staff members you DO want to allow to access CiviContribute information. If you wanted to then restrict the permissions of the group that can access CiviContribute to say, not view contributors tagged as "High Value", you could do this through CiviCRM ACL's. You would also want to be sure you have a group that CAN access those "High Value" contributors.

Overview - How Permissions, Roles and Access Rules work

If you are giving multiple users access to CiviCRM data and tasks, it's a good idea to assign/limit which tasks and/or groups of contacts each user can manipulate. You will use ROLES and PERMISSIONS to determine what each user can see and do.

ROLES are a way of assigning one or more specific PERMISSIONS to a group. Users assigned to the ROLE are granted specific permissions assigned to the role. You can create as many roles as needed and users can be assigned to one or more roles. You can only assign ROLES to groups of contacts.

PERMISSIONS are the actual tasks which are granted to a ROLE. These may be functional - e.g. edit (all) contacts, or they may relate to a specific subset of your data, e.g. a defined group of contacts (enewsletter subscribers). You could allow only enewsletter subscribers' to view custom data (enewsletter subscriber interests) by assigning the PERMISSION "View enewsletter subscriber interests" to the ROLE of enewsletter subscriber.

  • Aucun
  1. Nov 12, 2008

    Hi there,

    It would be great if this documentation was a bit more specific on what you can't do with ACL.

    ACL is hard to get to grips with, and when you are wondering can I do X, and you are told that it can do Y and Z, then you still don't know whether you can do X (sourire).

    I think I am right in assuming that whilst you can apply AC to view/edit a custom data group attached to a membership form, for example, you can't say apply AC to a certain type of membership, or a certain type of activity, but its hard to know that for certain.  Obviously you can't account for every scenario, but I think it would be worth compiling the you cannot do X with ACL questions.

    Also you might want to be more specific about what edit means here and also in the UI.  I think edit means "create, update, delete", but a layperson might think it just meant update.

Creative Commons License
Except where otherwise noted, content on this site is licensed under a Creative Commons Attribution-Share Alike 3.0 United States Licence.