
Access Control Lists in TYPO3: Research and Planning Improvements

As you may know (through this announcement), since early 2024 we've been working on improvements to TYPO3's Access Control Lists (ACLs). This project stems from a Community Budget Idea for Q1 that was successfully voted on in 2023 (details here). Though we outlined the scope of changes in our proposal, we wanted to ensure our efforts align with community needs and benefit TYPO3 as a whole. Therefore, we conducted essential steps before diving into coding.


Researching the Current Implementation of TYPO3 Access Control Lists

The work began with research into the current implementation of setting permissions in TYPO3. We delved into the code and documented some technical aspects. Then, we examined how the entire process appears from the perspectives of developers and administrators responsible for setting and managing permissions and keeping them up to date. We aimed to gather answers to the following questions/topics:

  • What does one encounter immediately after a fresh TYPO3 installation?
  • Do the Introduction Package or the Bootstrap Package set any default permissions?
  • What are the common challenges encountered when setting permissions?
  • What steps are required to set up permissions immediately after installation?
  • Are there any documented best practices?
  • Are there any ready-to-use groups?
  • How is ACL maintained during website development?
  • How are permissions set for Workspaces?
  • Are there any community extensions that extend or improve ACL management?

After documenting answers for most of these topics and following internal discussions within our team, we decided to also seek feedback from the community to confirm the direction of the changes we plan to implement.

Survey on Enhancing TYPO3 Access Control Lists

After conducting research on ACLs in TYPO3, we decided to create a survey dedicated to the TYPO3 community. We compiled a total of 16 questions, asking about various aspects of the permission-setting process - how it is viewed from the perspective of other agencies, what challenges they face, and what improvements they would like to see in the core.

The survey was open for about 2 weeks. During that time, we gathered feedback from a total of 69 respondents. We decided to close it after that period because we needed to start working on analyzing the feedback and shaping the first drafts of the changes we plan to propose to TYPO3.

An extended summary of the survey will be available through a blog post on typo3.org, which is expected to be published in the coming days. For now, we are posting a very condensed summary based on the open-ended questions, where respondents shared their feedback.

We asked what the main challenges are that users face when configuring permissions for backend users in TYPO3. Here are some of them:

  • Lack of Version Control Systems (VCS) and deployable permissions, requiring manual setup each time
  • Permissions are often incorrectly set in the production environment, requiring post-launch adjustments
  • Difficulty in locating the correct checkboxes due to a vast array of options
  • Users forget to update permissions when new fields are added, without any alerts or notifications
  • User experience and interface issues, including poorly structured sections and suggestions for using tabs for better organization
  • Lack of a search function for finding specific fields or options
  • Difficulty in finding the right items, compounded by mixed sorting of translated and untranslated items
  • Challenges in determining the source of permissions or identifying redundant permissions due to a complex hierarchy of backend groups

Then, we also asked which tools or features would enhance the permission configuration process in TYPO3. The most commonly mentioned ones were:

  • Deployable permissions in config files (instead of DB records)
  • Support for import/export file-based configuration
  • Wizards for setting up groups and certain permissions would help
  • Access to pages by several configurable user groups

We also had a lot of feedback regarding the current UX/UI. Respondents often mentioned that it could be improved in various areas to simplify permission setting and make it much easier. Here are some of the suggestions:

  • Improve the organization of module forms by adopting a more horizontal layout, reducing vertical scrolling, and incorporating more tabs.
  • Simplify permission forms to make them more understandable.
  • Introduce the ability to search/filter fields and options.
  • Combine the list and edit tables sections, adding two checkboxes for each item.
  • Develop a wizard for setting permissions to streamline the process.
  • Provide a better graphical overview of groups and users, including details on the rights they inherit and a visual representation of this inheritance.
  • Enhance the sorting of items in lists so they are grouped in a way that makes them easier to locate.

Where Are We Now, and What Do We Plan Next?

After researching and summarizing the survey results, we have a clear view of the changes that could be made in TYPO3 to simplify the permissions management process and make it more user-friendly. The list is very long, though, and it won’t be possible to implement them all as part of the work for Q1.

After consulting with TYPO3 core team member Benjamin Mack, we decided to first implement an option in the TYPO3 installer, which will allow the creation of 2-3 predefined backend user groups that will be ready to use immediately after installation. The second initiative will be a new section in the TYPO3 documentation, describing best practices for setting and managing Access Control Lists in TYPO3. The final shape of this document is not ready yet. We have a first draft, which, after consultation with Benjamin Mack, will be posted on talk.typo3.org and discussed with the community. We want to have it reviewed and accepted by as wide a range of TYPO3 developers and users as possible.

Other changes to the Access Control List, including user interface improvements, implementing permission presets, and deployable permissions, are planned to be split between Q2 and Q3 as separate or follow-up TYPO3 community budget ideas. We aim to align them with other changes/features planned by the core team.

If you are interested in Access Control Lists in TYPO3, read our 2 previous articles where we described them from a more technical perspective:

Access Control Lists in TYPO3
How TYPO3 Checks Permissions In The Backend

So, that's all for now, but stay tuned for more details soon! :)