Setting up user group permissions
We will look into managing user permissions by editing the "Advanced editors" user group.

"General" tab - backend user groups
On the "General" tab you can edit the group's title and write a short description. As mentioned before, permissions from sub-groups will be inherited by the current group.

Content of the "General" tab when editing a backend user group
Note
Setting permissions is not just about access rights.
It can also help to declutter the backend, ensuring that backend users only see and have access to the modules they require.
"Inherit settings from groups" section of tab "General" in backend user groups
If you choose groups in the "Inherit settings from groups" section of tab "General", the current group inherits all the permissions of the parent group and can add additional permissions. It is not possible to revoke permissions granted by the parent group.
User TSconfig of the parent group gets overridden by TSconfig of the child group and then, in turn, by the specific TSconfig of the backend user. See also Setting user TSconfig.
"Record Permissions" tab - backend user groups
"Allowed page types" section in Record permissions of user group
You should allow at least the "Standard" page type if you want your editors to be able to create new pages.
See also Editors Guide, page types.
"Table permissions" section in Record permissions of user group
This section allows you to grant "read" or "read and write" permissions for different database tables.
If your users should be able to upload and reference images, for example with the content element "Text & Images", they must also be able to read and write the tables "File Reference" and "File", in addition to having permission to actually write the saved files.

"Allowed fields" section in Record permissions of user group
When defining table fields in TYPO3, you can mark them as excluded in TCA. Such fields are hidden from backend users (except administrators) unless they are explicitly granted access. This field manages that access by displaying a list of all tables and their excluded fields.

Click on a table name and select allowed fields
Tip
You can hide fields from a backend group by setting page TSconfig option disabled.
"Explicitly allow field values" section in Record permissions of user group
By default you can choose which content element types are allowed for a backend group in this section. Some extensions might add additional tables and their values here.
A content element type not checked in this section cannot be added or edited by a user of this group.

Tip
You can remove options from select fields with page TSconfig option removeItems (blacklist) or keepItems (whitelist).
"Limit to languages" section in Record permissions of user group
In a multilingual web site, it is also possible to restrict users to a specific language or set of languages.

"Module Permissions" tab - backend user groups
The section "Allowed modules" grants access to different backend modules.

If you allow the module "Dashboard" you should also explicitly choose "Allowed dashboard widgets" in the next section.
MFA is only possible if you allow at least one provider in section "Allowed multi-factor authentication providers".
"Mounts and Workspaces" tab - backend user groups
The next tab contains very important fields which define which parts of the page tree and the file system the members of the group may have rights over.
We will cover only mounts here. Detailed information about workspaces can be found in chapter Users and groups for workspaces.
"DB Mounts" in tab "Mounts and Workspaces"
Unless at least one DB mount is chosen, your user does not have rights to any page record and will not be able to do anything in the backend.
Each mount corresponds to a page in the tree. The user will have access only to those pages and their sub-pages.

Warning
A user is only able to make changes to a page if they have rights to the DB mount of that page and at least "Show page" permissions for that page. See chapter page permissions.
You can grant additional entry pages in the database record of the backend user. If option "Mount from groups" is not set for "DB Mounts" you can even override all DB mounts.
"File Mounts" in tab "Mounts and Workspaces"
File mounts are similar to DB mounts but instead are used to manage access to files.
File mounts need to be created first, for example using the context menu on the file tree in module "Filelist", or in the File mounts submodule of the Backend Users module.
They can then be selected when editing a backend user group:

Select the file mounts by clicking on them on the right and adding them to the left.
Warning
Adding a file mount is not sufficient for your editors to upload and use files. Due to the File Abstraction Layer, users also need permissions to read and write tables "Files" and "File references". Set those in the "Table permissions" section in Record permissions of user group.
It is also necessary to grant Directory and File operation permissions in section File operation Permissions.
Just like DB mounts, you can grant additional file mounts in the database record of the backend user. If option "Mount from groups" is not set for "File Mounts" you can even override all file mounts.
"File operation permissions" in tab "Mounts and Workspaces"
Specific operations on files and directories must be allowed. Choose either "Directory" or "Files" and start checking boxes.
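The inheritance rule from the "General" tab and the mount warnings above can be checked offline against an export of the group records. The following Python is an added example, not TYPO3 code: it assumes the be_groups column names subgroup, tables_modify, db_mountpoints, file_mountpoints and file_permissions and the table names sys_file and sys_file_reference, and it runs on constructed sample rows.

```python
# Constructed sample rows. Column names assume TYPO3's be_groups schema.
GROUPS = {
    1: {"subgroup": "", "tables_modify": "pages,tt_content",
        "db_mountpoints": "12", "file_mountpoints": "", "file_permissions": ""},
    2: {"subgroup": "1", "tables_modify": "sys_file_reference",  # "Advanced editors"
        "db_mountpoints": "", "file_mountpoints": "3", "file_permissions": ""},
    3: {"subgroup": "", "tables_modify": "tt_content",
        "db_mountpoints": "", "file_mountpoints": "", "file_permissions": ""},
}
FIELDS = ("tables_modify", "db_mountpoints", "file_mountpoints", "file_permissions")


def split_list(value):
    """Parse a comma-separated column value into a set."""
    return {item.strip() for item in value.split(",") if item.strip()}


def effective(uid, groups, seen=None):
    """Union of a group's own settings and those of every inherited group."""
    seen = set() if seen is None else seen
    result = {field: set() for field in FIELDS}
    if uid in seen or uid not in groups:  # cyclic or dangling reference
        return result
    seen.add(uid)
    for field in FIELDS:
        result[field] |= split_list(groups[uid][field])
    for parent in split_list(groups[uid]["subgroup"]):
        inherited = effective(int(parent), groups, seen)
        for field in FIELDS:
            result[field] |= inherited[field]  # permissions only accumulate
    return result


def audit(uid, groups):
    """Return findings for the mount-related warnings on this page."""
    perms = effective(uid, groups)
    findings = []
    if not perms["db_mountpoints"]:
        findings.append("no DB mount")
    if perms["file_mountpoints"]:
        missing = {"sys_file", "sys_file_reference"} - perms["tables_modify"]
        if missing:
            findings.append("file mount without write access to: " + ", ".join(sorted(missing)))
        if not perms["file_permissions"]:
            findings.append("file mount without file operation permissions")
    return findings


if __name__ == "__main__":
    for uid in GROUPS:
        print(uid, audit(uid, GROUPS))
```

Group 2 inherits its DB mount from group 1, so only the file-related gaps are reported for it. Mounts granted directly in a backend user record are outside the scope of this check.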
Category mounts
It is possible to limit the categories that a user can attach to a database record by choosing the allowed categories in the field "Category mount". If no category is selected in the category mount, all categories are available.
Tip
If you want to disallow categories, remove the read and write permissions for table categories in the "Table permissions" section in tab "Record permissions".