Learn how to create, configure, and remove both backend and frontend users in TYPO3, including permissions, user groups, and best practices for user management.
Understanding TYPO3 User Types
TYPO3 distinguishes between two user types:
- Backend Users: Access TYPO3 administration interface
- Frontend Users: Access restricted frontend content
Backend User Management
Accessing User Management
Backend → System → Backend Users
Or navigate to:
- List Module → Select root page (ID 0) → Backend Users
Adding a Backend User
Method 1: Via Backend Users Module
Navigate to Backend Users
- System → Backend Users
- Click Create new record (+ icon)
General Tab
Username: john.doe
Password: [Set strong password]
User Group: Editor
Real name: John Doe
Email: john.doe@example.com
Access Lists Tab
- Limit to languages: Select allowed languages
- Mount points: Select page tree access
- File mounts: Select file folder access
- Allowed excludefields: Select specific fields
Options Tab
DB Mounts: Select root pages user can access
File Mounts: Select fileadmin folders
TSconfig: Add custom TypoScript configuration
Save and Close
Method 2: Via List Module
- List Module → Root page (ID 0)
- Click Create new record
- Select Backend User
- Fill in required fields (same as above)
- Save
Backend User Required Fields
| Field | Required | Description |
|---|---|---|
| Username | Yes | Unique identifier for login |
| Password | Yes | Minimum 8 characters recommended |
| User Group | No | But highly recommended |
| Email | No | For password reset functionality |
Setting User Permissions
Via User Groups (Recommended)
System → Backend User Groups
Create new group or edit existing
General Tab:
Title: Content Editors
Description: Can edit pages and content
Subgroup: [Optional] Inherit from other groups
Access Lists Tab:
Modules: Web > Page, Web > List, File > Filelist
Tables (listing): pages, tt_content, sys_file
Tables (modify): pages, tt_content
Page types: Standard, Folder
Allowed excludefields: [Select specific fields]
Mounts and Workspaces:
DB Mounts: Select accessible page trees
File Mounts: Select accessible folders
Assign group to users:
- Edit backend user
- General Tab → User Group
- Select the group(s)
Direct User Permissions (Not Recommended)
Individual permissions can be set directly on a user record, but groups are easier to maintain.
Common Backend User Configurations
Content Editor
Permissions:
Modules: Page, List, Filelist
Tables (listing): pages, tt_content, sys_file_metadata
Tables (modify): pages, tt_content, sys_file_metadata
Excludefields: Hidden, Start/End time
DB Mounts: Content section (e.g., page ID 10)
File Mounts: /user_upload/
TSconfig:
# Limit page types
options.pageTree.doktypesToShowInNewPageDragArea = 1,4
# Hide modules
options.hideModules = web_layout, web_ts
# RTE configuration
RTE.default.preset = minimal
Administrator (Full Access)
Permissions:
Admin: Yes (checkbox on General tab)
Note: Admin users have full system access, bypassing all restrictions.
Translation Manager
Permissions:
Modules: Page, List
Allowed languages: German, French, Spanish
Tables (modify): pages, tt_content (all languages)
DB Mounts: All content pages
TSconfig:
# Show only translation fields
mod.web_layout.tt_content.translationView = 1
# Limit to specific languages
options.workspaces.considerWorkspaceLanguageRestrictions = 1
Removing Backend Users
Disable User (Recommended)
- System → Backend Users
- Edit user
- General Tab → Check Disable
- Save
Advantages:
- Preserves user history
- Can be re-enabled
- Maintains audit trail
Delete User (Permanent)
- System → Backend Users
- Find user in list
- Click Delete icon (trash can)
- Confirm deletion
Warning: This permanently removes the user and cannot be undone.
Via CLI
# Disable user
./vendor/bin/typo3 backend:user:disable john.doe
# Delete user
./vendor/bin/typo3 backend:user:delete john.doe
Frontend User Management
Accessing Frontend User Management
Web → List → Navigate to user storage folder (typically sys_folder)
Adding a Frontend User
Method 1: Via List Module
Create User Storage Folder
- Web → Page
- Create Folder page type (doktype 254)
- Title: "Website Users"
Create Frontend User
- Web → List
- Select user storage folder
- Click Create new record
- Select Website User
General Tab
Username: customer1
Password: [Set password]
User Group: Customers
Name: John Smith
Email: john@example.com
Extended Tab (Optional)
Title: Mr.
First Name: John
Last Name: Smith
Address: 123 Main St
ZIP: 12345
City: Springfield
Country: USA
Phone: +1-555-0123
Save
Method 2: Frontend Registration Form
Using felogin or femanager extension:
Install femanager:
composer require in2code/femanager
Configure TypoScript:
plugin.tx_femanager {
  settings {
    # User group assigned to new users
    new.userGroup = 1
    new.redirectAfterRegistration = 15
    # Email confirmation
    new.confirmByUser = 1
    new.confirmByAdmin = 0
  }
}
Add plugin to page:
- Create page for registration
- Add Content Element → Plugin → femanager: Registration
- Configure plugin settings
Frontend User Groups
Create Frontend User Group:
- Web → List → User storage folder
- Create new record → Website User Group
- Configure:
Title: Premium Members
Description: Full access to premium content
Subgroup: [Optional] Base Members
Setting Frontend Access Restrictions
Page Access
- Web → Page → Select page
- Edit page → Access Tab
- Configure:
Visibility:
- Show at login: Yes
- Hide at login: No
Access:
- User Group: Premium Members
Content Element Access
- Web → Page → Edit content element
- Access Tab
User Group: Premium Members
Frontend User Login
Install and Configure felogin:
composer require typo3/cms-felogin
Add Login Plugin:
- Create login page
- Add Content Element → Plugin → Login Form
- Configure:
User Storage Page: [Select folder with users]
Redirect After Login: [Target page]
Redirect After Logout: [Login page]
Show logout form: Yes
TypoScript Configuration:
plugin.tx_felogin_pi1 {
  # Storage page
  storagePid = 123
  # Redirects
  redirectMode = groupLogin
  redirectPageLogin = 25
  redirectPageLogout = 1
  # Templates
  templateFile = EXT:your_sitepackage/Resources/Private/Templates/FELogin.html
}
Removing Frontend Users
Disable User
- Web → List → User storage folder
- Edit user
- Check Disable
- Save
Delete User
- Web → List → User storage folder
- Find user
- Click Delete icon
- Confirm deletion
Bulk Operations
Using List Module:
- Web → List → User storage folder
- Enable clipboard (top of list)
- Select multiple users
- Choose action: Delete, Disable, Move
User Session Management
View Active Sessions
System → Backend User Sessions
Shows:
- Currently logged-in backend users
- Session start time
- Last activity
- IP address
Force User Logout
CLI:
# Kill all backend sessions
./vendor/bin/typo3 backend:session:cleanup
# Specific user
./vendor/bin/typo3 backend:session:destroy john.doe
SQL:
-- View backend sessions
SELECT * FROM be_sessions;
-- Delete all sessions of one user (ses_userid is the uid of the backend user)
DELETE FROM be_sessions WHERE ses_userid = 123;
Password Management
Password Reset (Backend)
Admin Reset
- System → Backend Users
- Edit user
- General Tab → Password
- Enter new password
- Save
User Self-Reset
Enable password reset link:
Install/Settings → Extension Configuration → backend
[BE][showRefreshLoginPopup] = 1
Add to login screen template.
Password Policies
LocalConfiguration.php:
'BE' => [
    'passwordPolicy' => [
        'minimumLength' => 12,
        'upperCaseCharacterRequired' => true,
        'lowerCaseCharacterRequired' => true,
        'digitCharacterRequired' => true,
        'specialCharacterRequired' => true,
    ],
],
Or via TypoScript for FE:
plugin.tx_femanager {
  settings {
    validation {
      password {
        minimumLength = 10
        upperCaseCharacterRequired = 1
        lowerCaseCharacterRequired = 1
        digitCharacterRequired = 1
      }
    }
  }
}
Security Best Practices
1. Use Strong Passwords
- Minimum 12 characters
- Mix of upper/lowercase, numbers, symbols
- No dictionary words
- Different for each user
2. Regular Account Reviews
- Audit users quarterly
- Remove/disable inactive accounts
- Review permissions regularly
3. Limit Admin Accounts
- Create admin accounts only when necessary
- Use specific permissions instead
- Separate accounts for different roles
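Queries that support the account review and admin-account points above, as an added example that is not part of the original page. They assume MySQL/MariaDB and the TYPO3 core be_users and be_sessions tables; the 90-day inactivity threshold is an assumption chosen to fit a quarterly review.

```sql
-- Added example: review queries for TYPO3 backend accounts.
-- Assumptions: MySQL/MariaDB, core be_users / be_sessions schema,
-- 90 days as the inactivity threshold (fits a quarterly audit).

-- 1. Active accounts that have not logged in for 90 days, or never.
--    Candidates for "Disable" rather than delete.
SELECT uid,
       username,
       email,
       admin,
       IF(lastlogin = 0, 'never', FROM_UNIXTIME(lastlogin)) AS last_login
FROM be_users
WHERE deleted = 0
  AND disable = 0
  AND lastlogin < UNIX_TIMESTAMP(NOW() - INTERVAL 90 DAY)
ORDER BY lastlogin;

-- 2. Every active account with the Admin flag set. Admins bypass all
--    group restrictions, so each row should have a known owner.
SELECT uid, username, email, FROM_UNIXTIME(crdate) AS created
FROM be_users
WHERE admin = 1
  AND deleted = 0
  AND disable = 0
ORDER BY crdate;

-- 3. Active non-admin accounts without any backend user group, i.e.
--    accounts whose permissions can only come from the user record itself.
SELECT uid, username, email
FROM be_users
WHERE admin = 0
  AND deleted = 0
  AND disable = 0
  AND COALESCE(usergroup, '') IN ('', '0');

-- 4. Session rows still stored for disabled or deleted accounts.
SELECT s.ses_userid,
       u.username,
       FROM_UNIXTIME(s.ses_tstamp) AS last_activity
FROM be_sessions AS s
JOIN be_users AS u ON u.uid = s.ses_userid
WHERE u.disable = 1
   OR u.deleted = 1;
```

All four statements are read-only, so they can be run against a replica or a database dump.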
4. Enable Two-Factor Authentication
Install TOTP extension:
composer require r3h6/typo3-oauth2-server
Configure in User Settings → Enable TOTP
5. Monitor User Activity
Enable logging:
'BE' => [
    'debug' => true,
    'loginSecurityLevel' => 'normal',
],
'SYS' => [
    'systemLog' => 1,
],
Check logs:
# Backend user login attempts
grep "backend user" var/log/typo3_*.log
Automation and Bulk Management
CLI User Creation
Create script: create_users.sh
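#!/bin/bash
# Abort on the first failing command so the success message is only
# printed when the user was actually created
set -e
# Create backend user via CLI
./vendor/bin/typo3 backend:user:create \
    --username=john.doe \
    --password=SecurePass123! \
    --email=john@example.com \
    --real-name="John Doe" \
    --user-group=2
echo "User created successfully"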
Import Users from CSV
Using Extension: ig_ldap_sso_auth or custom import script
Custom PHP Script:
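<?php
// Must run inside a bootstrapped TYPO3 context (e.g. a CLI command);
// DataHandler acts with the permissions of $GLOBALS['BE_USER'].
use TYPO3\CMS\Core\Utility\GeneralUtility;
use TYPO3\CMS\Core\DataHandling\DataHandler;

// Read CSV (columns: username, password, email, real name, user group);
// skip empty lines so they do not produce incomplete rows
$lines = file('users.csv', FILE_IGNORE_NEW_LINES | FILE_SKIP_EMPTY_LINES) ?: [];
$csv = array_map('str_getcsv', $lines);

foreach ($csv as $row) {
    // Ignore rows that do not have all five columns
    if (count($row) < 5) {
        continue;
    }
    $data = [
        'be_users' => [
            'NEW123' => [
                'pid' => 0,
                'username' => $row[0],
                // Store a hash, never the plain-text password from the CSV
                'password' => password_hash($row[1], PASSWORD_DEFAULT),
                'email' => $row[2],
                'realName' => $row[3],
                'usergroup' => $row[4],
            ],
        ],
    ];
    // Create the record through DataHandler, one user per run
    $dataHandler = GeneralUtility::makeInstance(DataHandler::class);
    $dataHandler->start($data, []);
    $dataHandler->process_datamap();
}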
Troubleshooting
User Cannot Login
Check:
- Username/password correct
- User not disabled
- User group assigned
- DB mounts configured
- No IP restrictions
- Session not expired
Debug:
# Check user in database
./vendor/bin/typo3 backend:user:list
# View user details
./vendor/bin/typo3 backend:user:show john.doe
User Cannot See Pages/Content
Check:
- DB mounts assigned
- User group has table permissions
- Page not hidden
- Access restrictions on page
- Start/end time not exceeded
Cannot Delete User
Possible reasons:
- User is referenced in logs
- User owns content
- Database constraints
Solution: Disable instead of delete