Master TYPO3's Access Control List (ACL) system to create secure, role-based access controls for backend and frontend users using user groups, TSconfig, and page permissions.
Understanding TYPO3 Access Control
TYPO3 uses a sophisticated ACL system with multiple layers:
- User Groups - Primary permission containers
- Page Permissions - Control access to page tree
- Table/Field Permissions - Control database record access
- Module Access - Control backend module visibility
- TSconfig - Fine-grained permission control
Backend User Groups
Creating User Groups
System → Backend User Groups
Click Create new group and configure:
General Tab
Title: Content Editors
Description: Users who can edit pages and content elements
Subgroup: [Optional] Base Users (inherits permissions)
Non-exclude-fields: [Fields available by default]
Access Control Levels
Module Access
Control which backend modules users can access:
Available Modules:
☑ Web > Page
☑ Web > List
☑ File > Filelist
☐ Admin Tools
☐ System
☐ Site Management
Common Role Configurations:
Content Editor:
- Web > Page
- Web > List
- File > Filelist
Developer:
- Web > Template
- Web > Info
- System > DB Check
- Admin Tools > Extensions
Administrator:
- All modules (check "Admin" on user directly)
Table Permissions
Tables (listing)
Tables user can view:
☑ Pages (pages)
☑ Content (tt_content)
☑ File Metadata (sys_file_metadata)
☑ News (tx_news_domain_model_news)
Tables (modify)
Tables user can edit/create/delete:
☑ Pages (pages)
☑ Content (tt_content)
☑ File Metadata (sys_file_metadata)
Example Configuration:
Content Editor:
Listing: pages, tt_content, sys_file_metadata
Modify: pages, tt_content, sys_file_metadata
News Manager:
Listing: pages, tx_news_domain_model_news, tx_news_domain_model_category
Modify: tx_news_domain_model_news, tx_news_domain_model_category
SEO Manager:
Listing: pages, sys_file_metadata
Modify: pages (only SEO fields via excludefields)
Page Types
Control which page types users can create:
☑ Standard (1)
☑ Folder (254)
☑ Link to External URL (3)
☐ Backend User Section (6)
☐ Mount Point (7)
Exclude Fields
Control access to specific fields within tables.
Common Excluded Fields:
Pages:
- Hidden
- Start/End time
- Backend Layout
- TSconfig
- PHP Tree Stop
Content (tt_content):
- Header Layout
- Space Before/After
- Access tab (visibility)
Example Configurations:
Junior Editor (Limited):
Exclude ALL fields except:
- Header
- Bodytext
- Image
Senior Editor (More Access):
Allowed excludefields:
- Pages: Hidden, Start/End time
- Content: Header Layout, Frame Class
Mount Points
DB Mounts (Page Tree Access)
Limit which parts of page tree users can access:
- Access Lists Tab → DB Mounts
- Click Browse for records
- Select root page(s) user can access
Examples:
Regional Editor:
DB Mounts:
- Europe Site (PID 10)
- Asia Site (PID 50)
Department Editor:
DB Mounts:
- Marketing Content (PID 100)
File Mounts (Folder Access)
Control access to fileadmin folders:
Create File Mount
- File → Filemounts
- New record
- Configure:
Mount Name: User Uploads
Path: /user_upload/
Base: fileadmin/
Read-only: No
Assign to User Group
- Access Lists Tab → File Mounts
- Select created file mount(s)
Common File Mount Configurations:
Content Editors:
- /user_upload/images/
- /user_upload/documents/
News Managers:
- /news/images/
- /news/files/
Marketing Team:
- /marketing/ (full access)
Allowed Languages
Restrict users to specific languages:
Access Lists Tab → Limit to languages
☑ Default (0)
☑ German (1)
☐ French (2)
☐ Spanish (3)
TSconfig for Advanced Permissions
Page TSconfig
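Add custom restrictions via the TSconfig field of a user group or of the page properties. Settings under options. are User TSconfig and belong in the user or group field; TCEFORM, RTE and mod settings are Page TSconfig.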
Hide Modules
# Hide specific backend modules
options.hideModules = web_layout, web_ts, file_edit
Limit Page Types
# Only allow standard pages and folders
options.pageTree.doktypesToShowInNewPageDragArea = 1,254
# Hide page types in dropdown
TCEFORM.pages.doktype.removeItems = 3,4,6,7
Customize RTE (Rich Text Editor)
# Minimal RTE toolbar
RTE.default.preset = minimal
# Custom RTE configuration
RTE.config.tt_content.bodytext {
  buttons {
    bold = 1
    italic = 1
    underline = 0
    link = 1
    table = 0
  }
}
Content Element Restrictions
# Hide content element types
TCEFORM.tt_content.CType.removeItems = uploads,table,menu_abstract
# Only allow specific content elements
TCEFORM.tt_content.CType.keepItems = text,textmedia,header,bullets
Disable Fields
# Remove fields from forms
TCEFORM.pages.hidden.disabled = 1
TCEFORM.tt_content.header_layout.disabled = 1
# Make field read-only
TCEFORM.pages.slug.config.readOnly = 1
Clipboard Restrictions
# Disable copy/paste
options.enableCopyToClipboard = 0
# Disable delete
options.disableDelete = 1
User TSconfig
Override permissions for specific users (less common, use groups instead).
# Add to User TSconfig field
options.pageTree.showPageIdWithTitle = 1
options.defaultUploadFolder = 1:user_upload/images/
# Custom labels
mod.web_layout.defaultLanguageLabel = English (US)
Page Permissions
Permission System
Each page has 5 permission types, each granted separately to three classes of user:
- Owner - User who created the page
- Group - Primary user group
- Everybody - All backend users
Permission Types:
- Show - View page in tree
- Edit Page Content - Edit content elements
- Edit Page Properties - Edit page settings
- Delete Page - Remove page
- New Pages - Create sub-pages
Setting Page Permissions
Web → Info → Page TSconfig → Permissions
Or: Web → Page → Page properties → Access Tab
Example Configuration:
Owner: admin (User #1)
Group: Content Editors
Permissions:
Owner: Show | Edit Content | Edit Page | Delete | New
Group: Show | Edit Content | Edit Page | | New
Everybody: Show | | | |
Permission Visualization
Permission Matrix:
           Show  Edit Content  Edit Page  Delete  New Pages
Owner      ✓     ✓             ✓          ✓       ✓
Group      ✓     ✓             ✓          ✗       ✓
Everybody  ✓     ✗             ✗          ✗       ✗
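Added example (not part of the original page or of TYPO3's own code): how the Owner, Group and Everybody masks combine into one user's effective permissions, and a check for pages where Everybody holds more than Show. The bit values and pages-table column names are TYPO3's; the page rows, user IDs and group IDs are constructed.

```python
# Added example. Bit values and column names follow TYPO3's pages table;
# the page rows are constructed sample data.
SHOW, EDIT_PAGE, DELETE, NEW_PAGES, EDIT_CONTENT = 1, 2, 4, 8, 16
ALL = 31
# Ordered like the matrix above.
NAMES = {SHOW: "Show", EDIT_CONTENT: "Edit Content", EDIT_PAGE: "Edit Page",
         DELETE: "Delete", NEW_PAGES: "New Pages"}

def decode(mask):
    """Names of the permissions set in one bitmask."""
    return [name for bit, name in NAMES.items() if mask & bit]

def effective(page, uid, group_ids, is_admin=False):
    """Permissions one backend user ends up with on a page."""
    if is_admin:
        return ALL                          # admins bypass page permissions
    mask = page["perms_everybody"]          # every backend user gets this
    if page["perms_userid"] == uid:         # user is the page owner
        mask |= page["perms_user"]
    if page["perms_groupid"] in group_ids:  # user is in the page's group
        mask |= page["perms_group"]
    return mask

def audit(pages):
    """Pages where Everybody holds more than Show, with the excess named."""
    return [(p["uid"], decode(p["perms_everybody"] & ~SHOW))
            for p in pages if p["perms_everybody"] & ~SHOW]

# Constructed rows: uid 10 matches the matrix above, uid 11 has drifted.
PAGES = [
    {"uid": 10, "perms_userid": 1, "perms_groupid": 3,
     "perms_user": 31, "perms_group": 27, "perms_everybody": 1},
    {"uid": 11, "perms_userid": 1, "perms_groupid": 3,
     "perms_user": 31, "perms_group": 27, "perms_everybody": 17},
]

if __name__ == "__main__":
    editor = effective(PAGES[0], uid=5, group_ids={3})
    print("editor on page 10:", decode(editor))
    print("outsider on page 10:", decode(effective(PAGES[0], 7, {9})))
    print("findings:", audit(PAGES))
```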
Changing Page Ownership
- Web → Info → Page TSconfig → Permissions
- Click Edit icon
- Change owner/group
- Save
Recursive Permissions
Apply permissions to all sub-pages:
- Web → Info → Page TSconfig → Permissions
- Select page
- Edit recursively
- Set permissions
- Choose depth level
- Apply
Common Role Configurations
1. Content Editor
Purpose: Create and edit content, manage images
Modules:
- Web > Page
- Web > List
- File > Filelist
Tables:
Listing: pages, tt_content, sys_file_metadata
Modify: pages, tt_content, sys_file_metadata
Page Types:
- Standard (1)
- Folder (254)
Allowed Excludefields:
Pages:
- hidden
- starttime, endtime
Content:
- header_layout
- space_before_class, space_after_class
DB Mounts:
- Content Section (e.g., PID 10)
File Mounts:
- /user_upload/content/
TSconfig:
# Limit content elements
TCEFORM.tt_content.CType.keepItems = text,textmedia,header,bullets,image
# Simplified RTE
RTE.default.preset = default
# Show page ID in tree
options.pageTree.showPageIdWithTitle = 1
2. News Manager
Purpose: Manage news articles and categories
Modules:
- Web > Page
- Web > List
- File > Filelist
Tables:
Listing: pages, tx_news_domain_model_news, tx_news_domain_model_category, tx_news_domain_model_tag
Modify: tx_news_domain_model_news, tx_news_domain_model_category, tx_news_domain_model_tag
DB Mounts:
- News Storage (PID 50)
- News Categories (PID 51)
File Mounts:
- /news/images/
- /news/files/
TSconfig:
# News module configuration
module.tx_news {
  settings {
    list {
      paginate.itemsPerPage = 25
    }
  }
}
# Limit to news records
options.pageTree.showOnlyCurrentPageInEditmode = 1
3. SEO Manager
Purpose: Optimize SEO settings across site
Modules:
- Web > Page
- Web > Info
- Site Management > Redirects
Tables:
Listing: pages, sys_redirect
Modify: pages (SEO fields only), sys_redirect
Allowed Excludefields:
Pages:
- seo_title
- description
- og_title, og_description
- twitter_title, twitter_description
- sitemap_priority
- canonical_link
DB Mounts:
- All sites (root level)
TSconfig:
# Show only SEO tab
TCEFORM.pages {
  # Hide most page fields
  title.disabled = 1
  doktype.disabled = 1
  # Show only SEO fields
  seo_title.disabled = 0
  description.disabled = 0
}
# Enable bookmarks
options.enableBookmarks = 1
4. Translation Manager
Purpose: Translate content to multiple languages
Modules:
- Web > Page
- Web > List
Tables:
Listing: pages, tt_content
Modify: pages, tt_content (translation only)
Allowed Languages:
- German (1)
- French (2)
- Spanish (3)
TSconfig:
# Show translation view by default
mod.web_layout.tt_content.translationView = 1
# Remove the "hidden" field from content element forms
TCEFORM.tt_content.hidden {
  disabled = 1
}
# Localization settings
options.workspaces.considerWorkspaceLanguageRestrictions = 1
5. Developer
Purpose: Technical configuration, templates, extensions
Modules:
- All Web modules
- Site Management > Sites
- Admin Tools > Extensions
- System > DB Check
Tables:
Listing: All tables
Modify: pages, tt_content, sys_template, sys_file_storage
TSconfig:
# Show technical fields
options.showDatabaseFields = 1
# Allow clearing page caches and all caches
options.clearCache.pages = 1
options.clearCache.all = 1
# Database tools
options.enableShowPalettes = 1
6. Read-Only Auditor
Purpose: View content without editing
Modules:
- Web > Page (view only)
- Web > List (view only)
Tables:
Listing: pages, tt_content, sys_file_metadata
Modify: [none]
TSconfig:
# Disable all editing
options.disableDelete = 1
options.enableCopyToClipboard = 0
# Read-only mode
TCEFORM {
  pages.title.config.readOnly = 1
  tt_content.header.config.readOnly = 1
}
# Hide edit buttons
options.hideRecords = 1
Frontend User Roles
Basic Member
Access:
- View members-only content
- Download resources
- Access profile page
Configuration:
User Group: Basic Members (FE)
Page Access: Member Pages (PID 100-110)
Premium Member
Access:
- All Basic Member access
- Premium content sections
- Exclusive downloads
- Member forums
Configuration:
User Group: Premium Members (FE)
Subgroup: Basic Members
Page Access: Premium Pages (PID 200-220)
Contributor
Access:
- Submit content for review
- Manage own submissions
- View analytics of own content
Configuration:
User Group: Contributors (FE)
Page Access: Contributor Dashboard (PID 300)
Custom Extension: Content submission form
Testing Permissions
Simulate User
- System → Backend Users
- Click Simulate icon next to user
- Browse backend as that user
- Exit simulation when done
Check Effective Permissions
# Via CLI (TYPO3 12+)
./vendor/bin/typo3 backend:user:permissions john.doe
# Shows:
# - User groups
# - DB mounts
# - File mounts
# - Allowed tables
# - Module access
Debug TSconfig
Web → Info → Page TSconfig
Shows all active TSconfig for current page and user.
Security Best Practices
1. Principle of Least Privilege
Grant minimum permissions needed:
# Start restrictive, add as needed
TCEFORM.tt_content.CType.keepItems = text,textmedia
# Not (an empty removeItems list removes nothing, so all types stay allowed):
TCEFORM.tt_content.CType.removeItems =
2. Use Groups, Not Individual Permissions
Always assign permissions via groups, not directly to users.
Good:
User: john.doe
Groups: Content Editors, News Managers
Bad:
User: john.doe
Groups: [none]
Individual permissions: [configured directly]
3. Regular Permission Audits
- Review user groups quarterly
- Remove unused permissions
- Check for privilege creep
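Added example (not part of the original page or of TYPO3's own code): one way to run such an audit offline, by resolving what each user inherits through groups and subgroups and comparing it with the documented role. All group, user and baseline records are constructed, and the dictionary keys are hypothetical names, not TYPO3 database fields.

```python
# Added example: every record below is constructed sample data.
GROUPS = {
    "Base Users":      {"sub": [], "modules": {"Web > Page"}, "modify": set()},
    "Content Editors": {"sub": ["Base Users"],
                        "modules": {"Web > List", "File > Filelist"},
                        "modify": {"pages", "tt_content", "sys_file_metadata"}},
    "News Managers":   {"sub": ["Base Users"],
                        "modules": {"Web > List", "File > Filelist"},
                        "modify": {"tx_news_domain_model_news",
                                   "tx_news_domain_model_category"}},
    # Drifted group: a module and a table were added on top of the editor role.
    "Campaign Team":   {"sub": ["Content Editors"],
                        "modules": {"Admin Tools > Extensions"},
                        "modify": {"sys_template"}},
}
USERS = {"john.doe": ["Content Editors", "News Managers"],
         "jane.roe": ["Campaign Team"]}
EDITOR_MODULES = {"Web > Page", "Web > List", "File > Filelist"}
EDITOR_TABLES = {"pages", "tt_content", "sys_file_metadata"}
# Documented baseline: what each user's role description says they should hold.
DOCUMENTED = {
    "john.doe": {"modules": EDITOR_MODULES,
                 "modify": EDITOR_TABLES | {"tx_news_domain_model_news",
                                            "tx_news_domain_model_category"}},
    "jane.roe": {"modules": EDITOR_MODULES, "modify": EDITOR_TABLES},
}
SENSITIVE = ("Admin Tools", "System", "Site Management")

def effective(user):
    """Union of grants from the user's groups and all their subgroups."""
    out, seen, todo = {"modules": set(), "modify": set()}, set(), list(USERS[user])
    while todo:
        name = todo.pop()
        if name in seen:            # also guards against subgroup cycles
            continue
        seen.add(name)
        out["modules"] |= GROUPS[name]["modules"]
        out["modify"] |= GROUPS[name]["modify"]
        todo.extend(GROUPS[name]["sub"])
    return out

def creep(user):
    """Grants beyond the documented baseline, plus any sensitive modules held."""
    eff, base = effective(user), DOCUMENTED[user]
    return {"extra_modules": sorted(eff["modules"] - base["modules"]),
            "extra_modify": sorted(eff["modify"] - base["modify"]),
            "sensitive": sorted(m for m in eff["modules"] if m.startswith(SENSITIVE))}

if __name__ == "__main__":
    for user in USERS:
        print(user, creep(user))
```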
4. Separate Admin Accounts
Never use admin accounts for daily work:
john.doe (Content Editor) - Daily work
john.doe.admin (Admin) - Emergency only
5. Document Roles
Maintain documentation of each role's purpose and permissions.
Troubleshooting
User Can't See Module
Check:
- Module enabled in user group
- Extension providing module is installed
- User has necessary table permissions
- TSconfig not hiding module
User Can't Edit Content
Check:
- Table in "Tables (modify)" list
- Page permissions allow editing
- User has DB mount to page
- Content not outside allowed area
Changes Don't Apply
Try:
- Clear all caches
- Re-login user
- Check TSconfig inheritance
- Verify group assignment