AdminUser
The AdminUser entity extends the User entity. It exists to provide administrator accounts that have access to the administration panel.
How to create an AdminUser programmatically?
An AdminUser is created like any other Sylius resource: through its factory. By default, a new AdminUser has the administration role assigned.
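As an added example (not code from the Sylius documentation or the Sylius project), a small application service that creates an AdminUser through its factory and persists it. It assumes the sylius.factory.admin_user and sylius.repository.admin_user services are injected as the two constructor arguments, and that the default admin locale is en_US.

```php
<?php

declare(strict_types=1);

namespace App\Service;

use Sylius\Component\Core\Model\AdminUserInterface;
use Sylius\Component\Resource\Factory\FactoryInterface;
use Sylius\Component\Resource\Repository\RepositoryInterface;

final class AdminUserCreator
{
    public function __construct(
        // Assumed wiring: sylius.factory.admin_user and sylius.repository.admin_user
        private FactoryInterface $adminUserFactory,
        private RepositoryInterface $adminUserRepository,
    ) {
    }

    /**
     * @param string[] $extraRoles roles to add on top of the default administration role
     */
    public function create(string $email, string $plainPassword, array $extraRoles = []): AdminUserInterface
    {
        // Refuse to silently create a duplicate account for an existing e-mail address.
        if (null !== $this->adminUserRepository->findOneBy(['email' => $email])) {
            throw new \RuntimeException(sprintf('An admin user with email "%s" already exists.', $email));
        }

        /** @var AdminUserInterface $adminUser */
        $adminUser = $this->adminUserFactory->createNew(); // already carries the default administration role
        $adminUser->setEmail($email);
        $adminUser->setUsername($email);
        // The plain password is hashed by Sylius's password updater listener when the entity is persisted,
        // so the hashed value, not the plain text, ends up in the database.
        $adminUser->setPlainPassword($plainPassword);
        $adminUser->setEnabled(true);
        $adminUser->setLocaleCode('en_US'); // assumed default locale

        foreach ($extraRoles as $role) {
            $adminUser->addRole($role);
        }

        $this->adminUserRepository->add($adminUser);

        return $adminUser;
    }
}
```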
Administration Security
By default, Sylius secures the administration panel routes (/admin/*) with a firewall; its configuration can be found in the security.yaml file.
Only logged-in AdminUsers are allowed to access these routes.
Access Control via Administrator Roles (ACL/RBAC)
RBAC (Role Based Access Control) or ACL (Access Control Layer) is an approach to restricting system access for users by means of roles. It is required by the majority of enterprise-level companies, thus it is provided in the Sylius Plus edition.
A Role is a set of permissions to perform certain operations within the system, which is assigned to a chosen Administrator.
The Sylius Plus implementation of this system derives the assignable permissions from routing. This allows, for example, granting a role access only to the show actions of a chosen entity (such as Products or Orders).
It is important to know that one Administrator can have multiple roles assigned.
The RBAC system in Sylius Plus also lets you temporarily disable the Permission Checker for a chosen Administrator.
You can disable the permission checker for an administrator not only via the UI but also with a Symfony command:
bin/console sylius-plus-rbac:disable-admin-permission-checker <email>
The Sylius Plus fixture suite provides a few roles as examples of how you can shape the roles in your system:
SUPER_ADMIN - with access to everything including role management
PRODUCT_MANAGER - with access to product catalog management with inventory, associations, options, taxons, etc.
FULFILLMENT_WORKER - with access to order management, product catalog show, inventory management, and shipments
Customizing the permissions tree
How to add a new permission?
Let’s assume that you would like to add a new permission to the ACL. You will need to add these few lines to the config.yml:
You can also add a permission while defining the route. However, this will not work when you have defined or imported permissions with the same id in the config.yml:
For this permission you will need to add translations:
How to modify permission?
If you would like to modify an existing permission, for example the permission to complete a payment:
You can also modify the permission where the route is overwritten, although this will not work when you have defined or imported permissions with the same id in config.yml:
You can find the default configuration of some permissions in the src/Resources/config/permissions.yaml file.
How to delete permission?
If you want to remove a permission, you have to overwrite the permission configuration and set the enabled field to false:
or overwrite the route, although this will not work when you have defined or imported permissions with the same id in the config.yml:
“Access denied” view customization
When an administrator does not have access to a given route, Twig’s path() and url() functions return ACCESS_DENIED. You can adjust the view using CSS and JavaScript selectors. For example:
More examples can be found under the src/Resources/public/* path.
You can also use a Twig function:
Administrators per Channel
It is possible to choose a channel to which an Administrator has access. This is done on the Administrator’s configuration page. If no channel is chosen for an Administrator, they have access to all channels.
Once a channel is chosen for an Administrator, their access is restricted within the Sales section of the main menu in the Admin Panel. Thus they see only orders, payments, shipments, return requests, invoices and credit memos from the channel they have access to.
Additional Admin User Fixtures
Three new fields have been added to the Admin User fixtures: channel, roles and enable_permission_checker. They can be configured as below: