Security: How to Restrict Access to Your Module Using Magento 2 ACLs
Securing the Magento 2 admin panel is critical for protecting sensitive store data and preventing unauthorized actions. One of the most powerful security mechanisms Magento provides is Access Control Lists (ACLs).
ACLs allow you to control which admin users or roles can access specific modules, menu items, and actions. In this guide, you will learn how to restrict access to a custom Magento 2 module using ACLs, following Magento best practices.
Table of Contents
- Understanding Access Control Lists (ACLs)
- Types of Access Control Lists
- Creating the acl.xml File
- Defining Resources and Permissions
- Managing Admin Menu Items
- Implementing ACL Rules
- Testing and Verifying Access Restrictions
- Conclusion
Understanding Access Control Lists (ACLs)
An Access Control List (ACL) is a set of rules that determines who can access a resource and what level of permission is granted. In Magento 2, ACLs are primarily used to secure the admin panel.
ACLs define which admin users or roles can view, edit, or manage specific sections of the backend such as modules, configuration pages, menus, and controller actions.
Magento ACLs follow a hierarchical structure, allowing you to define permissions at multiple levels with fine-grained control. This hierarchy makes it easy to manage access logically and securely.
Types of Access Control Lists
In general computing, ACLs are categorized into two main types:
- File System ACLs: Control access to files and directories at the operating system level. They define what actions users can perform once authenticated.
- Network ACLs: Manage network traffic by specifying which data packets or connections are allowed through routers and switches.
In the context of Magento 2, ACLs focus on application-level access, specifically within the admin panel.
Creating the acl.xml File
To define access rules for your custom Magento 2 module, you must create an acl.xml file. This file declares the resources and permissions that govern access to your module.
The ACL configuration file must be placed in the following directory:
app/code/Vendor/Module/etc/adminhtml/acl.xml
This ensures the ACL rules apply only to the admin area and do not affect frontend behavior.
Defining Resources and Permissions
In Magento 2, a resource represents something that can be protected—such as a module, menu entry, configuration page, or controller action.
Resources are defined hierarchically and typically extend from the Magento_Backend::admin resource.
Each resource represents a permission that can be assigned to admin roles. When defining ACL resources, clarity and consistency in naming are important for long-term maintainability.
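As an added example (not code from the original post), here is a complete etc/adminhtml/acl.xml for a hypothetical Vendor_Module that puts both sections above into practice: the module's resources hang off Magento_Backend::admin, and a separate resource for its configuration section is nested under Magento_Config::config so it shows up in the right place in the role tree. Vendor_Module, the resource ids and the titles are placeholders; the root element, the acl.xsd schema URN and the id/title/sortOrder attributes are the standard Magento 2 ones.

```xml
<?xml version="1.0"?>
<!-- app/code/Vendor/Module/etc/adminhtml/acl.xml (example; names are placeholders) -->
<config xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
        xsi:noNamespaceSchemaLocation="urn:magento:framework:Acl/etc/acl.xsd">
    <acl>
        <resources>
            <!-- Everything an admin user can be granted descends from this root. -->
            <resource id="Magento_Backend::admin">

                <!-- Top-level entry for the module; child resources inherit its
                     position in the role tree, so a role can be given the whole
                     subtree or only selected leaves. -->
                <resource id="Vendor_Module::top_level" title="Vendor Module" sortOrder="100">
                    <resource id="Vendor_Module::manage" title="Manage Items" sortOrder="10"/>
                    <resource id="Vendor_Module::manage_delete" title="Delete Items" sortOrder="20"/>
                </resource>

                <!-- Resource guarding the module's section under
                     Stores > Configuration. Nesting it under Magento_Config::config
                     mirrors where that section lives in the admin. -->
                <resource id="Magento_Backend::stores">
                    <resource id="Magento_Backend::stores_settings">
                        <resource id="Magento_Config::config">
                            <resource id="Vendor_Module::config" title="Vendor Module Section" sortOrder="50"/>
                        </resource>
                    </resource>
                </resource>

            </resource>
        </resources>
    </acl>
</config>
```

Two conventions worth keeping: prefix every id with the module name (Vendor_Module::...) so ids cannot collide with other modules, and split destructive operations (such as Vendor_Module::manage_delete above) into their own leaf resource so a role can be granted read/edit access without the ability to delete. After changing this file, flush the configuration cache; the new resources only appear under System > Permissions > User Roles once the cache is rebuilt.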
Managing Admin Menu Items
Admin menu items are closely tied to ACL resources. Each menu item can be associated with a specific ACL resource, which determines whether the item is visible and accessible to a given user role.
If a user does not have permission for the associated ACL resource:
- The menu item will not be visible
- Direct URL access will be denied
- The user may see an “Access Denied” message
This makes ACL-based menu association a critical part of securing your module’s admin interface.
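The following etc/adminhtml/menu.xml is an added example (not from the original post) showing how each menu entry is bound to one of the ACL resources declared in acl.xml through the resource attribute. Vendor_Module, the ids, titles and the action route vendor_module/item/index are placeholders; the add element and its id/title/module/sortOrder/parent/action/resource attributes are the standard Magento 2 menu schema.

```xml
<?xml version="1.0"?>
<!-- app/code/Vendor/Module/etc/adminhtml/menu.xml (example; names are placeholders) -->
<config xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
        xsi:noNamespaceSchemaLocation="urn:magento:module:Magento_Backend:etc/menu.xsd">
    <menu>
        <!-- Top-level menu entry. It has no action of its own; it is shown only
             if the current role is allowed Vendor_Module::top_level. -->
        <add id="Vendor_Module::top_level"
             title="Vendor Module"
             module="Vendor_Module"
             sortOrder="100"
             resource="Vendor_Module::top_level"/>

        <!-- Child entry that links to the module's admin controller. The
             resource attribute hides the link for roles without that permission;
             the controller itself must still check the same resource, because
             hiding a menu item does not block direct URL access. -->
        <add id="Vendor_Module::manage"
             title="Manage Items"
             module="Vendor_Module"
             sortOrder="10"
             parent="Vendor_Module::top_level"
             action="vendor_module/item/index"
             resource="Vendor_Module::manage"/>
    </menu>
</config>
```

Use the same resource id in menu.xml as in the controller that the action points at; if the two differ, a user can end up with a visible link to a page they are denied, or, worse, a hidden link to a page they can still open by typing the URL.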
Implementing ACL Rules
ACL rules connect defined resources to actual permissions. These rules determine whether a given admin user role is allowed to access a resource.
Once ACL resources are defined:
- They appear under System → Permissions → User Roles
- Administrators can assign or revoke access per role
- Magento automatically enforces access restrictions
Magento also supports advanced ACL configurations such as inherited permissions and wildcard rules, enabling precise control over complex admin structures.
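The piece that actually enforces a rule at request time is the admin controller. The class below is an added example (not from the original post): a hypothetical Vendor\Module\Controller\Adminhtml\Item\Index whose ADMIN_RESOURCE constant names the acl.xml resource it requires. The namespace, resource id and page title are placeholders; Magento\Backend\App\Action, the ADMIN_RESOURCE constant and the _isAllowed() check it feeds are Magento's own.

```php
<?php
declare(strict_types=1);

// app/code/Vendor/Module/Controller/Adminhtml/Item/Index.php (example; names are placeholders)
namespace Vendor\Module\Controller\Adminhtml\Item;

use Magento\Backend\App\Action;
use Magento\Framework\App\Action\HttpGetActionInterface;
use Magento\Framework\Controller\ResultFactory;
use Magento\Framework\Controller\ResultInterface;

class Index extends Action implements HttpGetActionInterface
{
    /**
     * ACL resource this action requires. Magento\Backend\App\AbstractAction::_isAllowed()
     * calls $this->_authorization->isAllowed(static::ADMIN_RESOURCE) before execute()
     * runs and redirects to the "Access Denied" page when the check fails.
     *
     * The id must match the one declared in etc/adminhtml/acl.xml. If the constant is
     * omitted, the inherited default 'Magento_Backend::admin' applies, which every
     * admin user holds, so the action would be open to all admin roles.
     */
    public const ADMIN_RESOURCE = 'Vendor_Module::manage';

    /**
     * Render the listing page. By the time this runs the ACL check has already passed.
     */
    public function execute(): ResultInterface
    {
        $resultPage = $this->resultFactory->create(ResultFactory::TYPE_PAGE);
        // Highlight the matching menu item; same id as in menu.xml.
        $resultPage->setActiveMenu('Vendor_Module::manage');
        $resultPage->getConfig()->getTitle()->prepend(__('Manage Items'));

        return $resultPage;
    }
}
```

Give each action class its own constant rather than one shared value for the whole module: a Delete controller declaring ADMIN_RESOURCE = 'Vendor_Module::manage_delete' can then be granted or revoked independently of the listing and edit screens, which is the fine-grained control the hierarchy in acl.xml is there to provide. A quick review check for a module is to grep its Controller/Adminhtml directory for classes that lack an ADMIN_RESOURCE constant; each one falls back to the permissive default.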
Testing and Verifying Access Restrictions
Testing ACL configurations is essential to ensure security rules work as expected. Improper ACL setup may lead to accidental access denia