Initial Phase of the ACL Enhancement Initiative

Categories: Development, Community, TYPO3 CMS. Created by Marcin Sągol
Work has begun on the access control list (ACL) enhancement initiative. With the analysis and research phases complete, we now have an initial set of insights to draw on. Next up is finalizing the scope with the TYPO3 Core Team and then starting the implementation. Read on for the full update.

As many of you may know, last year, our team at Macopedia proposed a budget idea for enhancements in the access management system of TYPO3. This proposal was accepted for implementation in the first quarter of 2024 following a voting process, allowing us to commence our work. However, before diving into the code modifications, we needed to undertake several essential preparatory steps. Let's explore what has been accomplished so far and where we currently stand with our efforts.

Phase 1: Technical Analysis of the Current Implementation of ACLs in TYPO3

When we proposed the idea, we had several areas for improvement in mind. Although we were familiar with the general concept of ACLs in TYPO3, we aimed to conduct a more in-depth technical investigation to understand the underlying implementation. To this end, we began by analyzing the code, compiling technical documentation for future reference, and undertaking various other research activities. Our goal was to find answers to the following questions:

  • What do you get just after installation?
  • Does the Introduction Package or the Bootstrap Package set any default permissions?
  • What are the common challenges encountered when setting permissions?
  • What steps are required to set up permissions immediately after installation?
  • Are there any documented best practices?
  • Are there any ready-to-use groups?
  • How is ACL maintained during website development?
  • How are permissions set for Workspaces?
  • Are there any community extensions that extend or improve ACL management?

As a result of this research, we have compiled a document summarizing everything from the analysis phase.

Phase 2: Outline the MVP for the ACL Improvements

As a second step, we drafted the minimum viable product (MVP) for the budget idea. The draft is based on our initial discussion at the end of 2023 (before submitting the idea proposal) and on the results of the research described above.

For Q1 2024, we want to:

  • Update documentation to describe best practices for setting ACLs, possibly including a tutorial within the TYPO3 backend.
  • Create default backend user groups that can be created during the installation process.
  • Assign default groups to newly created pages.

Given our limited timeframe for more complex changes in Q1, we have outlined some ideas for Q2 which include:

  • Deployable permission sets.
  • UI/UX enhancements in the backend module for better management of ACLs, including an improved overview of backend users and groups.
  • Enable extension developers to define configuration presets for their features, which can then be manually applied to backend user groups.
  • Implement a notification mechanism to alert administrators about new permissions available for configuration or updates.

We will submit these initiatives for upcoming budget ideas in 2024.

Phase 3: Gather Feedback From the Community

After drafting our proposed changes, we decided to seek feedback from the vibrant TYPO3 community. This step ensures that the direction of our changes aligns with the needs and desires of developers and agencies, confirming that our efforts are both valuable and supported.

We created a poll titled TYPO3 ACL - Setup Experience Survey, comprising a total of 16 questions. The survey was announced on January 23, 2024, through the Access Control List Usage and Improvements — Community Survey blog post on the typo3.org website, as well as on various social media channels. We asked respondents to share their level of experience with TYPO3, describe their typical projects in terms of ACL management, and outline the challenges they encounter in this area. We also asked them to highlight the good practices they adhere to, and identify potential areas for improvement.

A summary of the results is included in this article. Read on to see the insights we gathered.

Next Steps: Establishing the Scope

Now that we have gathered feedback from the community and understand the challenges developers typically encounter when managing ACLs in TYPO3, we are set to finalize the MVP version for Q1. Additionally, we are likely to submit proposals for the Q2 budget to continue with the changes.

The extent of the changes we plan to implement in Q1 will be discussed with members of the TYPO3 Core team. We aim to schedule a meeting with Core team members to review the survey results, propose our changes, and ultimately agree on the MVP scope that will be implemented.

As we are progressing with two ideas that were approved for Q1, we are adhering to our internal schedule. Below is the plan for the ACL improvements in the upcoming weeks:

Plan

  • Schedule a call with Core team members. We will share our insights and our proposed scope for the improvements, using documents prepared from the survey results and our internal research as the entry point for the discussion. Based on feedback from Core team members, we will define the set of changes to implement. The result of this meeting will be the MVP scope.
  • MVP Implementation phase
  • Code review and feedback from Core team on MVP
  • Final fixes and changes based on feedback from Core team
  • Blog post about budget idea summarizing whole work

Summary of the TYPO3 ACL — Setup Experience Survey

The community survey ran from 23 January to 1 February, 2024. After closing it, we began analyzing the results, which included responses from 69 participants representing various agencies and end users. Here we share some key highlights.

Experience Level and Ease of ACL Setup

Firstly, we asked participants to share their level of experience with TYPO3. Of those, 88.4% indicated they have an advanced level of expertise, while 11.6% described their experience level as intermediate. Based on this, we can confidently infer that the feedback received largely comes from highly experienced users who have been working with TYPO3 for a long time and are well-acquainted with it. This means we also need to acknowledge that our feedback does not adequately cover the perspectives of new users who are just starting with TYPO3.

Next, we asked respondents to rate on a scale from 1 (very difficult) to 5 (very easy) how straightforward they find the process of setting permissions in TYPO3. The two most common responses were that 40.6% found it difficult (rating it a 2) and 39.1% thought it was average (rating it a 3). Additionally, 15.9% of respondents considered it easy (rating it a 4), while the extreme values together accounted for 4.3% (1.4% rating it very difficult (1) and 2.9% finding it very easy (5)). In other words, roughly four out of five respondents, most of them advanced users, rate the process as difficult or merely average, which indicates that it could benefit from some improvements.

Roles, Projects, and Process

Next, we aimed to collect feedback on the systems and projects with which users and agencies are involved. These results are presented in the form of charts. It's important to note that we created custom ranges to group the answers effectively, given the diversity of responses received.

The charts cover the following questions (the charts themselves are not reproduced in this text):

  • On average, how many backend users do you typically have?
  • Out of all your backend users, how many are administrators?
  • On average, how many root pages (sites) do your projects typically have?
  • On average, how many file mounts do your projects typically have?
  • How do you manage ACL (Access Control Lists) during your website development process? Do you set and update permissions immediately after new features appear in the testing environment, or do you handle this only in the pre-production or production enviro

Challenges and Suggestions for Improvement

We included several open-ended questions in our survey, allowing respondents to freely share their knowledge on topics such as best practices for setting up permissions, main challenges encountered during the setup process, any missing tools or features that could improve permission configuration in TYPO3, and suggested improvements. Often, responses were duplicated across these areas, with the same suggestions appearing multiple times. Due to the voluminous feedback received (for which we are thankful!), we will not detail every response here. Instead, we will summarize those suggestions that were most frequently mentioned.

What are the main challenges you face when configuring permissions for backend users in TYPO3?

  • No deployable, version-controllable (VCS) representation of permissions; they live only as database records, so every environment has to be set up manually
  • Permissions are often set incorrectly, or only set, in the production environment, requiring post-launch adjustments
  • Difficulty in locating the correct checkboxes due to a vast array of options
  • Users forget to update permissions when new fields are added, without any alerts or notifications
  • User experience and interface issues, including poorly structured sections and suggestions for using tabs for better organization
  • Lack of a search function for finding specific fields or options
  • Difficulty in finding the right items, compounded by mixed sorting of translated and untranslated items
  • Challenges in determining the source of permissions or identifying redundant permissions due to a complex hierarchy of backend groups
  • Developers have to create custom extensions to address these issues

Are there any features or tools you believe would enhance the permission configuration process in TYPO3?

  • Deployable permissions in config files (instead of DB records)
  • Support for import/export of file-based configuration
  • Wizards for setting up groups and certain permissions
  • Access to pages by several configurable user groups
  • Scriptable REST API / PHP API to CRUD groups or page permissions
  • A lot of suggestions regarding changes to UX/UI in the backend module (simplify the interface, reorganize it, use tabs, allow searching/filtering fields, etc.)

What improvements would you suggest to make the process of setting up permissions more user-friendly and efficient?

For this question, many respondents pointed out that they had already given their hints in the previous questions. Still, many again opted for deployable permission sets stored in VCS-friendly files, and some for an option to export and import them (possibly through both a GUI and CLI commands).

Other suggestions included allowing extensions to provide pre-defined ACLs, adding default groups, and a large number of UI/UX improvements. Since it would be hard to mention them all, please see the list below. In general, the suggestions are about:

  • Improve the organization of module forms by adopting a more horizontal layout, reducing vertical scrolling, and incorporating more tabs.
  • Simplify permission forms to make them more understandable.
  • Introduce the ability to search/filter fields and options.
  • Combine the "list tables" and "edit tables" sections into a single list of tables with two checkboxes (list and modify) per item.
  • Develop a wizard for setting permissions to streamline the process.
  • Provide a better graphical overview of groups and users, including details on the rights they inherit and a visual representation of this inheritance.
  • Enhance the sorting of items in lists so they are grouped in a way that makes them easier to locate.
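Two of the points above, determining where a permission comes from in a chain of subgroups and identifying redundant grants, and the request for an overview of inherited rights, come down to the same resolution step. The following is an added example, not code from TYPO3 core or from the Macopedia initiative. It resolves a group's effective permissions through its subgroup chain the way a reviewer would before trusting a revocation. The column names subgroup, tables_select, tables_modify and groupMods are the real be_groups columns; the group records themselves are constructed sample data, and the script deliberately models only these comma-list fields (not non_exclude_fields, page-type restrictions, TSconfig or page-level permissions), so it is a review aid rather than a replacement for TYPO3's own access checks.

```python
"""Resolve the effective permissions of a TYPO3 backend group through its
subgroup chain and report which group grants each item.

Added example, not TYPO3 core code. The records below are constructed sample
data shaped like rows of the be_groups table (uid, title, subgroup,
tables_select, tables_modify, groupMods). Run it against an export of your own
be_groups table to find grants that are duplicated across the hierarchy.
"""

# Constructed sample: uid -> be_groups row. Groups 4 and 5 reference each
# other to show that a cyclic subgroup chain must not loop forever.
SAMPLE_GROUPS = {
    1: {"title": "Base editors", "subgroup": "",
        "tables_select": "pages,tt_content", "tables_modify": "tt_content",
        "groupMods": "web_layout"},
    2: {"title": "News editors", "subgroup": "1",
        "tables_select": "tx_news_domain_model_news",
        "tables_modify": "tx_news_domain_model_news,tt_content",
        "groupMods": "web_list"},
    3: {"title": "Chief editors", "subgroup": "2,1",
        "tables_select": "", "tables_modify": "pages",
        "groupMods": "web_layout,web_info"},
    4: {"title": "Cyclic A", "subgroup": "5",
        "tables_select": "pages", "tables_modify": "", "groupMods": ""},
    5: {"title": "Cyclic B", "subgroup": "4",
        "tables_select": "", "tables_modify": "pages", "groupMods": ""},
}

# Comma-separated list fields that TYPO3 merges across a user's groups.
LIST_FIELDS = ("tables_select", "tables_modify", "groupMods")


def split_list(value):
    """Split a TYPO3 comma list, dropping blanks and surrounding whitespace."""
    return [item.strip() for item in value.split(",") if item.strip()]


def expand_groups(groups, uid, seen=None):
    """Return the uids contributing to group `uid` (itself first), depth-first.

    Every uid is visited at most once, so a cycle in `subgroup` terminates;
    unknown uids (dangling references) are skipped.
    """
    if seen is None:
        seen = []
    if uid in seen or uid not in groups:
        return seen
    seen.append(uid)
    for sub in split_list(groups[uid]["subgroup"]):
        expand_groups(groups, int(sub), seen)
    return seen


def effective_permissions(groups, uid):
    """Map field -> {item: [uids granting it]} for `uid` and all its subgroups."""
    result = {field: {} for field in LIST_FIELDS}
    for gid in expand_groups(groups, uid):
        for field in LIST_FIELDS:
            for item in split_list(groups[gid][field]):
                result[field].setdefault(item, []).append(gid)
    return result


def redundant_grants(groups, uid):
    """Items granted by more than one group in the chain.

    Such a grant survives if it is removed from only one group, which is the
    usual reason a revocation in the backend module appears to have no effect.
    """
    return {
        field: {item: sources for item, sources in items.items() if len(sources) > 1}
        for field, items in effective_permissions(groups, uid).items()
    }


def report(groups, uid):
    """Human-readable summary of redundant grants for one group."""
    lines = []
    for field, items in redundant_grants(groups, uid).items():
        for item, sources in items.items():
            names = ", ".join(f"{g} ({groups[g]['title']})" for g in sources)
            lines.append(f"{field}: {item} granted by groups {names}")
    return lines


if __name__ == "__main__":
    for uid in (3, 4):
        print(f"Group {uid} resolves to {expand_groups(SAMPLE_GROUPS, uid)}")
        for line in report(SAMPLE_GROUPS, uid):
            print("  " + line)
```

For the sample data, group 3 ("Chief editors") turns out to hold tt_content modify rights twice (via groups 2 and 1) and the web_layout module twice (directly and via group 1); removing either grant in the backend module alone would change nothing, which is exactly the kind of surprise a least-privilege review needs to catch. The same traversal is the basis for the inheritance overview respondents asked for: the `sources` list for each item is the provenance that the current backend module does not show.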

We also directly inquired about two of our proposed ideas for implementation in this community budget for Q1. We were interested in the respondents' opinions on having 2–4 pre-configured backend user groups and introducing a feature that would allow extension developers to offer permission presets. Here are the results:

Do you think having 2-4 pre-configured backend user groups would be helpful in streamlining the process of configuring access permissions in TYPO3?

Do you think a feature that allows extension developers to define permission presets (for modules, tables etc.) applicable to backend user groups would be helpful?

Thank you to all the survey participants for your invaluable feedback. We greatly appreciate the time and effort you took to share your experiences and suggestions!

Additional contributors for this article
  • Copy Editor : Felicity Brand
  • Content Publisher : Mathias Bolt Lesniak