Permissions & access
Understand the two permission modes and how access control works across the component.
Overview
Frontend UserManager supports two permission modes that control who can manage users, user groups and access levels. The mode is selected in component settings.
Both modes share one thing in common: Frontend Superusers always have full access to everything, regardless of the mode.
Mode comparison
| Aspect | Hierarchical (default) | Joomla standard |
|---|---|---|
| User visibility | Only users within the admin's branch of the group tree | All users (subject to hidden groups) |
| Permission source | Frontend UserManager config (frontend superusers + admin groups) | Joomla ACL for com_users |
| User group management | Frontend Superusers only | Users with core.manage on com_users |
| Access level management | Frontend Superusers only | Users with core.manage on com_users |
| Administrator badge | Shown in user group list | Hidden |
| Administrator field | Shown in user group editor | Hidden |
| Backend consistency | Frontend-only permissions (independent of backend) | Same permissions as Joomla backend |
| Best for | Multi-tenant / department-based management | Flat structures or centralised administration |
Hierarchical mode (default)
Hierarchical mode uses a 3-layer access system based on the Joomla user group tree:
Layer 1: Frontend Superusers
Users in groups configured as Frontend Superusers have full access to everything:
- Manage all users regardless of group membership
- Create, edit and delete user groups
- Create, edit and delete access levels
Layer 2: Admin User Groups
Users in groups configured as Admin User Groups can manage users within their hierarchical scope:
- See and manage users who are members of their parent group and all descendant groups
- Create new users within their scope
- Edit and delete users within their scope
- Cannot manage user groups or access levels
Layer 3: No access
Users not in either group are redirected to the user list (if they have basic view access) or the site homepage.
How hierarchical scope works
An admin user's scope is determined by their position in the group tree:
In this example, a user in "Company A Admins" can manage users in "Company A", "Sales" and "Engineering" — but not in "Company B" or "Warehouse".
An admin group can manage its parent group and all groups that are descendants of the parent. This means the admin can manage users at the same level and below in the tree, including other admin groups under the same parent.
Joomla standard mode
Joomla standard mode delegates permissions to Joomla's built-in ACL system for the com_users component. This means the same permissions that control user management in the Joomla backend also apply in the frontend.
| Joomla permission | What it enables |
|---|---|
core.manage |
Access the component; view users, user groups and access levels. |
core.create |
Create new users and user groups. |
core.edit |
Edit existing users and user groups. |
core.delete |
Delete users and user groups. |
To configure these permissions in Joomla:
- Go to Users → Options in the Joomla backend.
- Click the Permissions tab.
- Set the appropriate permissions for each user group.
Even in Joomla standard mode, the Frontend Superusers setting is respected. Users in those groups always have full access, regardless of their Joomla ACL permissions.
Built-in protections
Regardless of the permission mode, these security rules always apply:
| Protection | Description |
|---|---|
| Self-protection | Users cannot edit, delete or block their own account. |
| Joomla Super Users | Members of Joomla's built-in "Super Users" group (ID 8) are never shown and cannot be managed. |
| Frontend Superusers | Members of Frontend Superuser groups cannot be edited or deleted by non-superusers. |
| Login required | Guest users are always redirected to the login page. |
Switching between modes
You can switch between hierarchical and Joomla standard mode at any time in the component settings. The change takes effect immediately.
- Admin group settings are preserved when switching — they are simply ignored in Joomla standard mode.
- The administrator badge and field in user groups are automatically hidden/shown based on the active mode.
- No data is lost when switching.
Choosing the right mode
Use hierarchical mode when:
- You have multiple departments or organisations on the same Joomla site.
- Each department should only manage its own users.
- You want a simple 3-layer system without configuring Joomla ACL.
- Department admins should not see users from other departments.
Use Joomla standard mode when:
- You have a flat organisational structure.
- You want the same permissions in both frontend and backend.
- You need granular per-action permissions (create vs. edit vs. delete).
- All administrators should be able to see all users.
