Understanding Access Control List In nopCommerce

In this article we will cover Access Control List (ACL) feature of nopCommerce that is an open-source E-commerce solution based on ASP.NET MVC.

Access Control List (ACL) according to Wikipedia definition:
"ACL specifies which users or system processes are granted access to objects, as well as what operations are allowed on given objects. Each entry in a typical ACL specifies a subject and an operation."

In nopCommerce, Access Control List (ACL) is basically a list of permissions attached to an object. This list specifies the access rights of users to objects. This list is managed by administrators. Therefore, the user must have administrator rights to access it.

The access list contains the following characteristics:
  • Access control list is role-based (such as, Content Managers, Global Administrators and more) - This list can be managed in the Administration Area in the Customers Roles.
  • Access control list appears in the Administration area - Ensure the user is an administrator in order to access it.
  • Predefined administrator actions exist - These include Manage Orders or Manage Customers and much more.
We can view the ACL in nopCommerce as follows:

Managing ACL permissions in administration section

To manage an access control list:

From the Configuration menu, select Access Control List. The Access control list window is displayed, as follows:

access control list

Select the required role beside the Customer action item.

  • Administrators
  • Forum Moderators
  • Guests
  • Registered
  • Vendors 
Note: These customer roles are not hard-coded and can be configured in the Administration area, by selecting Customer Roles from the Customers menu.

Using Access Control List (ACL) for products, categories & manufacturers

Sometimes, online businesses (e-Commerce stores) sell certain types of products to specific customers only. In those cases, it is quite important for e-Commerce stores to make use of feature like ACL (Access Control List) so that the front-end experience for the online shoppers will be seamless.


Amazon offers a great variety of products on their store site and shipping options vary for different products, categories and manufacturers/brands depending on the location of the item (or warehouse). Amazon offers a paid service known as “prime membership” to online shoppers that comes with many perks including fast shipping. If a product is applicable for “prime shipping”, how does Amazon site knows that which customers should be able to see and select the prime shipping option during checkout process? Well, the answer is “Access Control List”. When any customer becomes a prime member, a special role is assigned to that customer in the database. Now, based on that role, the customers gets the permission to see the prime shipping option during the checkout process. On the other hand, customers with no prime membership role do not see that option during the checkout. This is a perfect example of ACL in online business.

To configure ACL:

From the Catalog menu, select Products > Manage Products.

The Manage Products window is displayed.

Click Edit beside the product to edit. The Edit product details window is displayed - Select the Access Control List tab, as follows:

Select the Subject to ACL checkbox, to enable configuring the access control at the product level (showing specific products based on customer roles).

The window is expanded, as follows:

Select the required customer roles having access to this product.

  • Administration
  • Forum Moderators
  • Guests
  • Registered
  • Vendors 

Note: These customer roles are not hard-coded and can be configured in the Administration area, by selecting Customer Roles from the Customers menu.

You can do the same for product categories and manufacturers.

Using Access Control List (ACL) for topic pages

This option will help store owners to give restricted access to different topic pages based on the user roles. Hence, it is a great feature in regard to security of the store store and keeping the private pages hidden from the public.

Go to: Administration section > Content Management > Topics (Pages)

Once you are on the topics (pages) section, select any topic for which you would like to setup the access control list (ACL). In this example, we will select "About us" topic page.

Now, select "Access control list" tab like this:

You should be able to see these options:

Subject to ACL: [CHECK]

Determines whether the topic is subject to ACL (access control list).

Customer roles: [SELECT ROLE]

Select customer roles for which the topic will be shown.

After configuring the access control list (ACL) for your topic, go to public store, login with user role that you just selected and you should be able to see the result depending on the permission you gave to the user role.

Steps for hiding menu items in administration section via ACL based on roles

Since nopCommerce offers a great feature called "Access control list", it does makes sense that an administrator of any website (or store site) would like to show or hide some pages or menu item to give limited access to other users who are maintaining the site or have access to the admin section.

Having an option to hide menu items based on roles is a very useful feature and it can be used in many different scenarios / situations where administrator gives access to other users to maintain the site or to add data/content but do not want those users to see private pages. This feature of hiding menu items is NOT available in nopCommerce by default as it is a custom feature that can vary for each website administrator.

The best way (or cleanest way) to accomplish this is by adding "Permission name" so that you can manage this feature in your admin side also and you don't have to rely on changing code every now and then.

Right now it is visible to everyone like this:

Step 1: If we look into the code in this location: Nop.Admin > sitemap.xml (Open this sitemap file).

Many users might think that they can simply remove the menu item from the sitemap but the only problem of this approach is that it will remove the menu item for all roles (including Administrator).

In your sitemap, if you observe other menus, you will see a property "Permission Name" and if you compare other menus with Help menu, you will not see that property. Add this property in your help menu like this:

  1. <siteMapNode SystemName="Help" nopResource="Admin.Help" PermissionNames="ManageHelpMainMenu" ImageUrl="~/Administration/Content/images/ico-help.png">  
  2.     <siteMapNode SystemName="Help topics" nopResource="Admin.Help.Topics" PermissionNames="ManageHelpSubMenu1" url="http://docs.nopcommerce.com/display/nc/nopCommerce+Documentation?utm_source=admin-panel&utm_medium=menu&utm_campaign=admin-panel" />  
  3.     <siteMapNode SystemName="Community forums" nopResource="Admin.Help.Forums" PermissionNames="ManageHelpSubMenu2" url="http://www.nopcommerce.com/boards/?utm_source=admin-panel&utm_medium=menu&utm_campaign=admin-panel" />  
  4.     <siteMapNode SystemName="Premium support services" nopResource="Admin.Help.SupportServices" PermissionNames="ManageHelpSubMenu3" url="http://www.nopcommerce.com/p/541/nopcommerce-premium-support-services.aspx?utm_source=admin-panel&utm_medium=menu&utm_campaign=admin-panel" />  
  5. </siteMapNode>   

P.S. If you notice, I have named "PermissionNames" property differently for each menu item in "Help" menu. The only reason is to show you how it can work for complete menu item or its sub-menu items in case you would like to hide only the sub-menu items for any user based on his/her role.

Step 2: Now go to your Now to your nopCommerce database table and look for the table "PermissionRecord"

Add this as a new line / record (for Main menu "Help"):

  • Name: Admin area. Manage Help Main Menu
  • SystemName: ManageHelpMainMenu
  • Category: Configuration 

In the same manner, I am adding new line / record for each sub menu like this:

Step 3: Now restart your complete project again and login as admin. You will notice that you will not see "Help" menu. The reason is because you have added a new property and by default you are not allowed to see it. Go to Access Control List and you should see a new properties that you just added like this:

Step 4: Check these properties for your role "Administrator" and once you save it you will see the Help menu.

Same way you can give control / hide menus for other users based on roles from the access control list.

  • Access to only “sub-menu 1”,

  • Access to only “sub-menu 2

  • Access to only “sub-menu 3

  • Access to only “main menu” (no sub-menus)

  • download nopCommerce
  • nopCommerce Version (used in this article): Version 3.70
Read more articles on Open Source:


Build smarter apps with Machine Learning, Bots, Cognitive Services - Start free.

Start Learning Now