How to Define Access Control List

Access control consists of two steps:

  • Creating ACL resources
  • Enforcing the rights

Creating ACL resources

You can create two types of ACL resources: entity and action. An entity ACL attaches a permission (for example EDIT) to an entity class; an action ACL protects a named capability that is not tied to a particular entity.

There are two ways of defining the ACL:

  1. In YourCustomBundle/Resources/config/acl.yml

    # YourCustomBundle/Resources/config/acl.yml
    your_custom_entity_edit:
        type: entity
        class: YourCustomBundle:CustomEntity
        permission: EDIT

    your_custom_action:
        type: action
        label: Your custom action

    The ids declared in acl.yml are then referenced from the controller with @AclAncestor:

    // YourCustomBundle/Controller/CustomController.php
    use Oro\Bundle\SecurityBundle\Annotation\AclAncestor;

    class CustomController extends AbstractDoctrineController
    {
        /**
         * @AclAncestor("your_custom_entity_edit")
         */
        public function editAction()
        {
            // ...
        }

        /**
         * @AclAncestor("your_custom_action")
         */
        public function customAction()
        {
            // ...
        }
    }

  2. Directly in the controller using annotations

    // YourCustomBundle/Controller/CustomController.php
    use Oro\Bundle\SecurityBundle\Annotation\Acl;

    class CustomController extends AbstractDoctrineController
    {
        /**
         * @Acl(
         *      id="your_custom_entity_edit",
         *      type="entity",
         *      class="YourCustomBundle:CustomEntity",
         *      permission="EDIT"
         * )
         */
        public function editAction()
        {
            // ...
        }

        /**
         * @Acl(
         *      id="your_custom_action",
         *      type="action",
         *      label="Your custom action"
         * )
         */
        public function customAction()
        {
            // ...
        }
    }

To use the entity ACL type, you must also add a @Config annotation to your entity:

// YourCustomBundle/Entity/CustomEntity.php
use Oro\Bundle\EntityConfigBundle\Metadata\Annotation\Config;

/**
 * @Config(
 *  defaultValues={
 *      "entity"={"label"="Custom entity", "plural_label"="Custom entities"},
 *      "security"={
 *          "type"="ACL",
 *          "group_name"=""
 *      }
 *  }
 * )
 */
class CustomEntity
{
    // ...
}

For a more complete explanation of the ACL options, refer to the OroSecurityBundle documentation.

Enforcing the rights

Controller actions annotated with @Acl or @AclAncestor are already protected: a request from a user who lacks the right is rejected before the action runs. To check rights anywhere else (inside an action that only sometimes needs a privilege, or in a view), you can either use the SecurityFacade component or test the right directly in templates. Note that a template check only hides markup; it does not stop a user from calling the underlying route, so every sensitive operation still needs a server-side check as well.

  • Using SecurityFacade:

    # YourCustomBundle/Resources/config/services.yml
    services:
        # placeholder service id: use the id of your own controller service
        your_custom_bundle.controller.custom:
            class: YourCustomBundle\Controller\CustomController
            parent: pim_catalog.controller.abstract_doctrine
            calls:
                - [ setSecurityFacade, ['@oro_security.security_facade'] ]

    // YourCustomBundle/Controller/CustomController.php
    use Oro\Bundle\SecurityBundle\SecurityFacade;

    class CustomController extends AbstractDoctrineController
    {
        /** @var SecurityFacade */
        private $securityFacade;

        public function setSecurityFacade(SecurityFacade $securityFacade)
        {
            $this->securityFacade = $securityFacade;
        }

        public function removeAction()
        {
            if ($this->securityFacade->isGranted('your_custom_action')) {
                // Access is granted, execute the custom action
            }
        }
    }

  • In Twig templates:

    {% if resource_granted('your_custom_action') %}
        {# Some protected content here #}
    {% endif %}
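The SecurityFacade snippet above shows the check but leaves the "not granted" path empty, which silently turns a denied request into a no-op that still returns a normal response. The following controller is an added example, not code from the original page or from Oro/Akeneo, showing the fail-closed form a practitioner would want: the route is protected by the page's `your_custom_action` ACL, and a second, runtime check on the page's `your_custom_entity_edit` ACL denies explicitly with `AccessDeniedException` (which Symfony turns into a 403). The `force` request flag, the pairing of removal with the EDIT right, the `JsonResponse` return type and the placeholder `// ...` removal step are assumptions made for the example.

```php
<?php
// YourCustomBundle/Controller/CustomController.php (added example, not from the original page)
// AbstractDoctrineController is the PIM base controller referenced on this page;
// its import is omitted here because the page does not give its namespace.

use Oro\Bundle\SecurityBundle\Annotation\AclAncestor;
use Oro\Bundle\SecurityBundle\SecurityFacade;
use Symfony\Component\HttpFoundation\JsonResponse;
use Symfony\Component\HttpFoundation\Request;
use Symfony\Component\Security\Core\Exception\AccessDeniedException;

class CustomController extends AbstractDoctrineController
{
    /** @var SecurityFacade */
    private $securityFacade;

    // Injected through the `calls` entry of the controller service definition.
    public function setSecurityFacade(SecurityFacade $securityFacade)
    {
        $this->securityFacade = $securityFacade;
    }

    /**
     * The annotation rejects callers without `your_custom_action` before the
     * method body runs. The body then enforces a second, data-dependent right:
     * for this example we assume a "force" removal also requires the EDIT
     * permission on the entity, i.e. the page's `your_custom_entity_edit` ACL.
     *
     * @AclAncestor("your_custom_action")
     */
    public function removeAction(Request $request)
    {
        // Hypothetical request flag for the example; read as a strict boolean.
        $force = $request->request->getBoolean('force', false);

        // Fail closed: throw instead of silently skipping the privileged path.
        // An empty "not granted" branch would return 200 and hide the refusal
        // from both the caller and the access logs.
        if ($force && !$this->securityFacade->isGranted('your_custom_entity_edit')) {
            throw new AccessDeniedException(
                'EDIT permission on CustomEntity is required for a forced removal.'
            );
        }

        // ... perform the removal here, honouring $force ...

        return new JsonResponse(['removed' => true, 'forced' => $force]);
    }
}
```

The same rule applies to the Twig form: `resource_granted()` is the right tool for deciding whether to render a "Remove" button, but the button's target route must still carry its own `@Acl`/`@AclAncestor` annotation or an explicit `isGranted()` check like the one above.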