When setting permissions, you need to consider multiple levels and 2 different permission systems ( https://docs.joomla.org/J3.x:Access_Control_List_Tutorial) - access permissions for all actions but view (edit, delete, create) and view levels for view action. First let's take a look at the later:
View Levels
Is simplified permission system used just for view action. There is no inheritance between levels - user either has access or not on each level, system works as a filter that keeps away those without access.
Menu - first step to consider is menu based permission - you need to set the right level on the menu, which is the first step for users trying to access some URL - if a there is no access on the menu level user won't be able to view anything.
Search & List type - here we need to consider access level set on the whole Search&List type, which is a first step and a second step - individual access levels set on each field. But remember - you can't grant access on the lower level to someone that was already denied access on the higher level, so e.g. with special set on type, public level on the individual fields has no effect.
Article (Joomla setting) - comes into play when you view single item in content view, either linked from menu directly or from Seblod Search/List. With Seblod single article functions as container around content view, so if user does not have the right to access the article he also won't have access to the Seblod content that displays inside the article.
Form & Content type - same as on Search&List there is Form&Content type level and individual fields settings. Field level setting makes things very flexible, e.g. you can show different fields/content to the public user than to logged in users, for instance just show intro-text and a link to registration form for public and the whole text to the logged in - registered group.
Access Control List
Is a real permission system used for all (other) actions. Main difference compared to the view levels is inheritance - each setting is calculated from multiple levels of settings, which effectively means that you don't have to set anything if higher levels suit your requirements. Joomla uses "first deny wins" rule, so if something is denied to the user on the higher level it can't be allowed on the lower. Beside direct levels described bellow, you also need to consider group inheritance - child groups inherit settings from their parent.
Global Permissions and Component Permissions - this are top levels that come from Joomla and pre-determine permissions that can be set on the Form&Content/Search&List types and fields. Global permissions are set in Joomla configuration and Component permissions are set in Seblod component options. See article on Joomla docs for details. In short - to be able to set certain permission, e.g. edit or create in Seblod, leave this permission set to Inherited on this higher levels.
NOTE: As described in the linked article, there are also Category and Article permissions, but they are only used to calculate access when one is using Joomla functionality to link to content - one example would be native edit button on the article. This permissions are not used to calculate access to the S&L/F&C types (on the individual fields level ACL Restriction plugin from ACL pack bring an exception to this rule, see bellow)
Form & Content type
Permissions for the whole type are set in the type configuration slider (click a small arrow on the top right)
This is the primary way to set permissions in Seblod, so let's take a look at the individual permissions set here and their meaning:
- Create - permission to create new content. You can also set total maximum allowed number of items in parent content type (Max. in Parent), maximum allowed number of items in parent content type per author (Max. in Parent/Author) and maximum allowed number of items per author in this content type (Max. / Author)
- Delete - permission to delete any content from this content type. Delete Own only allows deletion of own items (where author is set to current user).
- Edit - permission to edit any content from this content type. Edit Own limits this ability to users items.
Additionally you can apply permissions on the field level using ACL Restriction plugin from ACL Pack.
Using
this plugin you can show different fields to different type of users,
e.g. show only content related fields on the form to the registered
users and additional publishing fields to the editors. This plug-in also allows to apply
Content-based permissions (i.e. "Can Edit" / "Can Edit Own”
permissions set on individual articles)
You can also combine this field with Seblod break plugin, which will apply restriction to all fields that follow it, so that you don't have to set it to the each individual field, see Using the plugin Field SEBLOD Break for details.
Search & List
By default there is no permission setting on the search and lists, but using ACL Restriction plugin you can implement permission based restrictions on the individual fields, this way you can show or hide a field to users with certain permission, same way as in Form&Content type