Magento Website – Restricting Admin Access to Specific System Configuration Fields.

Magento Enterprise has some amazing features out of the box that allow you to restrict roles to specific web sites and sections. Unfortunately, the system out of the box doesn't let you micro-manage the configuration fields. Imagine a scenario where you want an admin user to be able to edit certain configuration fields, but not all of them. Out of the box Magento lets you limit roles to certain sections like "Store Email Addresses" or "Contacts", but it doesn't let you limit each individual item.

For example, I want an admin group to be able to go into the backend and edit the "Store E-mail Addresses", but I don't want them to be able to edit anything other than the fields "Custom E-mail 1" and "Custom E-mail 2". Well, I have a down-and-dirty way to hide fields from your admin users. Follow my steps and you will be able to limit the system configuration on your admin web site beyond the out-of-the-box norm. This tutorial requires you to know a bit about CSS and PHP.

Step one, create the role that you want to limit. To do this, log in as your super-admin, the admin that has permissions to every section of the Magento backend. Navigate to System > Permissions > Roles. Next click on "Add New Role". Name the role anything you want, like "limitedadmin". Then click on the "Role Resources" tab and select the resources you want the admin to have access to. For me in this example I want to limit my admin to only the "Store Email Addresses" located in the "System > Admin" section. To do this I uncheck all of the resources except "Configuration" and "Store Email Address Section". Next hit Save. You are done with step one… Yay!

Step two, give a user the new admin role. To do this go to "System > Permissions > Users". Click on "Add New User". Enter the required information and then select "User Roles". On the next page you might see a few user roles; make sure you select the one you just created. So for me I selected "limitedadmin". Then hit "Save User". You are done with step 2!!

Step three, find out what your default admin user role is. To do this go to "System > Permissions > Roles". Next, where you see the list of roles, on the left hand side you should see a column that says "ID". Write down the role name that has an ID of "1". Now you are done with step three and we can start coding!

Log in to your FTP client and navigate to the following directory:

You are going to be editing the file head.phtml. Make sure you back this file up before you edit it.
Open the file and paste in the following code at the very bottom of the file:

<?php
$roleId = implode('', Mage::getSingleton('admin/session')->getUser()->getRoles());
$roleName = Mage::getModel('admin/roles')->load($roleId)->getRoleName();
// Only non-super-admin roles get the stylesheet that hides fieldsets; it is served from the admin skin directory.
if ($roleName != "your-super-admin-role-name-here") { echo '<link rel="stylesheet" type="text/css" href="' . $this->getSkinUrl('css_not_super_admin.css') . '"/>'; }
?>

Where you see your-super-admin-role-name-here, replace it with the role name you wrote down before. This should be your master admin role, and make sure you keep the quotation marks around the name. Basically we are telling the system that when you log in, if you are NOT in the super admin role, then put a link to a CSS file called css_not_super_admin.css in the page's head. The CSS file will be located in the base skin URL of your admin site and is where we will control the display of the fields. Now save the file and upload it to the server.

Next, in your FTP client navigate to /app/code/core/Mage/Adminhtml/Block/System/Config/Form, find the file Fieldset.phtml and copy it to your local machine. We will be editing this file but placing it in the app/code/local directory of the site. Why? Because you don't want to mess with the core files; if anything happens to them you are screwed. So next navigate to app/code/local.

Now if you see this directory, navigate to it: /app/code/local/Mage/Adminhtml/Block/System/Config/Form

If that directory doesn't exist on your server then make it! Go to your FTP client and navigate to app/code/local. Then add the folder Mage, then go into Mage and add the folder Adminhtml… Continue this until you have made the directory Form. Copy Fieldset.phtml into the Form directory.

Now open the Fieldset.phtml file you just copied and look for the following line:

$html = '<div class="entry-edit-head collapseable" ><a id="'.$element->getHtmlId().'-head" href="#" onclick="Fieldset.toggleCollapse(\''.$element->getHtmlId().'\', \''.$this->getUrl('*/*/state').'\'); return false;">'.$element->getLegend().'</a></div>';

Replace it with the following:

$html = '<div class="entry-edit-head collapseable '.$element->getHtmlId().'-adminroll" ><a id="'.$element->getHtmlId().'-head" href="#" onclick="Fieldset.toggleCollapse(\''.$element->getHtmlId().'\', \''.$this->getUrl('*/*/state').'\'); return false;">'.$element->getLegend().'</a></div>';

You will notice that we changed the div's class attribute to read class="entry-edit-head collapseable '.$element->getHtmlId().'-adminroll". Basically we are adding a class made of the element's ID, a hyphen, and adminroll. This arbitrary class lets us add CSS to control the elements we want to hide. I made the system produce something arbitrary like element-id-adminroll so that it would not conflict with any other CSS we might already have. Save the file and upload it to the server!

Now log in to the backend of your Magento web site using the role that you want to limit! When you are logged in, right-click in your browser and view the page source. Scroll down to just above the </head> and confirm that the CSS link you added appears. If it doesn't, you did something wrong.

It should look something like:

<link rel="stylesheet" type="text/css" href=""/>

This will give you a hint on where to add your CSS file. So in this case, since I am using Magento Enterprise Edition, it is located in the enterprise directory. For your web site it might be default/base or default/default. Once you find out which directory you need to place your CSS in, navigate to it using your FTP client.

Once in the directory, create a new .css file named css_non_admin.css. Now you can use basic CSS to limit which fields you want the admin to see. So for me I used the following…

/* Store E-mail Addresses */
#config_edit_form .trans_email_ident_general-adminroll, #config_edit_form .trans_email_ident_sales-adminroll, #config_edit_form .trans_email_ident_support-adminroll {display:none !important}

Now when I navigate to the Store E-mail Addresses section using my non-super-admin user on my Magento web site, I only see the fields Custom E-mail 1 and Custom E-mail 2.
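Hiding a fieldset with CSS only changes what the browser renders; the config save action still accepts every group it receives in the POST. The observer below, an added example that is not part of the original post, enforces the same restriction on the server using the page's own role lookup. It assumes a custom module (placeholder name My_ConfigLimit) whose config.xml registers the method under adminhtml/events on the controller_action_predispatch_adminhtml_system_config_save event; the role name and the allowed group ids are placeholders matching the tutorial.

```php
<?php
// Added example, not from the original post: server-side counterpart to the CSS hiding.
// Assumed module: My_ConfigLimit (placeholder), registered in config.xml under
// <adminhtml><events><controller_action_predispatch_adminhtml_system_config_save>.
class My_ConfigLimit_Model_Observer
{
    // Placeholder, the same value the head.phtml snippet compares against.
    const SUPER_ADMIN_ROLE = 'your-super-admin-role-name-here';
    // Config groups (section => group ids) a limited role may save. The ids match the
    // htmlId prefixes in the CSS above: trans_email_ident_custom1, trans_email_ident_custom2.
    protected $_allowed = array(
        'trans_email' => array('ident_custom1', 'ident_custom2'),
    );

    public function restrictConfigSave(Varien_Event_Observer $observer)
    {
        $controller = $observer->getEvent()->getControllerAction();
        $request    = $controller->getRequest();
        // Same role lookup as in head.phtml.
        $roleId   = implode('', Mage::getSingleton('admin/session')->getUser()->getRoles());
        $roleName = Mage::getModel('admin/roles')->load($roleId)->getRoleName();
        if ($roleName == self::SUPER_ADMIN_ROLE) {
            return; // the super admin keeps full access
        }
        $section = $request->getParam('section');
        $groups  = $request->getPost('groups');
        if (!isset($this->_allowed[$section]) || !is_array($groups)) {
            return; // sections outside the list stay governed by the normal ACL
        }
        // Drop every posted group the role may not touch, whether or not it was visible.
        $dropped = array();
        foreach (array_keys($groups) as $groupId) {
            if (!in_array($groupId, $this->_allowed[$section], true)) {
                unset($groups[$groupId]);
                $dropped[] = $groupId;
            }
        }
        if ($dropped) {
            // saveAction() reads getPost('groups'), so override the POST data it will see.
            $request->setPost('groups', $groups);
            Mage::getSingleton('adminhtml/session')->addNotice(
                Mage::helper('adminhtml')->__('Ignored restricted groups: %s', implode(', ', $dropped))
            );
            Mage::log(sprintf('Config save by role "%s" dropped groups: %s', $roleName, implode(',', $dropped)));
        }
    }
}
```

The log line gives you a record of any save that tried to include a hidden group, which is worth watching since the CSS alone leaves no trace.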

I hope this helps your magento experience!