Users and User Groups in Joomla

26 May 2026

Users are at the heart of every Joomla website. The moment you add a login form, a members area, or a backend editor, you step into Joomla's user system.

That system looks simple on the surface, but it touches almost every part of Joomla: visibility of articles and modules, backend access, editorial workflows, custom fields, security, and even how your extensions behave.

Who you are, what you can see, and what you can do.

This article explains how Joomla users really work. It covers the basics for website owners, the practical setup for administrators, and the technical details for developers. You will learn how user accounts, user groups, viewing access levels, and permissions fit together, and how to avoid the most common mistakes.

The goal is simple: help you understand Joomla's user system well enough to manage it with confidence.

1. The Basics

1.1 Why Users Matter

Without proper user management, every visitor sees the same website. There is no way to restrict admin access, no way to protect content, no membership area, and no separation between editors and visitors. Security incidents tend to follow quickly.

With Joomla's user system, you can run public, members-only, and staff-only content side by side. You can hand specific tasks to specific people, you can offer self-service registration and password reset, and you can enable multi-factor authentication.

1.2 The Three Pillars

Joomla splits user management into three independent building blocks. Understanding these three pillars is the key to the whole system:

Pillar	Answers the question	Where to find it
User Groups	Who are you?	Users → Groups
Viewing Access Levels	What may you see?	Users → Access Levels
Permissions (ACL)	What may you do?	Global Configuration plus every component, category, and item

The rest of this article is about how these three pillars combine.

1.3 Where Do I Find Users?

In the Joomla 6 backend, the user system is managed under the Users menu:

Users → Manage          (all user accounts)
Users → Groups          (user groups)
Users → Access Levels   (viewing access levels)
Users → Fields          (custom profile fields)
Users → User Notes      (internal notes per user)

Permissions live in a separate place: the Permissions tab inside Global Configuration, inside each component's Options, and inside categories and items.

2. The User Account

2.1 What is a Joomla User?

A user is a single account that can log in to the frontend, the backend, or both. Each user is one row in the #__users database table. A user is linked to one or more groups, and may have profile fields, user notes, and multi-factor authentication methods attached.

A user has a unique id, username, and email. A user without any group is technically valid, but cannot log in anywhere.

2.2 Account Fields

Every Joomla user account has these built-in fields:

Name: the display name, shown on articles and contact forms.
Username: used to log in (case-sensitive in Joomla 6).
Email: must be unique across the site.
Password: bcrypt hashed, never stored as plain text.
Registered Date / Last Visit / Last Reset: timestamps that Joomla maintains automatically.
Block: disables login without deleting the account.
Receive System Emails: opt-in for admin notifications.
Require Password Reset: forces a password change on next login.

2.3 Creating a User

There are two ways to create a user in Joomla:

Backend: Users → Manage → New. An administrator creates the account, picks the group, and sets the password. Sending an email is optional.
Frontend: the registration view at /index.php?option=com_users&view=registration. The visitor self-registers and lands in the Registered group by default.

The activation flow for self-registration is controlled in Global Configuration → Users → Component. You can choose none, self-activation, or admin activation.

2.4 Two Ways to Switch Off a User

Option	What it does	When to use
Block	The account stays, but login is refused.	Temporary suspension, or a user who may return.
Delete	The user row is removed from the database.	Account never used, or a GDPR erasure request.

Deleting a user does not delete their content. Articles keep created_by set to the old id, which now points to nothing. If attribution matters, reassign authorship first, then delete.

2.5 User Notes - the Forgotten Feature

Under Users → User Notes you can attach internal notes to any user. User Notes are:

Categorised (yes, User Notes use com_categories too).
Useful for support tickets, membership history, and moderation logs.
Invisible to the user themselves.

Many site owners never discover User Notes, but they are a great audit trail for membership sites and client portals.

3. User Groups

3.1 What is a User Group?

A user group is a labelled bucket of users. The group on its own carries no permissions. Permissions are assigned to the group later, through the ACL.

Three rules to remember:

A user can belong to multiple groups at the same time.
Groups can be nested in a parent-child tree.
A child group inherits its parent's permissions, unless you override them.

The group is the single most important ACL concept. Get groups right, and the rest of the system falls into place.

3.2 The Default Groups in Joomla 6

Out of the box, Joomla ships with this group tree:

Public
 ├── Guest
 ├── Manager
 │    └── Administrator
 ├── Registered
 │    └── Author
 │         └── Editor
 │              └── Publisher
 └── Super Users

Each group serves a specific role:

Public: every visitor, logged in or not.
Guest: explicitly not logged in.
Registered: any logged-in frontend user.
Author, Editor, Publisher: increasing content rights on the frontend.
Manager, Administrator: backend access with increasing privilege.
Super Users: unrestricted, can do anything anywhere.

3.3 Inheritance in Practice

A group inherits permissions, not users. This is a common point of confusion. An example:

Adding a user to Editor does not automatically add them to Author.
But the Editor group inherits Author's permissions, so an Editor can do everything an Author can.
If you set "Delete" to Denied on Editor, the inheritance breaks for that one action.

In short: inheritance flows down the group tree, but user assignments are leaf assignments only.

3.4 Creating a Custom Group

Go to Users → Groups → New. Only two fields are required:

Field	Purpose
Group Title	The display name, such as Newsroom Editors.
Group Parent	Where the group slots into the tree.

The parent choice decides which permissions you start with. Pick the closest match, so you have fewer things to override later.

Common real-world custom groups:

Members (parent: Registered): paying members of a community.
Moderators (parent: Editor): forum or comment moderation.
Site Admins (parent: Administrator): backend access without Super User rights.

3.5 Many-to-Many in Action

A single user can sit in several groups at the same time. Example: Jane is a Newsroom Editor on the content side and a Forum Moderator.

Open Users → Manage → Jane → Assigned User Groups.
Tick both groups.
Jane now gets the union of the two groups' permissions.

If one group Allows an action and another group does not, Allow wins, unless a third group explicitly Denies the same action. The "Deny always wins" rule is what makes this combination safe.

4. Viewing Access Levels

4.1 What is a Viewing Access Level?

A viewing access level answers a single question: "Which groups are allowed to see this thing?"

Viewing access levels are found under Users → Access Levels. Each access level has a title and a list of groups that are granted access. The level can then be assigned to articles, modules, menu items, categories, contacts, and almost any other content type.

The difference between groups and access levels is subtle but important:

A group says who you are.
A viewing access level says who is allowed to see this content.

4.2 The Default Access Levels

Out of the box, Joomla provides these access levels:

Level	Granted to	Typical use
Public	Public group	Anyone, logged in or not.
Guest	Guest group	Visible only to anonymous visitors.
Registered	Registered and all child groups	Logged-in members only.
Special	Author and above	Editors, staff, and admins.
Super Users	Super Users only	Sensitive admin-only modules.

4.3 Creating a Custom Access Level

A typical real-world need is: "Premium members can read the full article; everyone else sees only the teaser."

Go to Users → Access Levels → New and configure it like this:

Title:    Premium Content
Groups:   [x] Premium Members
          [x] Super Users        (always include, or you lock yourself out)

Now set the Access field of any article to Premium Content, and only premium members (plus Super Users) will see it.

4.4 The Guest Access Level Trick

The Guest access level is granted only to the Guest group: visitors who are not logged in. This level is a great tool for login-aware websites.

Classic uses:

A "Login" module that disappears once the user is logged in.
A "Sign up for our newsletter" banner aimed at anonymous visitors only.
Teaser content swapped for the full version after login.

You can combine a Guest module and a Registered module on the same position. Joomla shows the correct one based on the visitor's login state.

4.5 Where Access Levels Apply

The same access level dropdown appears in many places. Access levels gate visibility on:

Articles, Categories, and Featured items.
Menu items (a Registered-only menu item disappears for anonymous visitors).
Modules (per position, per page).
Contacts, Newsfeeds, and Banners.
Custom Fields (hide individual fields by access level).

Same dropdown, same effect, everywhere.

5. Permissions (ACL)

5.1 From Visibility to Action

Access levels decide who can see. Permissions decide who can do. The Joomla ACL answers questions like:

May this group create articles?
May they edit only their own articles, or any article?
May they publish?
May they delete articles inside a specific category?
May they log in to the backend at all?

5.2 The Standard Action Set

Most components expose the same set of actions. Some add their own on top:

Action	Meaning
Site Login	May log in on the frontend.
Administrator Login	May log in on the backend.
Offline Access	May see the site while in offline mode.
Super User	Unrestricted, overrides everything below.
Configure	May edit a component's Options.
Access Administration Interface	May open the component in the backend.
Create	May create new items.
Delete	May delete items.
Edit	May edit any item.
Edit State	May publish, unpublish, archive, or trash items.
Edit Own	May edit only items they created themselves.
Edit Custom Field Value	May change values in custom fields.

5.3 The Four Permission States

For every combination of action and group, you pick one of these states:

State	Effect
Inherited	Take whatever the parent context says (this is the default).
Allowed	Explicitly grant the action.
Denied	Explicitly forbid the action, and lock it at all lower levels.
Not Set	Only at the top of the tree, treated as Denied.

After saving, Joomla shows the calculated result next to your setting: Allowed, Not Allowed, or the dreaded Not Allowed (Locked).

5.4 The Permission Hierarchy

Permissions cascade through four levels, each able to override the one above:

Global Configuration
 └── Component Options (for example com_content)
       └── Category permissions
             └── Item permissions (per article)

The practical approach is:

Set a baseline at Global Configuration.
Tighten or loosen per component.
Override per category for sections like "Press Releases - staff only".
Use the item level only as a last resort.

5.5 The Deny Trap

The most important ACL rule in Joomla is short: Deny always wins.

If a group is Denied at Global Configuration, no Allow further down can rescue it. The lower levels will literally show Not Allowed (Locked) and grey out the dropdown.

Practical guidelines:

Default to Inherited everywhere.
Use Allowed to grant rights downward.
Use Denied only when you want the rule to be permanent and absolute, usually at the Global level for safety.
If you lose a permission and cannot figure out why, walk up the tree looking for a Deny.

5.6 Global Configuration: Permissions Tab

Open System → Global Configuration → Permissions. This sets the default for the entire site. A typical baseline looks like this:

Group	Site Login	Admin Login	Super User
Public	Inherited (Not Allowed)	Inherited	Inherited
Registered	Allowed	Inherited	Inherited
Author / Editor / Publisher	Allowed	Inherited	Inherited
Manager	Allowed	Allowed	Inherited
Administrator	Allowed	Allowed	Inherited
Super Users	Allowed	Allowed	Allowed

Get this layer right, and about 80% of ACL "weirdness" disappears.

5.7 Component-level Permissions

Every component has an Options button in the toolbar with its own Permissions tab. For com_content (Articles) you can, for example:

Tighten Create so only Authors and above can write articles.
Allow Edit State for Publishers, but not for Authors and Editors.
Grant Access Administration Interface to a Newsroom group without making them Manager.

This is where most day-to-day ACL configuration lives.

5.8 Category-level Permissions

Open any category and select the Permissions tab. Here you can fine-tune rights for a specific section:

Members may Create articles in the Member Stories category.
Members may Edit Own but not Edit (other people's items).
Newsroom may Edit State in Press Releases but nowhere else.

Category permissions are the right tool for multi-team editorial workflows. They let you separate newsroom, blog, and member-content teams without ever giving anyone "Edit" globally.

5.9 Item-level Permissions

Every article (and many other items) has its own Permissions tab. Use it sparingly: lock down a single sensitive article, or open one item to a wider group as an exception. If you find yourself overriding permissions on many individual items, the better solution is usually a new category.

5.10 Worked Example: Newsroom Editors

The goal is a Newsroom Editors group that can fully manage the Press Releases category, and nothing else. The steps:

Group: create Newsroom Editors with parent Registered.
Global Configuration → Permissions: grant Newsroom Editors both Site Login and Administrator Login as Allowed.
Articles Options → Permissions: grant Newsroom Editors Access Administration Interface as Allowed. Leave everything else as Inherited.
Press Releases category → Permissions: grant Newsroom Editors Create, Edit, Edit State, and Delete as Allowed.
All other categories: leave inherited. The newsroom can see other categories, but cannot touch them.

Done. No Super User, no over-privilege.

6. Putting It All Together

6.1 The Full Picture

The relationship between the four ACL concepts is best visualised as a flow:

USER  →  belongs to  →  GROUP(s)
                              │
                              │ grants visibility through
                              ▼
                       ACCESS LEVEL  →  Article / Module / Menu Item
                              │
                              │ grants actions through
                              ▼
                       PERMISSIONS (ACL)
                       ├── Global Configuration
                       ├── Component
                       ├── Category
                       └── Item

In short: a user is in a group; a group unlocks access levels and carries permissions; access levels gate visibility; permissions gate actions.

6.2 Frontend vs Backend Access

Goal	How to configure
Visitor can read public articles	Default settings, Public access level.
Visitor must log in to read	Set the article Access field to Registered.
Logged-in user can submit articles	Group has Create permission on the category, plus a frontend menu item for submission.
User can manage articles in /administrator	Group has Administrator Login plus Access Administration Interface on the component.

Frontend and backend are gated by the same ACL. Only the permission flags differ.

7. Multi-Factor Authentication and Security

7.1 Native MFA in Joomla 6

Joomla 4 introduced native multi-factor authentication, and Joomla 6 refines it further. The supported methods are:

TOTP: time-based one-time passwords, used by Google Authenticator and similar apps.
WebAuthn: passkeys and hardware security keys.
YubiKey: a hardware token.
Email OTP: a code sent by email.
Fixed code: only useful for testing.

Each user can opt in to MFA, or you can enforce it for entire groups through the Captive MFA plugin. Backup codes are generated automatically, and you should always remind users to store them in a safe place.

7.2 The Captive Login Flow

Joomla uses a captive model: a logged-in user without a satisfied MFA requirement is trapped on the MFA setup page until they complete it. They cannot navigate away.

You can configure this under Users → Manage → Options → Multi-factor Authentication. It is a powerful way to enforce an organisational security policy without writing a single line of code.

7.3 Useful User-related Plugins

Several plugins extend Joomla's user system. You can find them under System → Manage → Plugins filtered by User and Authentication:

User - Joomla: core profile sync, do not disable this one.
User - Profile: extra profile fields, such as date of birth or terms of service acceptance. You can use Joomla's custom fields in Users for that too.
User - Contact Creator: automatically creates a Contact entry for every new user. It does NOT synchronize data after the user/contact have been created.
Authentication - Joomla / LDAP / Cookie: different login methods.
Multi-factor Authentication - ...: one plugin for each MFA method.

For custom logic, you can write your own User plugin that hooks into events such as onUserBeforeSave, onUserAfterSave, onUserLogin, and onUserLogout.

7.4 Custom Profile Fields

There are two ways to add custom profile data to users:

Custom Fields under Users → Fields: a point-and-click way to add text, list, calendar, media, and other field types. Each field can have its own Access level, so only specific groups see it.
User Profile plugin: a code-defined approach, ideal for required structured data such as date of birth or terms of service acceptance.

In Joomla 6, Custom Fields are usually the right answer. Reach for the plugin only when you need server-side validation logic.

8. Under the Hood (Developer View)

8.1 Getting the Current User

The recommended way to access the current user in Joomla 6 is through the application object:

use Joomla\CMS\Factory;

$app  = Factory::getApplication();
$user = $app->getIdentity();

if ($user->guest) {
    // not logged in
}

echo $user->id;
echo $user->username;
echo $user->name;

The older Factory::getUser() still works, but it is deprecated. Use $app->getIdentity() in new code.

8.2 Checking Permissions in Code

The authorise() method is the heart of the ACL on the PHP side:

$user = Factory::getApplication()->getIdentity();

// Can this user edit any article?
if ($user->authorise('core.edit', 'com_content')) {
    // ...
}

// Can they edit articles in category 7?
if ($user->authorise('core.edit', 'com_content.category.7')) {
    // ...
}

// Can they edit this specific article?
if ($user->authorise('core.edit', 'com_content.article.42')) {
    // ...
}

The asset string (com_content.category.7) walks Joomla up the hierarchy automatically. You do not need to check Global, Component, Category, and Item yourself.

8.3 Checking Access Levels in Code

To check what a user is allowed to see, ask for their authorised view levels:

$user       = Factory::getApplication()->getIdentity();
$viewLevels = $user->getAuthorisedViewLevels();   // array of level IDs

if (in_array($article->access, $viewLevels, true)) {
    // user is allowed to see this article
}

In database queries, the same array is the right-hand side of an IN(...) filter:

$query->whereIn($db->quoteName('a.access'), $user->getAuthorisedViewLevels());

Every core Joomla query that returns content does exactly this.

8.4 Declaring Your Own Actions: access.xml

A custom component declares its action set in administrator/components/com_yourcomp/access.xml:

<?xml version="1.0" encoding="utf-8"?>
<access component="com_yourcomp">
    <section name="component">
        <action name="core.admin"      title="JACTION_ADMIN" />
        <action name="core.options"    title="JACTION_OPTIONS" />
        <action name="core.manage"     title="JACTION_MANAGE" />
        <action name="core.create"     title="JACTION_CREATE" />
        <action name="core.delete"     title="JACTION_DELETE" />
        <action name="core.edit"       title="JACTION_EDIT" />
        <action name="core.edit.state" title="JACTION_EDITSTATE" />
        <action name="core.edit.own"   title="JACTION_EDITOWN" />
    </section>
    <section name="category">
        <action name="core.create"     title="JACTION_CREATE" />
        <action name="core.delete"     title="JACTION_DELETE" />
        <action name="core.edit"       title="JACTION_EDIT" />
        <action name="core.edit.state" title="JACTION_EDITSTATE" />
        <action name="core.edit.own"   title="JACTION_EDITOWN" />
    </section>
</access>

These actions show up as columns on the Permissions tab automatically.

8.5 Useful Database Tables

The Joomla user system uses several core tables:

Table	Holds
`#__users`	User accounts.
`#__usergroups`	The group tree, stored with `lft`/`rgt`.
`#__user_usergroup_map`	Many-to-many mapping of users to groups.
`#__viewlevels`	Access levels with a serialised group list.
`#__assets`	The asset tree, one row per component, category, or item.
`#__user_notes`	User notes, with their own categories.
`#__user_profiles`	Key and value pairs from the User Profile plugin.
`#__user_mfa`	MFA methods per user.

8.6 Inspecting ACL in the Database

The rules column on #__assets is plain JSON. Once you can read it, ACL stops being a black box. Example:

{
  "core.edit":       { "3": 1, "5": 0 },
  "core.edit.state": { "5": 1 },
  "core.delete":     { "8": 1 }
}

Value	Meaning
`1`	Allow
`0`	Deny
Key missing	Inherit from the parent asset

So this asset Allows core.edit for group 3 (Author), Denies it for group 5 (Editor, which means locked), and leaves all other groups inheriting.

8.7 Three SQL Queries Every Joomla Developer Should Know

The following queries help you debug user, group, and ACL issues directly in the database:

1. All groups a user belongs to

SELECT u.username, g.title
  FROM jos_users u
  JOIN jos_user_usergroup_map m ON u.id = m.user_id
  JOIN jos_usergroups g         ON g.id = m.group_id
 ORDER BY u.username;

2. Viewing levels and their group lists

SELECT id, title, rules
  FROM jos_viewlevels;

3. Every asset that has explicit, non-inherited rules

SELECT id, name, rules
  FROM jos_assets
 WHERE rules != '{}';

Swap jos_ for your real database prefix.

9. Common Mistakes and Pitfalls

9.1 Deny is Forever

A Deny at Global Configuration cannot be Allowed lower down. The lower levels will show Not Allowed (Locked) and grey out the dropdown. Use Deny only when you want a rule to be absolute.

9.2 Confusing Group Inheritance with User Inheritance

Inheritance applies to permissions, not to users. Adding a user to Editor does not also add them to Author. But the Editor group still inherits Author's rights for each action.

9.3 Over-using Super User

Super User overrides every Deny and every restriction. It is tempting to grant Super User "just to make it work", but it removes all safety nets. Keep the Super Users group to one or two trusted people.

9.4 Forgetting Super Users in a Custom Access Level

When you create a new viewing access level, always include Super Users in the group list. Otherwise you can lock yourself out of content that only your custom group can see.

9.5 Mixing Up Guest and Public

These two look similar but mean different things:

Public: everyone, logged in or not.
Guest: explicitly not logged in.

A Public module is shown to all visitors. A Guest module is hidden the moment a user logs in.

9.6 Deleting a User Keeps Their Content

If you delete a user, their articles, contacts, and other items remain in the database with a created_by field pointing to a non-existent user. Reassign authorship first, then delete the account.

9.7 Putting Public Inside Custom Access Levels

If you tick the Public group inside a custom access level, that level becomes equivalent to "Public". Anyone can see the content, which defeats the purpose of the custom level.

9.8 Skipping Rebuild After Direct Database Changes

If you bulk-edit rules directly in #__assets or import users through SQL, you may need to rebuild the asset tree and clear the cache. Otherwise the UI keeps showing stale results.

10. Best Practices and Quick Reference

10.1 A Safe ACL Workflow

Plan your groups first, on paper. Draw the tree.
Set Global Configuration permissions to a known-good baseline. Save and test.
Set component-level permissions per component. Save and test.
Only then create custom Access Levels and use them.
Use category-level permissions for editorial workflows.
Touch item-level permissions only as a last resort.
Document every custom group and every custom access level in the site handover document.

A practical rule: if you cannot draw your ACL on one sheet of A4, it is too complex. Simplify.

10.2 Performance Tips

Large ACL trees do cost performance. Common causes of slow sites:

Hundreds of user groups (try to keep it under twenty).
Deeply nested group hierarchies (more than four levels gets slow).
Per-article rule overrides multiplied across thousands of articles.
Too many viewing levels referenced by every query.

If a Joomla site feels slow after a permissions refactor, look at the ACL tree first.

10.3 Cheat Sheet

USER           Users → Manage
GROUP          Users → Groups
ACCESS LEVEL   Users → Access Levels
PERMISSIONS    Global Config + Component Options + Category + Item

GROUP RULE     Multiple groups per user, child inherits parent's permissions
DENY RULE      Deny always wins, no Allow lower down can rescue it
INHERIT FIRST  Default to Inherited everywhere
INCLUDE SU     Always include Super Users in custom access levels
REBUILD        After direct DB changes, rebuild and clear cache
MFA            Users → Manage → Options → Multi-factor Authentication

PHP CURRENT    Factory::getApplication()->getIdentity()
PHP AUTHORISE  $user->authorise('core.edit', 'com_content.category.7')
PHP VIEWLEVELS $user->getAuthorisedViewLevels()
ASSET RULES    #__assets.rules column (JSON: 1 = Allow, 0 = Deny)

10.4 Quick Mental Model

Users are who you are.
Groups bundle users.
Access levels say what you can see.
Permissions say what you can do.

11. Summary

In Joomla, the user system is much more than a login form. It controls almost every layer of the website:

Identity: who can log in and how.
Visibility: which content is shown to whom.
Authority: who can create, edit, publish, and delete.
Security: multi-factor authentication and group-based hardening.
Workflow: editorial teams with clear boundaries.
Developer integration: a shared API for users, groups, and ACL.
Compliance: GDPR, audit trails, and access control.

A well-planned user setup makes a Joomla website safe, predictable, and easy to maintain for years. A bad setup leads to security risks, frustrated editors, and ACL puzzles that grow over time.

If you are planning a new Joomla site, migrating from an older version, or trying to clean up a permissions tangle on an existing site, Check the usersgroups, access levels, and permissions first. Use those three pillars correctly, and Joomla works with you instead of against you.

Peter Martin

Joomla en Linux specialist voor snelle, veilige en schaalbare websites.

12 May 2026