OroSecurityBundle extends Symfony security capabilities to enable a role-based ACL security system in Oro applications. The bundle allows developers to set up access restrictions for entities and non-entity-related actions using PHP attributes and YAML configuration files. It also provides a UI for application administrators to configure entity-specific permissions for user roles based on entity ownership.

Introduction

Introduction to Security

Overview of access control lists, access levels, entity permissions, and the ownership model.

Role-Based Access Control

Understand roles, role hierarchies, and how they map to permissions.

Access Levels and Ownership

Illustrated walkthrough of how access levels and ownership interact in practice.

Access levels

Access is granted at one of the following levels, ordered from most restrictive to most permissive:

Level         | Constant     | Description
------------- | ------------ | -----------
User          | BASIC_LEVEL  | Access to the user’s own records only.
Business Unit | LOCAL_LEVEL  | Access to all records in the user’s assigned business units.
Division      | DEEP_LEVEL   | Same as Business Unit, plus subordinate business units.
Organization  | GLOBAL_LEVEL | Access to all records within the organization.
Global        | SYSTEM_LEVEL | Access to all records in the system (Enterprise only).

Entity permissions

The following permissions can be configured per entity:
Permission | Description
---------- | -----------
VIEW       | Whether a user can view a record.
CREATE     | Whether a user can create a record.
EDIT       | Whether a user can modify a record.
DELETE     | Whether a user can delete a record.
ASSIGN     | Whether a user can assign a record to another user (evaluated on edit).
SHARE      | Whether a user can share a record with another user (Enterprise only).
Field-level permissions (VIEW, EDIT) are also supported.

Configuring permissions for entities

Use the security scope in the #[Config] attribute on an entity class. 'type' => 'ACL' puts the entity under ACL control, and 'permissions' lists which of the entity permissions above can be granted to roles ('All' for the full set):
use Oro\Bundle\EntityConfigBundle\Metadata\Attribute\Config;

#[Config(
    defaultValues: [
        'security' => ['type' => 'ACL', 'permissions' => 'All', 'group_name' => '', 'category' => ''],
        'dataaudit' => ['auditable' => true]
    ]
)]
To restrict available permissions to a subset:
'security' => [
    'type' => 'ACL',
    'permissions' => 'VIEW;EDIT',
    'group_name' => 'DemoGroup',
]
After changing ACL in the #[Config] attribute, run:
php bin/console oro:entity-config:update
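The following is an added example, not code from the OroSecurityBundle documentation or the Oro project: a complete entity that restricts its configurable permissions to a subset and, going one step beyond the fragment above, also declares the ownership fields that the access levels (User, Business Unit, Division, Organization) are compared against. The Acme namespace, the Favorite entity, its table and column names are assumptions; the 'security' and 'ownership' configuration keys are the bundle's standard ones.

```php
<?php
// Added example, not OroSecurityBundle code. Namespace, entity, table and column
// names are assumptions; the 'security' and 'ownership' keys are Oro's standard ones.

namespace Acme\Bundle\DemoBundle\Entity;

use Doctrine\ORM\Mapping as ORM;
use Oro\Bundle\EntityConfigBundle\Metadata\Attribute\Config;
use Oro\Bundle\OrganizationBundle\Entity\Organization;
use Oro\Bundle\UserBundle\Entity\User;

#[ORM\Entity]
#[ORM\Table(name: 'acme_favorite')]
#[Config(
    defaultValues: [
        // Only VIEW, EDIT and DELETE can be granted to roles for this entity.
        // CREATE, ASSIGN and SHARE never appear in the role editor, so they can
        // neither be granted by mistake nor checked for in code.
        'security' => [
            'type' => 'ACL',
            'permissions' => 'VIEW;EDIT;DELETE',
            'group_name' => '',
        ],
        // Ownership tells the ACL voter which user and organization a record belongs
        // to. Without it the access levels have nothing to compare against and a
        // "User" level grant would not restrict anything.
        'ownership' => [
            'owner_type' => 'USER',
            'owner_field_name' => 'owner',
            'owner_column_name' => 'user_owner_id',
            'organization_field_name' => 'organization',
            'organization_column_name' => 'organization_id',
        ],
    ]
)]
class Favorite
{
    #[ORM\Id]
    #[ORM\Column(type: 'integer')]
    #[ORM\GeneratedValue(strategy: 'AUTO')]
    private ?int $id = null;

    #[ORM\Column(type: 'string', length: 255)]
    private ?string $title = null;

    // Column names must match owner_column_name / organization_column_name above.
    #[ORM\ManyToOne(targetEntity: User::class)]
    #[ORM\JoinColumn(name: 'user_owner_id', referencedColumnName: 'id', onDelete: 'SET NULL')]
    private ?User $owner = null;

    #[ORM\ManyToOne(targetEntity: Organization::class)]
    #[ORM\JoinColumn(name: 'organization_id', referencedColumnName: 'id', onDelete: 'SET NULL')]
    private ?Organization $organization = null;

    public function getId(): ?int { return $this->id; }
    public function getTitle(): ?string { return $this->title; }
    public function setTitle(string $title): self { $this->title = $title; return $this; }
    public function getOwner(): ?User { return $this->owner; }
    public function setOwner(?User $owner): self { $this->owner = $owner; return $this; }
    public function getOrganization(): ?Organization { return $this->organization; }
    public function setOrganization(?Organization $organization): self { $this->organization = $organization; return $this; }
}
```

After adding or changing the attribute, run php bin/console oro:entity-config:update as described above so the entity configuration (and with it the role editor) picks up the new permission set. A useful check is to open the role editor afterwards and confirm that only VIEW, EDIT and DELETE are offered for the entity.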

Protecting controller actions

Declare an ACL resource with the #[Acl] attribute on a controller method, or point a method at a resource declared elsewhere with #[AclAncestor]. The example below reuses the resource acme_demo_favorite_index; that resource must already be declared (with #[Acl] on another action or in the bundle's YAML ACL configuration), otherwise there is nothing for the check to evaluate:
use Oro\Bundle\SecurityBundle\Attribute\Acl;
use Oro\Bundle\SecurityBundle\Attribute\AclAncestor;
use Symfony\Bundle\FrameworkBundle\Controller\AbstractController;
use Symfony\Component\Routing\Annotation\Route;
// plus the import of your Favorite entity class

#[Route(path: '/favorite', name: 'acme_demo_favorite_')]
class FavoriteController extends AbstractController
{
    // Access to the acme_demo_favorite_index resource is checked before the body runs
    #[Route(path: '/', name: 'index')]
    #[AclAncestor('acme_demo_favorite_index')]
    public function indexAction(): array
    {
        // Template parameters rendered by the action's Twig template
        return ['entity_class' => Favorite::class];
    }
}
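The following is an added example, not code from the OroSecurityBundle documentation or the Oro project. It shows the two attributes side by side: #[Acl] declaring an entity-bound resource for VIEW and another for DELETE, and #[AclAncestor] reusing the VIEW resource for a second route so that no extra permission has to be granted (or can be over-granted) for it. The Acme namespace, the Favorite entity, the route names and the ACL ids are assumptions.

```php
<?php
// Added example, not OroSecurityBundle code. Namespace, entity, route names and
// ACL ids are assumptions.

namespace Acme\Bundle\DemoBundle\Controller;

use Acme\Bundle\DemoBundle\Entity\Favorite;
use Doctrine\ORM\EntityManagerInterface;
use Oro\Bundle\SecurityBundle\Attribute\Acl;
use Oro\Bundle\SecurityBundle\Attribute\AclAncestor;
use Symfony\Bundle\FrameworkBundle\Controller\AbstractController;
use Symfony\Component\HttpFoundation\JsonResponse;
use Symfony\Component\Routing\Annotation\Route;

#[Route(path: '/favorite', name: 'acme_demo_favorite_')]
class FavoriteController extends AbstractController
{
    // #[Acl] declares a new resource. type 'entity' + class + permission bind it to
    // VIEW on Favorite: a role needs at least User-level VIEW on Favorite for this
    // action to run, and the resource shows up in the role editor under that name.
    #[Route(path: '/{id}', name: 'view', requirements: ['id' => '\d+'], methods: ['GET'])]
    #[Acl(id: 'acme_demo_favorite_view', type: 'entity', class: Favorite::class, permission: 'VIEW')]
    public function viewAction(Favorite $favorite): JsonResponse
    {
        // The attribute is evaluated before the body. Checking again on the loaded
        // object makes the ownership comparison for this particular record explicit,
        // independent of how $favorite was resolved from the route.
        $this->denyAccessUnlessGranted('VIEW', $favorite);

        return new JsonResponse(['id' => $favorite->getId(), 'title' => $favorite->getTitle()]);
    }

    // #[AclAncestor] reuses the resource declared above instead of creating a second
    // one, so the widget is exactly as visible as the view action and nothing new has
    // to be granted per role.
    #[Route(path: '/widget/{id}', name: 'widget', requirements: ['id' => '\d+'], methods: ['GET'])]
    #[AclAncestor('acme_demo_favorite_view')]
    public function widgetAction(Favorite $favorite): JsonResponse
    {
        $this->denyAccessUnlessGranted('VIEW', $favorite);

        return new JsonResponse(['title' => $favorite->getTitle()]);
    }

    // A destructive action gets its own resource bound to DELETE, and is limited to the
    // DELETE method so a plain GET link cannot trigger it. CSRF protection for
    // state-changing actions is configured separately (see the features list).
    #[Route(path: '/{id}', name: 'delete', requirements: ['id' => '\d+'], methods: ['DELETE'])]
    #[Acl(id: 'acme_demo_favorite_delete', type: 'entity', class: Favorite::class, permission: 'DELETE')]
    public function deleteAction(Favorite $favorite, EntityManagerInterface $em): JsonResponse
    {
        $this->denyAccessUnlessGranted('DELETE', $favorite);
        $em->remove($favorite);
        $em->flush();

        return new JsonResponse(null, JsonResponse::HTTP_NO_CONTENT);
    }
}
```

A practical check after deploying such a controller: log in as a user whose role has User-level VIEW on Favorite and request a record owned by a colleague in another business unit; the request must be denied even though the role has VIEW, because the object-level check compares the record's owner and organization with the user's.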

Manual access checks

Inject Symfony's AuthorizationCheckerInterface (or call isGranted() on the controller) and check access anywhere in your code. The first argument is a permission or an ACL resource id, the second the subject: a class-name descriptor, an entity object, or a field vote. Note the difference between the class-level and object-level forms: a class-level check only tells you whether the user has any access level for the entity, while an object-level check evaluates the record's ownership against the user's access level.
// Check access to an ACL resource declared with #[Acl], by its id
$this->authorizationChecker->isGranted('some_resource_id');

// Check VIEW access to an entity by class name (class level: "can the user view any MyEntity?")
$this->authorizationChecker->isGranted('VIEW', 'entity:' . MyEntity::class);

// Check ASSIGN access to a specific entity object (object level: ownership is evaluated)
$this->authorizationChecker->isGranted('ASSIGN', $myEntity);

// Check VIEW access to a single field of a specific entity object
$this->authorizationChecker->isGranted('VIEW', new FieldVote($entity, $fieldName));
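The following is an added example, not code from the OroSecurityBundle documentation or the Oro project. It puts the manual checks above into a service that reassigns a record to a new owner, where the distinction between a class-level and an object-level check matters: the class-level check is only good enough for deciding whether to show a menu entry, while the change of owner must be guarded by EDIT and ASSIGN checks on the concrete object. The Acme namespace, the Favorite entity and the service name are assumptions; AuthorizationCheckerInterface and AccessDeniedException are Symfony's.

```php
<?php
// Added example, not OroSecurityBundle code. Namespace, entity and service name
// are assumptions; Oro's User entity and Symfony's authorization checker are real.

namespace Acme\Bundle\DemoBundle\Service;

use Acme\Bundle\DemoBundle\Entity\Favorite;
use Oro\Bundle\UserBundle\Entity\User;
use Symfony\Component\Security\Core\Authorization\AuthorizationCheckerInterface;
use Symfony\Component\Security\Core\Exception\AccessDeniedException;

class FavoriteReassigner
{
    public function __construct(
        private readonly AuthorizationCheckerInterface $authorizationChecker,
    ) {
    }

    /**
     * Reassigns a Favorite to a new owner.
     *
     * Both checks are made on the object, not the class, so the voter compares the
     * current user's access level with this record's owner, business unit and
     * organization. EDIT covers the modification itself; ASSIGN is the separate
     * permission that governs changing the owner (the page notes it is evaluated on edit).
     */
    public function reassign(Favorite $favorite, User $newOwner): void
    {
        if (!$this->authorizationChecker->isGranted('EDIT', $favorite)) {
            throw new AccessDeniedException('Not allowed to edit this favorite.');
        }

        // Only consult ASSIGN when the owner actually changes; an unchanged owner is an
        // ordinary edit. Deny by default: any failed check aborts before state changes.
        $ownerChanges = $favorite->getOwner() === null
            || $favorite->getOwner()->getId() !== $newOwner->getId();

        if ($ownerChanges && !$this->authorizationChecker->isGranted('ASSIGN', $favorite)) {
            throw new AccessDeniedException('Not allowed to reassign this favorite.');
        }

        $favorite->setOwner($newOwner);
    }

    /**
     * Decides whether a "Favorites" navigation entry should be rendered at all.
     *
     * The class-level descriptor answers "can this user view any Favorite?". It is the
     * right tool for UI gating, and the wrong one for authorizing access to a specific
     * record: use the object form, as in reassign(), for that.
     */
    public function canListFavorites(): bool
    {
        return $this->authorizationChecker->isGranted('VIEW', 'entity:' . Favorite::class);
    }
}
```

The service is meant to be called from a controller or command after the entity has been loaded; persisting the change (flush) is left to the caller so that the access checks happen before any write. If ASSIGN is not listed in the entity's 'permissions' configuration, the ASSIGN check can never be granted, which is the intended fail-closed behaviour rather than a bug.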

OroSecurityBundle features

ACL Manager

Programmatically read and modify ACL entries for roles and users.

Field ACL

Control visibility and editability of individual entity fields per role.

Custom Listeners

Implement custom security event listeners for specialized access logic.

Access Rules

Define declarative access rules to restrict data retrieval at the ORM level.

Security Headers

Configure HTTP security response headers (CSP, HSTS, X-Frame-Options, etc.).

CSRF Protection

Enable CSRF token validation for state-changing controller actions.

Custom and configurable permissions

Custom Permissions

Configure and apply custom permissions to an entity beyond the default set.

Configurable Permissions

Define permissions that can be toggled on or off via configuration.

Global View Entities

Mark entities that should always be visible regardless of ownership.
