Create New Backend Context User

My site (I’m using ModX 3.03) has several different contexts for different domains. I am trying to create a backend user with access to only that context (named www2). I have read the information I have found online, and each time I try to log in I get Access Denied.

I created the user, then created an ACL Group which contains the contexts web, mgr, www2. I then added the user to the group. The user is “Active”.

What step am I missing?

Does your user have all the required permissions set in the role to log in? If you set the user temporarily as sudo within the user management, are you then able to log in?

If I make them sudo, yes, that user can log in. For Role they are set to Member

Then your member role probably does not have all the required permissions to log in or to view necessary contents. You might have to check through all of the permissions to see what’s missing. I tend to forget frames sometimes, for example.

If you can’t log in to the manager at all, then the user group doesn’t have (enough) permission for the “mgr” context.
In the user group (tab “Access Permissions” → vertical tab “Contexts”) what did you choose as the “Access Policy” for the “mgr” context?

I chose Member. I figured anything above that would give super user access.

Are you talking about the role?
I was more interested in the “Access Policy”!

(In my limited understanding it’s best to “ignore” the role. It just makes matters even more complicated.)

Sorry. Member is the role. Content Editor is the policy.

The access policy “Content Editor” should have the permission enabled to access the manager GUI.
Did you check in “Access Control Lists” → tab “Access Policies” if the checkbox for frames is checked in the “Content Editor” policy?

Yes, frames is checked.

I really don’t know what else the problem could be.

When I test it, a user group with only this Context Access

is enough to at least be able to log in to the manager (when the user is added to the group in the tab “Users”). The user can’t do much in the manager, but is able to log in.

Thanks for trying. I really appreciate it. I’m the IT Director for local government. You would think I could figure out an ACL entry.

Don’t be too hard on yourself, ACLs are tricky sometimes. What you could also do is kind of reverse engineer it by creating your own policy. To do this, duplicate the Administrator policy template (so you have all the permissions) and then check what you can disable until your user is not able to log in anymore and compare this with the settings in your original policy.

Thanks vibedesign! I took your advice and copied the Administrator policy and finally started to get things to work. For this policy, I’m restricting a user so really all they can do is update a file. I’m getting real close, but when the user goes to save the file, it says permission denied. When updating a text file in a media resource, which permission setting allows saving? I can’t find it.

I figured it out! Thank you to everyone who responded. Your assistance was GREATLY appreciated.


Hey, @leemchildress. I’m so glad you figured it out. I wonder if you might be able to share what the last piece(s) of the puzzle was for folks who might have a similar problem in the future?

Sorry. I had to edit the permission of the user group on the Media Source and elevate the group from Member to Super User.

No need to apologize. That’s helpful. It’s nice to create a complete solution where possible. This is why we still have our old forums up. :smile:
