Work has begun on the access control list (ACL) enhancement initiative. With the analysis and research phases complete, we now have an initial set of insights to draw on. Next up is finalizing the scope with the TYPO3 Core Team and then starting the implementation. Read on for the full update.

As many of you may know, last year, our team at Macopedia proposed a budget idea for enhancements in the access management system of TYPO3. This proposal was accepted for implementation in the first quarter of 2024 following a voting process, allowing us to commence our work. However, before diving into the code modifications, we needed to undertake several essential preparatory steps. Let's explore what has been accomplished so far and where we currently stand with our efforts.

Phase 1: Technical Analysis of the Current Implementation of ACLs in TYPO3

When we proposed the idea, we had several areas for improvement in mind. Although we were familiar with the general concept of ACLs in TYPO3, we aimed to conduct a more in-depth technical investigation to understand the underlying implementation. To this end, we began by analyzing the code, compiling technical documentation for future reference, and undertaking various other research activities. Our goal was to find answers to the following questions:

  • What do you get just after installation?
  • Does the Introduction Package or the Bootstrap Package set any default permissions?
  • What are the common challenges encountered when setting permissions?
  • What steps are required to set up permissions immediately after installation?
  • Are there any documented best practices?
  • Are there any ready-to-use groups?
  • How is ACL maintained during website development?
  • How are permissions set for Workspaces?
  • Are there any community extensions that extend or improve ACL management?

As a result of this research, we have compiled a document summarizing everything from the analysis phase.

Phase 2: Outline the MVP for the ACL Improvements

As a second step, we drafted the minimum viable product (MVP) for the budget idea. This draft was based on our initial discussion at the end of 2023 (before submitting the idea proposal), and the result of the research described above. 

For Q1 2024, we want to:

  • Update documentation to describe best practices for setting ACLs, possibly including a tutorial within the TYPO3 backend.
  • Create default backend user groups that can be created during the installation process.
  • Assign default groups to newly created pages.

Given our limited timeframe for more complex changes in Q1, we have outlined some ideas for Q2 which include:

  • Deployable permission sets.
  • UI/UX enhancements in the backend module for better management of ACLs, including an improved overview of backend users and groups.
  • Enable extension developers to define configuration presets for their features, which can then be manually applied to backend user groups.
  • Implement a notification mechanism to alert administrators about new permissions available for configuration or updates.

We will submit these initiatives for upcoming budget ideas in 2024.

Phase 3: Gather Feedback From the Community

After drafting our proposed changes, we decided to seek feedback from the vibrant TYPO3 community. This step ensures that the direction of our changes aligns with the needs and desires of developers and agencies, confirming that our efforts are both valuable and supported.

We created a poll titled TYPO3 ACL - Setup Experience Survey, comprising a total of 16 questions. The survey was announced on January 23, 2024, through the Access Control List Usage and Improvements — Community Survey blog post on the typo3.org website, as well as on various social media channels. We asked respondents to share their level of experience with TYPO3, describe their typical projects in terms of ACL management, and outline the challenges they encounter in this area. We also asked them to highlight the good practices they adhere to, and identify potential areas for improvement.

A summary of the results is included in this article. Read on to see the insights we gathered.

Next Steps: Establishing the Scope

Now that we have gathered feedback from the community and understand the challenges developers typically encounter when managing ACLs in TYPO3, we are set to finalize the MVP version for Q1. Additionally, we are likely to submit proposals for the Q2 budget to continue with the changes.

The extent of the changes we plan to implement in Q1 will be discussed with members of the TYPO3 Core team. We aim to schedule a meeting with Core team members to review the survey results, propose our changes, and ultimately agree on the MVP scope that will be implemented.

As we are progressing with two ideas that were approved for Q1, we are adhering to our internal schedule. Below is the plan for the ACL improvements in the upcoming weeks:

Plan

  • Schedule a call with Core team members. We would like to share our insights and our proposals for the scope of the improvements. We will prepare documents based on the survey results and internal research to serve as an entry point for discussion. Based on feedback from Core team members, we want to define the scope of changes to implement. The result of this meeting will be the MVP scope.
  • MVP Implementation phase
  • Code review and feedback from Core team on MVP
  • Final fixes and changes based on feedback from Core team
  • Blog post about the budget idea summarizing the whole work

Summary of the TYPO3 ACL — Setup Experience Survey

The community survey ran from 23 January to 1 February, 2024. After closing it, we began analyzing the results, which included responses from 69 participants representing various agencies and end users. Here we share some key highlights.

Experience Level and Ease of ACL Setup

Firstly, we asked participants to share their level of experience with TYPO3. Of those, 88.4% indicated they have an advanced level of expertise, while 11.6% described their experience level as intermediate. Based on this, we can confidently infer that the feedback received largely comes from highly experienced users who have been working with TYPO3 for a long time and are well-acquainted with it. This means we also need to acknowledge that our feedback does not adequately cover the perspectives of new users who are just starting with TYPO3.

Next, we asked respondents to rate on a scale from 1 (very difficult) to 5 (very easy) how straightforward they find the process of setting permissions in TYPO3. The two most common responses were that 40.6% found it difficult (rating it a 2) and 39.1% thought it was normal (rating it a 3). Additionally, 15.9% of respondents considered it easy (rating it a 4), while the extreme values together accounted for 4.3% (with 1.4% rating it very difficult (1) and 2.9% finding it very easy (5)). These results indicate that the current process is not among the simplest and could benefit from some improvements.

Roles, Projects, and Process

Next, we aimed to collect feedback on the systems and projects with which users and agencies are involved. These results are presented in the form of charts. It's important to note that we created custom ranges to group the answers effectively, given the diversity of responses received.