Persistence ACL feature overview

Edit on GitHub

With the Persistence ACL feature, you can manage authorization at the database entity level, or even within a set of entities or segments. This feature enables a flexible system of inheritance of rights, simplifying the configuration of access.

Persistence ACL runs in the Persistence layer, as its name suggests.


The module is based on the Propel ORM (namely Propel Behavior and Propel Hooks). If you are not using PropelOrm to interact with data in your system, this module will not work.

How it works

Persistence ACL supports permission checks both when executing queries and when performing actions on Active Record models. Upon installation and configuration, code is injected into the Active Record model and Query classes that check the user’s permissions for the appropriate actions. This module uses Propel hooks.

The module in application layers


If you execute queries outside of Propel API, they WILL NOT be handled by Persistence ACL.

During model operations, the following hooks are used:

  • preInsert

  • preUpdate

  • preDelete

Query execution is performed using the following hooks:

  • preSelectQuery

  • preUpdateQuery

  • preDeleteQuery

A query sent to the database is intercepted and modified with additional joins to limit the results of the query to only those records available to the current user. If the user attempts to perform a restricted action on an Active Record model (such as updating, deleting, or creating), then \Spryker\Zed\AclEntity\Persistence\Exception\OperationNotAuthorizedException is thrown.

Learn more

Install the ACL feature Persistence ACL feature configuration HowTo: Split products by stores
Execution flow
Rules and scopes
Global scope
Segment scope
Inherited scope
Composite entity