
Adding Permissions To Magento 2 Admin Elements

Jun 10 '16

Magento 2 offers a robust permissions-based role system for administrator users, allowing the creation of various admin roles with different functionality available to them in the admin interface. While this system provides a good way to limit admin user access to major parts of the application, occasionally the need arises to control more granular functionality with admin roles. Luckily the Magento 2 dependency injection system makes this an easy task. This example hides the Gift Cards field on the create order page from every admin who has not been granted the relevant permission.

Identify The Block

The first step is identifying the core block used to render the functionality that needs to be altered. In the case of the create order gift card field, this block lives in Magento\GiftCardAccount\Block\Adminhtml\Sales\Order\Create\Payment, and this is the block we'll override to add our permissions check.

Create A Module

Create a new empty Magento module to contain the changes to be made, along with the needed registration.php and etc/module.xml files. For this example we'll use TAG\AdminPermissions.

Extend The Block

Create a new class in the module to extend the correct block (here we create Block/Adminhtml/Order/Create/GiftCardPayment.php), and inject the Magento Authorization service into the block's constructor. That service can then be used by the block for checking if the current user is granted a particular permission, and altering the output of the block accordingly. For the Gift Card block, we'll check that the user has the Magento_GiftCardAccount::customer_giftcardaccount permission (though additional custom permissions can be added by your module as well). If the user is not granted that permission, we'll display a blank template instead of the regular template:

<?php
namespace TAG\AdminPermissions\Block\Adminhtml\Order\Create;

use Magento\Framework\AuthorizationInterface;
use Magento\GiftCardAccount\Block\Adminhtml\Sales\Order\Create\Payment;

/**
 * GiftCardPayment
 */
class GiftCardPayment extends Payment
{
    /**
     * Gift Card Account Permission
     * @const GIFT_CARD_ACCOUNT
     */
    const GIFT_CARD_ACCOUNT = 'Magento_GiftCardAccount::customer_giftcardaccount';

    /**
     * Role Authorizations Service
     * @var AuthorizationInterface $_authorization
     */
    protected $_authorization;

    /**
     * Constructor
     * @param \Magento\Framework\View\Element\Template\Context $context
     * @param \Magento\GiftCardAccount\Helper\Data $giftCardAccountData
     * @param \Magento\Sales\Model\AdminOrder\Create $orderCreate
     * @param \Magento\Framework\AuthorizationInterface $authorization
     * @param array $data
     */
    public function __construct(
        \Magento\Framework\View\Element\Template\Context $context,
        \Magento\GiftCardAccount\Helper\Data $giftCardAccountData,
        \Magento\Sales\Model\AdminOrder\Create $orderCreate,
        \Magento\Framework\AuthorizationInterface $authorization,
        array $data = []
    ) {
        $this->_authorization = $authorization;
        parent::__construct($context, $giftCardAccountData, $orderCreate, $data);
    }

    /**
     * getTemplate
     * {@inheritDoc}
     * @return string
     */
    public function getTemplate()
    {
        if ($this->_authorization->isAllowed(self::GIFT_CARD_ACCOUNT)) {
            return parent::getTemplate();
        }
        // Permission not granted: render the module's empty template instead
        return 'TAG_AdminPermissions::blank.phtml';
    }
}

Configure The DI Container

Now that we've created an extension for the block, we need to tell Magento 2 to enable it by configuring the dependency injection settings for our module. This is done in etc/di.xml:

<?xml version="1.0" encoding="UTF-8"?>
<config xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:noNamespaceSchemaLocation="urn:magento:framework:ObjectManager/etc/config.xsd">
    <preference for="Magento\GiftCardAccount\Block\Adminhtml\Sales\Order\Create\Payment" type="TAG\AdminPermissions\Block\Adminhtml\Order\Create\GiftCardPayment"/>
</config>

Add A Blank Template

The final small step to get everything working is to make sure that our module provides a template file for the blank.phtml template we set to hide the content (or else Magento will log errors while attempting to render it). This can be an empty / blank file added at view/adminhtml/templates/blank.phtml.


After adding the new module, be sure that it's been activated by Magento and clear your caches. You should now be able to log in with your limited-role admin account and confirm that the Gift Card field no longer appears on create order. Keep in mind that the check sits in getTemplate(), so it controls what the block renders. Almost any part of the Magento interface can be controlled using this method.
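
The "Extend The Block" step mentions that a module can add its own permissions. The following etc/acl.xml is an added example, not part of the original module: it declares a dedicated resource so that seeing the gift card field on create order can be granted separately from Magento_GiftCardAccount::customer_giftcardaccount. The resource id TAG_AdminPermissions::order_create_giftcard, its title and its sort order are hypothetical.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- etc/acl.xml for the TAG_AdminPermissions module (added example) -->
<config xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
        xsi:noNamespaceSchemaLocation="urn:magento:framework:Acl/etc/acl.xsd">
    <acl>
        <resources>
            <!-- Magento_Backend::admin is the root of the admin ACL tree -->
            <resource id="Magento_Backend::admin">
                <!-- Existing Sales node, repeated here so the new resource
                     is merged underneath it in the Role Resources tree -->
                <resource id="Magento_Sales::sales">
                    <!-- Hypothetical resource id, title and sort order -->
                    <resource id="TAG_AdminPermissions::order_create_giftcard"
                              title="Apply Gift Cards On Admin Orders"
                              sortOrder="100"/>
                </resource>
            </resource>
        </resources>
    </acl>
</config>
```

Point the block's GIFT_CARD_ACCOUNT constant at the new id, then grant the resource to the roles that should see the field; roles limited to custom resources do not have it until it is granted.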