BackendMenu
RC 2
This is the documentation for the AAM 7.0.0-rc.2 release. We are actively working on the documentation, which may change before the stable release announcement.
Syntax
BackendMenu:<slug>
BackendMenu:* - Premium Feature
Definition
The WordPress core does not have a true concept of a unique menu ID. The uniqueness of each menu or submenu item is determined by its URI (e.g. edit.php?post_type=page or options-reading.php).
To find the correct menu item identifier, navigate to the Backend Menu tab, where each menu item includes a "more details" link. The Slug attribute is the one that you should use with the BackendMenu resource.
The following statement hides and denies direct access to the "Tools->Import" page.
{
  "Statement": [
    {
      "Effect": "deny",
      "Resource": "BackendMenu:import.php"
    }
  ]
}
When you need to restrict access to a whole menu item with all its sub-items (e.g. "Plugins" or "Appearance"), prepend the menu/ prefix to the menu ID. In the example statement below, we deny access to see or manage the "Plugins" menu with all submenus.
{
  "Statement": [
    {
      "Effect": "deny",
      "Resource": [
        "BackendMenu:menu/plugins.php"
      ]
    }
  ]
}
FYI!
AAM restricts direct access to a page linked to the protected menu item.
With the premium add-on we also added the ability to use the wildcard * denotation to target the entire menu or menu items that match a specific pattern. It is helpful when you need to grant access only to a few menu items and ensure that if a new or existing plugin introduces a new menu, it is protected unless you explicitly allow it.
For instance, the statement below restricts access to all the menu items except "Posts".
{
  "Statement": [
    {
      "Effect": "deny",
      "Resource": [
        "BackendMenu:*"
      ]
    },
    {
      "Effect": "allow",
      "Resource": [
        "BackendMenu:menu/edit.php"
      ]
    }
  ]
}
Note!
AAM does not allow restricting access to the "Dashboard" menu /wp-admin/index.php because it is the default redirect page for all users after login. To completely restrict access to the entire backend area, consider locking down the backend area.
Sometimes, you may need to manage access to menu items that share a common URI pattern. For example, all post types (including custom post types) use the same edit.php page, differing only by the post_type query parameter. The URI edit.php?post_type=page directs to the admin section for managing pages, while edit.php?post_type=product leads to the product management area for a custom post type.
The following policy restricts access to all backend menu items except those related to managing custom post types:
{
  "Statement": [
    {
      "Effect": "deny",
      "Resource": [
        "BackendMenu:*",
        "BackendMenu:menu/edit.php?post_type=page"
      ]
    },
    {
      "Effect": "allow",
      "Resource": "BackendMenu:menu/edit.php?post_type=*"
    }
  ]
}
Key points about this policy:
- The BackendMenu:menu/edit.php?post_type=page resource is explicitly denied, even though BackendMenu:* is already specified. This is necessary because the second statement allows access to all URIs matching menu/edit.php?post_type=*, including the pages URI.
- Backend menu URIs are prefixed with menu/ to ensure access restrictions apply to the entire menu item and its subitems. Without this prefix, the restriction would apply only to the list of custom post types, not the menu itself.
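To check what a wildcard policy like the one above does before deploying it, the following added example (not AAM's own code) evaluates BackendMenu statements against a list of menu IDs and shows the effect of leaving out the explicit deny for Pages. It assumes a precedence model inferred from the policies on this page: an exact resource outranks a wildcard, and among wildcards the longer pattern wins. The ID menu/edit.php?post_type=product is a constructed example of a custom post type menu.

```python
import json
import re

PREFIX = "BackendMenu:"

def _compile(pattern):
    # "*" is the only wildcard; every other character (including "?") is literal.
    return re.compile(".*".join(re.escape(part) for part in pattern.split("*")))

def effective_access(policy_json, menu_ids):
    """Map each menu ID to 'allow', 'deny' or 'unrestricted' (no statement matches)."""
    rules = []
    for stmt in json.loads(policy_json)["Statement"]:
        res = stmt["Resource"]  # may be a single string or a list
        for r in ([res] if isinstance(res, str) else res):
            if r.startswith(PREFIX):
                pat = r[len(PREFIX):]
                rules.append((pat, _compile(pat), stmt["Effect"].lower()))
    result = {}
    for menu_id in menu_ids:
        best, effect = None, "unrestricted"
        for pat, rx, eff in rules:
            if not rx.fullmatch(menu_id):
                continue
            # Assumed precedence: exact beats wildcard, then longer pattern wins;
            # on a tie the later statement wins (also an assumption).
            rank = ("*" not in pat, len(pat))
            if best is None or rank >= best:
                best, effect = rank, eff
        result[menu_id] = effect
    return result

def policy(deny_resources):
    # The custom-post-type policy from this page, with a configurable deny list.
    return json.dumps({"Statement": [
        {"Effect": "deny", "Resource": deny_resources},
        {"Effect": "allow", "Resource": "BackendMenu:menu/edit.php?post_type=*"},
    ]})

MENUS = ["menu/edit.php", "menu/edit.php?post_type=page",
         "menu/edit.php?post_type=product",  # constructed custom post type ID
         "menu/plugins.php", "menu/users.php"]
WITH_DENY = effective_access(
    policy(["BackendMenu:*", "BackendMenu:menu/edit.php?post_type=page"]), MENUS)
WITHOUT_DENY = effective_access(policy(["BackendMenu:*"]), MENUS)

if __name__ == "__main__":
    for m in MENUS:
        print(f"{m:34} with={WITH_DENY[m]:6} without={WITHOUT_DENY[m]}")
```

Under this model, dropping the explicit deny changes only the Pages entry from deny to allow; every other menu keeps the same result.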
Common Menu IDs
Below you can find the list of the most common admin menu item IDs.
- Posts: menu/edit.php
- Media: menu/upload.php
- Pages: menu/edit.php?post_type=page
- Comments: menu/edit-comments.php
- Appearance: menu/themes.php
- Plugins: menu/plugins.php
- Users: menu/users.php
- Tools: menu/tools.php
- Settings: menu/options-general.php