UserPoints uses Joomla's standard Access Control List (ACL) system. Permissions are configured in Components → UserPoints → Configuration → Permissions.
Each permission can be set to Inherited, Allowed, or Denied for any Joomla user group. Permissions set at the component level override the global Joomla defaults, and a Denied setting always wins over an Allowed setting from a parent group.
These two permissions are shared across all Joomla extensions:
| Permission | What it controls |
|---|---|
| Configure (core.admin) | Full access to all UserPoints backend functions, including configuration. Grant only to trusted administrators. |
| Access Administration Interface (core.manage) | Access to the UserPoints administrator backend. Users with this permission can see the component in the backend but are further restricted by the permissions below. |
| Permission | What it controls |
|---|---|
| Rules (core.rules) | Create, edit, publish, and delete point rules. |
| Users (core.users) | View and edit user point balances, run sync and recalculate. |
| Activity (core.activity) | View, approve, combine, and archive activity records. |
| Invitation Templates (core.templatesinvite) | Create and edit invitation email templates. |
| Categories (core.categories) | Manage rule categories. |
| Plugins (core.plugins) | View the installed plugins list. |
| Permission | What it controls |
|---|---|
| User Sync (core.usersynch) | Run the user synchronisation tool. |
| Recalculate (core.recalculate) | Recalculate all user point balances from the activity log. |
| Set Max Points (core.setmaxpoints) | Set per-user maximum point ceilings. |
| Reset All Points (core.resetallpoints) | Reset every user's balance to zero. Grant with care — this is irreversible. |
| Purge Expired Points (core.purgeexpiredpoints) | Delete activity records past their expiry date. |
| Combine Activities (core.combineactivities) | Merge multiple activity records into summary records. |
| Auto-Detect Plugins (core.autodetectplugins) | Scan installed plugins and create missing rule definitions. |
| Permission | What it controls |
|---|---|
| Coupon Codes (core.couponcodes) | Create, edit, and delete coupon codes. |
| Raffles (core.raffles) | Create and manage raffles, draw winners. |
| Permission | What it controls |
|---|---|
| View Statistics (core.viewstats) | Access the Statistics admin pages. |
| Export Active Users (core.exportactiveusers) | Download the active users CSV export. |
| Export Emails (core.exportemails) | Download the email address CSV export. |
| Report System (core.reportsystem) | Run the system diagnostics report. |
| Permission | What it controls |
|---|---|
| Level Rank (core.levelrank) | Create and manage ranks, medals, and levels. |
Grant core.admin to the Super Users group and core.manage plus all specific permissions to the Administrator group. Leave all other groups at Inherited (which defaults to Denied for component-level permissions).
Create a custom Joomla user group (e.g. "Points Manager") and grant:
core.manage — backend accesscore.users — view and adjust balancescore.activity — view and approve activitiescore.couponcodes — create promotionscore.viewstats — view reportsDo not grant core.admin, core.resetallpoints, or core.exportemails to this group.
Grant only core.manage and core.viewstats. The user can log in to the backend and view statistics but cannot modify any data.
After saving permission changes, Joomla rebuilds the ACL immediately. Affected users will see the updated permissions on their next page load or after logging out and back in.