For large sites with large numbers of users, permissions can become a difficult issue.
One common situation is that site owners want to allow some users to control the permissions of other users.
In this tutorial, I'll show you Drupal's default user control permissions. Then I'll show you 5 modules for creating more sophisticated user control permissions.
Default User Control Permissions
By default, Drupal has two permissions that allow you to modify other people's accounts:
- Administer permissions: this gives full access to change the permissions for every user role. You get access to the "Permissions" tab as shown below.
- Administer users: this gives full access to change the account details for every user. You get access to the "List" tab as shown below.
In short, Drupal is not kidding when it says "this permission has security implications."
#1. Administer Users by Role
- Administer Users by Role: https://drupal.org/project/administerusersbyrole
Administer Users by Role allows to decide which roles can edit which other roles. For each role, you get 4 permissions:
- Edit users with this role
- Edit users with this role and others
- Cancel users with this role
- Cancel users with this role and others
It also allows you to control the important permission, Create new users.
One thing this module doesn't allow you to control whether people can move users from role to another.
If you try to edit a user who you don't have permission to edit, you'll see this message:
- RoleAssign: https://drupal.org/project/roleassign
The RoleAssign module is relatively straightforward and easy to set up. There is only one permissions provided by this module, the ability to assign roles:
Here's how RoleAssign works. Once it's enabled, click on teh People menu link and you'll see a Role Assign link in the top-right corner.
In this Role assign area, you can choose which roles can be given out to other users. In the example below I'm allowing people to give out the administrator role. I don't recommend trying this on a live site:
When you create or edit a user, you'll now see a box labeled Assignable roles:
#3. Role Delegation
- Role delegation: https://drupal.org/project/role_delegation
Role Delegation is very, very similar to RoleAssign.
This module allows site administrators to grant some roles the authority to assign selected roles to users, without them needing the administer permissions permission.
#4. User Settings Access
- User Settings Access: https://drupal.org/project/user_settings_access
User Settings Access has a slightly confusing name which is a carryover from Drupal 6. The actual name of the module for Drupal 7 should be Account Settings Access
This module controls access to the Configuration > Account settings page which is located at /admin/config/people/accounts. Normally, permission to access this page is contained within the "Administer users" permissions. However, as we saw at the beginning of the article, "Administer users" allows you to everything about all users.
The User Settings Access module adds a specific permission only for this Account settings page. Here are the two permissions:
- Administer account settings: This controls whether someone has access to the Account settings page.
- Administer Administrator Role: This controls whether people have access to box "Administrator role" in the screen below.
- Subuser: https://drupal.org/project/subuser
- Relation: https://drupal.org/project/relation
- Views: https://drupal.org/project/views
- Chaos Tools: https://drupal.org/project/ctools
- Views Bulk Operations: https://drupal.org/project/Views_bulk_operations
As you can tell from the number of modules involved, Subuser is a significantly more powerful and complicated module than any of the others we've looked at so far.
Subuser also does something more sophisticated than the other modules we've looked at. Subuser allows you to create users and then have permission to manage them.
With the Subuser module you're creating “parent” and “child” users. For example, an “Chief Editor” might create an “author” or a “Site Manager” might create a “intern”.
Here are the permssions provided by Subuser:
However, I'll admit that I had a hard time trying to whip this module into shape. It's only available in Alpha for Drupal 7, it's used on less than 450 sites.
There were several bugs out-of-the-box. For example, if you see an error message that says "missing style plugin in views". go to Settings > Views > edit the Subuser view > Choose a format for the view. That solves an message about a missing style plugin in views.
It also got me to the point where I could see the intent of the module. On user profile pages, there was now a Subusers tab:
Click on that tab and you can see the subusers assigned to you. The Add user link is here too.
However, those subusers were showing for everyone. Inside Views there seems to have been a relationship but now it's marked Broken/missing handler. A possible solution seems to be here, but I couldn't get it to work: https://drupal.org/node/1241934
All in all, Subuser is a potentially promising and powerful module, but there have been no updates for over a year and you'll probably need to do quite a lot of troubleshooting to make it work.