
For large sites with large numbers of users, permissions can become a difficult issue.

One common situation is that site owners want to allow some users to control the permissions of other users.

In this tutorial, I'll show you Drupal's default user control permissions. Then I'll show you 5 modules for creating more sophisticated user control permissions.

Default User Control Permissions

By default, Drupal has two permissions that allow you to modify other people's accounts:

media_1376597869241.png
  • Administer permissions: this gives full access to change the permissions for every user role. You get access to the "Permissions" tab as shown below.
  • Administer users: this gives full access to change the account details for every user. You get access to the "List" tab as shown below.

In short, Drupal is not kidding when it says "this permission has security implications."

media_1376599433604.png
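A quick way to see who currently holds these two permissions is to query the role tables directly. The following is an added example, not code from the original tutorial: it assumes Drupal 7's core `users`, `role`, `role_permission` and `users_roles` tables, uses constructed sample data in an in-memory SQLite database so it runs offline, and treats a role named "administrator" as the only expected holder.

```python
import sqlite3

# Machine names of the two core permissions discussed above (Drupal 7).
SENSITIVE = ("administer permissions", "administer users")

# rid 1 (anonymous) and rid 2 (authenticated) are implicit roles with no
# users_roles rows, so their holder counts are computed separately.
AUDIT_SQL = """
SELECT r.name, rp.permission,
       CASE r.rid
         WHEN 1 THEN -1   -- anonymous visitors: not countable
         WHEN 2 THEN (SELECT COUNT(*) FROM users WHERE uid > 0)
         ELSE (SELECT COUNT(*) FROM users_roles ur WHERE ur.rid = r.rid)
       END AS holders
FROM role_permission rp
JOIN role r ON r.rid = rp.rid
WHERE rp.permission IN (?, ?)
ORDER BY r.rid, rp.permission
"""

def build_sample_db():
    """Constructed sample data, laid out like a small Drupal 7 site."""
    db = sqlite3.connect(":memory:")
    db.executescript("""
    CREATE TABLE users (uid INTEGER PRIMARY KEY, name TEXT);
    CREATE TABLE role (rid INTEGER PRIMARY KEY, name TEXT);
    CREATE TABLE role_permission (rid INTEGER, permission TEXT, module TEXT);
    CREATE TABLE users_roles (uid INTEGER, rid INTEGER);
    INSERT INTO users VALUES (0,''),(1,'admin'),(2,'alice'),(3,'bob'),(4,'carol');
    INSERT INTO role VALUES (1,'anonymous user'),(2,'authenticated user'),
                            (3,'administrator'),(4,'editor');
    INSERT INTO role_permission VALUES (3,'administer permissions','user'),
      (3,'administer users','user'),(4,'administer users','user'),
      (4,'access content','node'),(2,'access content','node');
    INSERT INTO users_roles VALUES (1,3),(2,4),(3,4);
    """)
    return db

def audit(db):
    """Return (role, permission, holder_count) for each sensitive grant."""
    return db.execute(AUDIT_SQL, SENSITIVE).fetchall()

def findings(rows):
    """Flag grants outside the 'administrator' role for review."""
    return [(role, perm, n) for role, perm, n in rows if role != "administrator"]

if __name__ == "__main__":
    for role, perm, n in audit(build_sample_db()):
        print(f"{role:20} {perm:25} holders={n}")
```

On a real site the same query can be run against the site database; account uid 1 bypasses permission checks in Drupal 7, so it holds both permissions regardless of what the role tables say.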

#1. Administer Users by Role

Modules required:

Administer Users by Role allows you to decide which roles can edit which other roles. For each role, you get 4 permissions:

  • Edit users with this role
  • Edit users with this role and others
  • Cancel users with this role
  • Cancel users with this role and others

It also allows you to control the important permission, Create new users.

media_1376685200387.png

One thing this module doesn't allow you to control is whether people can move users from one role to another.

If you try to edit a user who you don't have permission to edit, you'll see this message:

media_1376685604832.png

#2. RoleAssign

Modules required:

The RoleAssign module is relatively straightforward and easy to set up. There is only one permission provided by this module, the ability to assign roles:

media_1376602881559.png

Here's how RoleAssign works. Once it's enabled, click on the People menu link and you'll see a Role Assign link in the top-right corner.

media_1376602758641.png

In this Role assign area, you can choose which roles can be given out to other users. In the example below I'm allowing people to give out the administrator role. I don't recommend trying this on a live site:

media_1376602788866.png

When you create or edit a user, you'll now see a box labeled Assignable roles:

media_1376602843002.png

#3. Role Delegation

Modules required:

Role Delegation is very, very similar to RoleAssign.

This module allows site administrators to grant some roles the authority to assign selected roles to users, without them needing the administer permissions permission.

role-delegation

#4. User Settings Access

Modules required:

User Settings Access has a slightly confusing name which is a carryover from Drupal 6. The actual name of the module for Drupal 7 should be Account Settings Access.

This module controls access to the Configuration > Account settings page, which is located at /admin/config/people/accounts. Normally, permission to access this page is contained within the "Administer users" permission. However, as we saw at the beginning of the article, "Administer users" allows you to change everything about all users.

The User Settings Access module adds a specific permission only for this Account settings page. Here are the two permissions:

media_1376599981588.png
  • Administer account settings: This controls whether someone has access to the Account settings page.
  • Administer Administrator Role: This controls whether people have access to the "Administrator role" box in the screen below.
media_1376599959282.png

#5. Subuser

Modules required:

As you can tell from the number of modules involved, Subuser is a significantly more powerful and complicated module than any of the others we've looked at so far.

Subuser also does something more sophisticated than the other modules we've looked at. Subuser allows you to create users and then have permission to manage them.

With the Subuser module you're creating “parent” and “child” users. For example, a “Chief Editor” might create an “author” or a “Site Manager” might create an “intern”.

Here are the permissions provided by Subuser:

media_1376600984917.png

However, I'll admit that I had a hard time trying to whip this module into shape. It's only available in Alpha for Drupal 7, and it's used on fewer than 450 sites.

There were several bugs out-of-the-box. For example, if you see an error message that says "missing style plugin in views", go to Settings > Views > edit the Subuser view > Choose a format for the view. That solves a message about a missing style plugin in views.

It also got me to the point where I could see the intent of the module. On user profile pages, there was now a Subusers tab:

media_1376687825013.png

Click on that tab and you can see the subusers assigned to you. The Add user link is here too.

media_1376687844894.png

However, those subusers were showing for everyone. Inside Views there seems to have been a relationship but now it's marked Broken/missing handler. A possible solution seems to be here, but I couldn't get it to work: https://drupal.org/node/1241934

All in all, Subuser is a potentially promising and powerful module, but there have been no updates for over a year and you'll probably need to do quite a lot of troubleshooting to make it work.


About the author

Steve is the founder of OSTraining. Originally from the UK, he now lives in Sarasota in the USA. Steve's work straddles the line between teaching and web development.