When creating a site that will allow users to log in, it is a great idea to also restrict what users can and cannot do once logged in. This is where user roles and permissions come in.
This article looks at what comes with a standard Drupal install in regard to users, roles and permissions, then at how easy it is to add a role and give the new role permissions. Finally we take a quick look at users and how to add roles to a user.
But why would you want to use permissions and restrict users?
When setting up a new site, it may seem like a hassle to set up users and grant roles. Why not just add users and be done with it? Below are two good reasons why it is worth thinking about restricting users when setting up a site.
- Allowing full access to configuration settings is a security risk. Even if you trust your users not to add malicious code, they could unknowingly change settings that allow others to add malicious code. Or their username and password might be shared or stolen, giving bad actors everything that account is allowed to do.
- De-clutter the interface to make users' lives happier. As well as being unsafe, giving users open access to the site makes for a worse user experience. Only want someone to add and edit their own content? Set up a role for that. Have some users that are editors or moderators? Then grant them slightly more access. The main goal is to keep the UI clean and free of functionality that is unnecessary for the job at hand.
Okay, now that we know why setting up restricted roles is a good idea, let's have a look at how this is done in Drupal.
Drupal Roles
The first thing we will look at is the roles page. This can be found in the administration section using the Manage link in the toolbar.
Manage > People > Roles
/admin/people/roles
If you are new to Drupal, I suggest you add the admin toolbar module, as it gives you easier access to administration tasks by providing dropdown menus.
You will see there are 4 roles.
There is an administrator role. This should only be used by developers and site-builders, as it gives full control over the site configuration. Most of the configuration only needs to be touched when setting up or modifying functionality.
The other 3 roles are content editor, authenticated user and anonymous user. You can check the permissions for the roles on the permissions page, which is easily accessed using the Permissions tab.
If you check out the permissions page, you will see what things each role can do. I say things, but these are called permissions.
You will see that the roles have progressively more permissions as you move from anonymous user through to administrator.
The 4 provided roles are a great starting point and if you have just set up a site you probably don't need to change anything.
That said, if you intend on having content editors and also content creators, you may want to set up a fifth role.
The content editor role can only edit its own content, amongst other things. So adding a role that can edit anyone's content may be a good idea.
Note: If you plan on developing a site that has a content creation and publishing workflow, there are other modules you may want to explore that provide content moderation and workflow management. The Content Moderation and Workflows modules ship with Drupal core; you can find and enable them on the Extend page of the administration section of your Drupal site. You may want to add some custom modules as well. Please check the getting started with content moderation (coming soon) article for more information.
Creating a New Role
Creating a new role is easy.
- Click on the Add role button. (See above top image.)
- Add the role name. The machine name is generated from it automatically, though you can edit it; it is the name you will see in exported configuration and in code.
That's it, you now have a new role. Next you need to add the permissions.
Changing or Adding Permission for a Role
To change the permissions for a role, visit the permissions page. You will want to add permissions to new roles when setting them up, as a new role starts with none.
When granting permissions to a role, grant only the permissions that are strictly necessary (the principle of least privilege). You can always add more later if they turn out to be needed; taking permissions away from people who have got used to them is much harder.
For each permission there is a title and description telling you what it allows. For content types (nodes) you have a slew of permissions, from view to create to edit own to edit any. These fine-grained permissions are one of the strengths of Drupal, and they can all be managed in the UI.
You will also notice that some permissions say to grant them to trusted roles only. Administer block content, for example, carries this warning: Warning: Give to trusted roles only; this permission has security implications. View, edit and delete all block content regardless of permission restrictions. I would heed this advice: a permission flagged like this can usually be turned into full control of the site, so it belongs only on roles you would trust with the administrator role.
Other times you may want to change or add permissions to a role are when creating a new content or entity type or when adding a new module. When adding a new module, you will usually be advised that permissions need to be set up. Remember that the administrator role is automatically granted every permission, including those provided by newly enabled modules, which is another reason to keep that role to developers and site-builders.
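The same role set-up can be scripted, which is handy when you want the role to come with your deployment rather than be clicked together on each site. The script below is an added example, not code from the article or from Drupal itself. It assumes a standard-profile site (so the article and page content types exist), a hypothetical role machine name content_manager, and that you run it with drush php:script. It applies the two rules above in code: it refuses permissions Drupal does not know about, and it refuses the ones flagged "Give to trusted roles only" unless you explicitly opt in.

```php
<?php

/**
 * Create a 'content_manager' role and grant it a minimal permission set.
 *
 * Assumed usage (file name is hypothetical):
 *   drush php:script create_content_manager_role.php
 */

use Drupal\user\Entity\Role;

/**
 * Creates (or loads) a role and grants only permissions that exist.
 *
 * Returns the permissions that were skipped and why, so the caller sees what
 * was refused instead of silently getting a role with fewer rights.
 */
function grant_minimal_permissions(string $role_id, string $label, array $wanted, bool $allow_restricted = FALSE): array {
  // Every permission Drupal currently knows about, keyed by machine name.
  // Entries flagged 'restrict access' are the ones the UI labels
  // "Warning: Give to trusted roles only; this permission has security implications."
  $known = \Drupal::service('user.permissions')->getPermissions();

  $role = Role::load($role_id) ?? Role::create(['id' => $role_id, 'label' => $label]);

  $skipped = [];
  foreach ($wanted as $permission) {
    if (!isset($known[$permission])) {
      // Unknown permission: a typo, or the module providing it is not enabled.
      // Drupal 10 would throw on save for this; better to report it here.
      $skipped[$permission] = 'unknown permission';
      continue;
    }
    if (!empty($known[$permission]['restrict access']) && !$allow_restricted) {
      $skipped[$permission] = 'restricted permission, not granted to a non-admin role';
      continue;
    }
    $role->grantPermission($permission);
  }
  $role->save();
  return $skipped;
}

// The content editor role in the standard profile can only edit its *own*
// content; this role may edit anyone's article and page content, and nothing
// else. The last two entries are deliberately wrong to show the checks firing.
$skipped = grant_minimal_permissions('content_manager', 'Content manager', [
  'access content overview',
  'edit any article content',
  'delete any article content',
  'edit any page content',
  'delete any page content',
  'view own unpublished content',
  'administer nodes',        // flagged restrict access in node module: skipped
  'edit any artcle content', // typo: reported as unknown
]);

foreach ($skipped as $permission => $reason) {
  echo "Skipped '$permission': $reason\n";
}
```

Once saved, the role appears on /admin/people/roles like any other, and exporting configuration writes it to user.role.content_manager.yml, so it can be reviewed in version control before it reaches production.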
Assigning Roles to Users
Assigning roles to users is done on the people page, which has an overview of all users.
Manage > People
/admin/people
You can assign roles in bulk on this page using the bulk actions at the top of the list, or individually on a user's edit page (e.g. /user/2/edit) via the Edit operation.
Adding a new user
Adding a new user can be done from the people page, as you can see in the above image.
Manage > People > + Add user
/admin/people/create
On the create user page you can add all the info needed for a new user and, by ticking Notify user of new account, send an automated email telling them their account is ready to use.
New users created manually get the authenticated user role automatically; every logged-in user has it and it cannot be removed. In the standard install this lets users comment and do a few other things. If you checked out the permissions page, you will be aware that an authenticated user is fairly restricted. You can easily add the content editor role when setting up the account: all you need to do is tick its checkbox.
Anonymous users can set up a new account on the register page:
[example.com]/user/register
Accounts that anonymous users register are blocked by default (the standard install sets Who can register accounts? to Visitors, but administrator approval is required). The applicant is told that their account is pending approval. It is then up to a site administrator, or a custom role you have set up with the administer users permission, to activate the account and assign the role(s).
Since self-registration and role assignment can get quite complex, I will cover them in more detail in another article. As it is, a standard installation of Drupal is set up well for a small community site or company intranet. However, if you want to build a larger social community with automatic role assignment and free-for-all posting and commenting, you will need to set up a more robust system. Otherwise you will get spammed, a lot.
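Both halves of the above, creating an account from the admin side and approving a pending self-registered one, can also be done in code, for example when importing staff accounts. The following is an added example, not code from the article or from Drupal; it assumes a hypothetical user jane.editor, the standard profile's content_editor role, and that it runs with drush php:script on a site where that username and email are not yet taken.

```php
<?php

/**
 * Create a user with roles (the /admin/people/create form in code) and
 * approve a blocked, self-registered account.
 *
 * Assumed usage (file name is hypothetical):
 *   drush php:script manage_users.php
 */

use Drupal\user\Entity\User;

/**
 * Mirrors the "Add user" form: name, mail, roles, status, notification.
 *
 * $active = FALSE leaves the account blocked, which is what a self-registered
 * account looks like while it waits for approval.
 */
function create_site_user(string $name, string $mail, array $roles, bool $active = TRUE, bool $notify = FALSE): User {
  $user = User::create([
    'name' => $name,
    'mail' => $mail,
    // Let Drupal generate a strong random password; the user sets their own
    // via the one-time login link in the notification mail.
    'pass' => \Drupal::service('password_generator')->generate(32),
  ]);
  foreach ($roles as $rid) {
    // 'anonymous' and 'authenticated' are implicit and locked: addRole()
    // throws an \InvalidArgumentException if you try to add them.
    $user->addRole($rid);
  }
  if ($active) {
    $user->activate();
  }
  else {
    $user->block();
  }
  $user->save();

  if ($notify) {
    // Same mail the "Notify user of new account" checkbox sends.
    _user_mail_notify('register_admin_created', $user);
  }
  return $user;
}

/**
 * Approve a pending (blocked) account and give it its roles in one step,
 * which is what an administrator does on /user/{uid}/edit after registration.
 */
function approve_pending_user(int $uid, array $roles): User {
  $user = User::load($uid);
  if (!$user || $user->isActive()) {
    throw new \RuntimeException("User $uid does not exist or is already active.");
  }
  foreach ($roles as $rid) {
    $user->addRole($rid);
  }
  $user->activate();
  $user->save();
  // The "account activated" mail, as sent by the account settings page.
  _user_mail_notify('status_activated', $user);
  return $user;
}

// Hypothetical account; name and email must not already exist on the site.
$editor = create_site_user('jane.editor', 'jane@example.com', ['content_editor'], TRUE, TRUE);
echo "Created uid {$editor->id()} with roles: " . implode(', ', $editor->getRoles(TRUE)) . "\n";
```

Note that the script never sets a known password and never grants the administrator role; an imported account gets exactly the roles listed, and the user chooses their own password through the one-time login link.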
Comments
By default, commenting is only allowed for logged-in (authenticated) users, but you can allow anyone to comment if you like. If you do, grant the anonymous role post comments but not skip comment approval, so new comments stay unpublished until someone approves them.
APIs and Permissions
It should be obvious, but I will mention it all the same: the permissions granted to roles are enforced by Drupal's access system, not by the forms, and the core JSON:API and REST modules go through the same checks as the UI. This means your new Drupal site is ready to be used as a headless CMS. Bear in mind that API requests made without logging in run as the anonymous user, so whatever the anonymous role is allowed to view in the UI can also be read over the API.
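The flip side is that custom code only gets this enforcement if it asks for it. The example below is added here and is not from the article or from Drupal; it shows the three calls a custom controller or script should use so that its decisions match what the edit form and JSON:API enforce. It assumes a standard-profile site with an article node with ID 1, hypothetical function names prefixed example_, and that it runs with drush php:script (where the current user is anonymous, which is exactly what an unauthenticated API request looks like).

```php
<?php

/**
 * Checking permissions the way Drupal's own UI and APIs do.
 *
 * Assumed usage (file name is hypothetical):
 *   drush php:script check_access.php
 */

use Drupal\Core\Access\AccessResult;
use Drupal\Core\Access\AccessResultInterface;
use Drupal\Core\Session\AccountInterface;
use Drupal\node\Entity\Node;
use Drupal\node\NodeInterface;

/**
 * Route-style access callback: allowed only with the given permission.
 *
 * This is the programmatic twin of `_permission: 'administer nodes'` in a
 * routing.yml requirements block. allowedIfHasPermission() also attaches the
 * 'user.permissions' cache context, so the decision is cached per permission set.
 */
function example_admin_access(AccountInterface $account): AccessResultInterface {
  return AccessResult::allowedIfHasPermission($account, 'administer nodes');
}

/**
 * May $account edit $node? Ask entity access; do not re-implement it.
 *
 * Entity access is the single place where 'edit any X content',
 * 'edit own X content' plus ownership, 'bypass node access', node grants and
 * hook_node_access() implementations are combined. The edit form, JSON:API
 * and REST all call exactly this, so custom code should too rather than
 * checking one permission string with hasPermission().
 */
function example_can_edit(AccountInterface $account, NodeInterface $node): AccessResultInterface {
  $result = $node->access('update', $account, TRUE);
  // Make the cached decision depend on the node as well as on the permissions.
  return $result->addCacheableDependency($node);
}

/**
 * IDs of published articles the current user may update.
 *
 * accessCheck(TRUE) makes the query honour node access for *viewing* (in
 * Drupal 10 calling accessCheck() is mandatory; the query throws otherwise).
 * It does not check 'update', so each candidate is then filtered through
 * entity access to get the same answer the edit form would give.
 */
function example_editable_article_ids(): array {
  $account = \Drupal::currentUser();
  $storage = \Drupal::entityTypeManager()->getStorage('node');
  $ids = $storage->getQuery()
    ->accessCheck(TRUE)
    ->condition('type', 'article')
    ->condition('status', 1)
    ->range(0, 50)
    ->execute();

  $editable = [];
  foreach ($storage->loadMultiple($ids) as $nid => $node) {
    if ($node->access('update', $account)) {
      $editable[] = (int) $nid;
    }
  }
  return $editable;
}

// Under drush the current user is anonymous unless you switch users, so this
// prints what an unauthenticated API client would be allowed to do.
$account = \Drupal::currentUser();
echo 'administer nodes: ' . (example_admin_access($account)->isAllowed() ? 'allowed' : 'denied') . "\n";
if ($node = Node::load(1)) {
  echo 'update node 1: ' . (example_can_edit($account, $node)->isAllowed() ? 'allowed' : 'denied') . "\n";
}
echo 'editable articles: ' . implode(', ', example_editable_article_ids()) . "\n";
```

The thing to avoid is the opposite pattern: a direct database query or an entity query with accessCheck(FALSE) returns content regardless of role, and a controller that only checks one permission string will disagree with the edit form as soon as someone implements hook_node_access().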
Summary
That's it. Now you have a broad overview of Drupal roles, permissions, and users. You have learnt why permissions are useful: for the security of your site and for a clutter-free user experience for your users. You also know how to add a role and grant permissions, and about creating users and assigning roles to build your community or intranet.
Thanks for reading. I write about Drupal to make it easier for new adopters to find their way around. I also write about front-end development, design, and UX/UI. Please enter your email below to get a weekly newsletter on web development.
Until next time, seize the day.