I’m new to Drupal and have recently installed Drupal 7 rc4 and the Organic Groups (OG) module. However, I can’t seem to be able to configure permissions and roles to facilitate our access control specifications. I appreciate your help in providing me with a guideline to enable me to satisfy the following access control specifications. Access control should be implemented for a knowledgebase system that facilitates collaborative knowledge management and research in a particular medical domain.

1. We need to create groups that represent entities with knowledge and expertise in the particular medical domain
2. Every group has a “coordinator” that can add members to the group
3. Group members can submit patient cases to the knowledgebase as content for the corresponding group
4. Patient personal information such as name, address,etc are only visible to the member that submitted the case to the
group; other group members can only access clinical information for the patient case
5. Only members of the group can view the group contents
6. Contents loaded/added to a group cannot be viewed by members of other groups
7. Members can only add content to the group/s of which they are a member
8. Specific content in a group may need to be visible only to some members of the group
9. Roles assigned to members of a group should be restricted to only that group unless the group coordinator specifically
assigns that role to the user in another group.

I tried configuring these access requirements through the Group tab for every group but the Roles and Permissions are read-only. Not sure if this is a bug or a feature. If this is a feature, then how can Roles and Permissions be configured for every group?

Also, tried installing the content access and acl modules, which provides an "Access Control" configuration tab for both the Group content type and for every group created. However, this tab doesn't work for Group level configuration; i.e. I get the following error when I click on the "Access Control" tab for every group. I have tried disabling the overlay module, but that also results in an http 500 error.

Webpage error details
User Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; .NET CLR 1.1.4322; .NET CLR 2.0.50727; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729; .NET4.0C; .NET4.0E)
Timestamp: Wed, 9 Feb 2011 01:45:07 UTC
Message: Permission denied
Line: 267
Char: 3
Code: 0
URI: http://localhost/drupal7/modules/overlay/overlay-parent.js?v=1.0

Your help is very much appreciated. I also looked at using OG User Roles (OGUR) ; however, this module isn’t available for Drupal 7.

Kind Regards,


femrich’s picture

I would begin by upgrading core to 7.x-1.0, which was released in early January:

femrich’s picture

Sorry, the correct core version number is 7.0

tebb’s picture

@Hziaim, did you get this working?

amitaibu’s picture

Version: 7.x-1.0 » 6.x-2.x-dev

This seems to be about 6 version.

sowmya2205’s picture

Priority: Normal » Major


i have a similar requirement.I need group admins for each group.Main Admin will have all the permissions.Contents of the group is editable only by main admin and group admin.Main admin decides the group admins.But how can assign such a role.The group admin can be a normal member of another group.He cannot edit content of another group in which he is a normal member.

Pls anyone help


tebb’s picture

Version: 6.x-2.x-dev » 7.x-1.x-dev
Priority: Major » Normal


D7 yes? ... "installed Drupal 7 rc4 and the Organic Groups (OG) module" ... "I also looked at using OG User Roles (OGUR) ; however, this module isn’t available for Drupal 7."


Note: I don't have this enabled, so I'm doing it from memory, but should be about right.

To make the permissions and roles changeable for a group, you need to add that feature to the 'group entity' via this page: http://www.example.com/admin/config/group/fields

The first two drop down boxes select where and what you are adding. The area below with the tabs allows you to see what is already configured.

Your group entity is probably a content type that you have defined.

To allow roles and permissions to be set for groups you:

- select your entity representing groups (probably a content type) from the first box.
- select the 'feature' (you want "Group roles and permissions") from the second box.
- click 'Add field'
- (Now you see the new options on the group edit page)
- edit a group (not the group content type) and enable Group roles and permissions for that group

The roles and permissions should now be read/write instead of read-only.

To understand a little more, you can check that the field was added by looking at the fields on the content type's manage fields tab.

It's worth watching Amitaibu's video about OG7. In the video, Amitaibu says he will probably redesign this part of the admin interface, so this may be out of date soon.

Hope that helps.

sowmya2205’s picture

Thanks, but i want this drupal 6 also.Is separate content type used for each group.

mckinleymedia’s picture

Brilliant! This did it for me. Thanks!

BrightBold’s picture


Also, tried installing the content access and acl modules...

You should definitely uninstall these. Drupal does not do well when you have more than one access control module installed — they conflict and the you won't get the results you want. See http://drupal.org/node/270000 for more information. So I would start with uninstalling those modules and seeing if you have inadvertently installed any other node access modules.

To configure the roles and permissions, you have to go to the global settings, rather than from within the group where, as you point out, they are read-only.
Roles: /admin/config/group/roles
Permissions: /admin/config/group/permissions

4. Patient personal information such as name, address,etc are only visible to the member that submitted the case to the group; other group members can only access clinical information for the patient case

I'm not sure how this can be achieved. I looked at the OG Field Access sub-module, which allows you to determine access to specific fields by role, but it doesn't seem to distinguish between fields on documents created by the user and not. Maybe someone else will have a good solution.

jmussi’s picture

I'm having some similar issues. I followed the instruction to override field permission and I can change the default now.
The problem is that this does not seem to resolve the following problem:
when non-members first access the groups home page, they can view all the groups articles.
I need to allow only members access to that view.
How can I configure my group to block access to content between group members and non-members?

BTW, I'm using OG v 7.x-1.4 and Drupal v7.7

UPDATE - I've figured out how to do it... thank you

Thank you
Jose Mussi

MohamedAli’s picture


UPDATE - I've figured out how to do it... thank you

can you tell us what was wrong?


jmussi’s picture

It was simple - just assign the group's visibility parameter to 'private'
The default is 'public' which allows total access. Now, only group members see the posting.

MohamedAli’s picture

sorry it was my mistake also, I was trying another thing..

Anonymous’s picture

I have tried with these settings with D7 but action block is viewing by non-member and creating content too not in group but global but through group.
So how can i solve this problem.

jaspm2004’s picture

#6 did it for me. thanks!

hanksterr7’s picture


I finally made sense of the interplay between OG roles and Core user roles. I wanted a way to control which members of a group could post content to the group, and to do this based on Core user roles.

Please see my post https://drupal.org/node/2073397 that discusses this.

From the final comment:
Found a work-around (but I don't like that I had to do this)

Did the following:
-- Removed ability for group members to create group posts
-- Created a new Group Role called Group Author. This role has Create Group Post permissions
-- Installed the OG Role Override module.
-- Granted 'Act as role "group author" in OG Node Group groups' to my desired user role (called "content manager")

Now, authenticated users can join groups but they can not post content to the group. If the user gets the content manager user role, they automatically get the Group Author group role, and (assuming the group is using default roles and permissions), they can now create group posts to the group. An authenticated user can also be manually granted the Group Author role in one or more of their groups. When this is done, and they try to create Group Posts, the Group Audience box will show only those groups for which they have the Group Author group role (nice!)

So permissions linked to OG roles for content create/edit/delete override permissions linked to user roles. But with this workaround, via the OG Role Override module, I can get the two permissions systems to work together in the way I want.

-- hanksterr7