I have been frustrated by the limitations of Drupal's user management. I would love to see Drupal adopt a more sophisticated access control system, with groups and permission inheritance (perhaps along the lines of PEAR::LiveUser). I see something like the following...
- Areas: Each site is broken up into functional areas, typically associated with an individual module or group of related modules.
- Roles: Each area has one or more roles associated with it. A role is granted a specific set of user rights. Roles can be implied, so someone in Role-A may automatically gain the rights of Role-B, even though those rights have not been explicitly defined for Role-A. In this case, having Role-A implies that you also have Role-B. By default, every area will include an area admin role that automatically gains all rights associated with every role in that area.
- Rights: A right is a specific privilege that can be granted to a user. As with roles, rights can also be implied by other rights.
- Groups: A group is a container for users. Individual groups can be assigned any combination of roles and rights from any area. Sub-groups can also be defined. For instance, if Group-B is a sub-group of Group-A, then its members are automatically assigned all the rights and roles of Group-A, but they can be assigned additional rights and roles as well that are not shared by the containing group. Site Admin is a special group that automatically gains all rights and roles associated with all areas of the site. Other special groups might include Guest and New User.
- Users: A user represents an individual person. Users can be put in any number of groups. Users can also be granted rights and roles directly.
This feature would allow for amazing flexibility and power in Drupal's user management, with fine-grained control available to those who need it. Some other feature requests, like this one, would become trivial to implement.
The addition of groups and implied rights would allow for a much cleaner, more user-friendly administration interface when managing complex sites with lots of users. It would also allow site administrators to be more creative in the way they use various modules. Module developers would set the area, roles and rights associated with their modules, but the site admin gets to create groups with any combination of rights and roles (across multiple modules) that they see fit. A site with dozens of modules could be managed simply by assigning users to one of a handful of groups. And the odd user who needs "special" privileges could get them without much trouble.
Comments
Comment #1
jstoller: It occurs to me that this system should include a mechanism to order roles and groups in strict hierarchies. That way rights granted to an administrator role can be given more weight than an authenticated user role.
This is especially important if the system not only allows for rights to be granted or denied (i.e. not granted), but also for rights to be forbidden (as discussed in this feature request). A forbidden right is denied even if the user was granted that right by another role. However, in this case that would only hold true if the other role is lower down on the totem pole than the role forbidding said right.
The logic would be something like this...
If none of the user's roles explicitly define access to Right-A, then they are denied access to Right-A.
If one or more of the user's roles define access to Right-A, then whatever is defined by the highest ranked role sets the user's access to Right-A.
Defining access to a right means either granting or forbidding that right. All rights not granted or forbidden are considered denied by default.
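As an added illustration (not code from this issue or from Drupal), here is a small Python model of the access model in the original post (implied roles and rights, sub-groups inheriting their parent's roles) combined with the ranking rule in comment #1: the highest-ranked role that grants or forbids a right decides, and a right no role defines is denied. The role, group and right names are constructed, and `closure`, `user_roles` and `has_right` are hypothetical helper names.

```python
from collections import namedtuple

# rank: higher wins on conflicts; implies: other roles this role carries with it
Role = namedtuple("Role", "rank grants forbids implies", defaults=(frozenset(),) * 3)
ROLES = {   # constructed sample site: hypothetical role, group and right names
    "authenticated": Role(rank=1, grants={"post comments"}),
    "restricted": Role(rank=3, forbids={"post comments"}),
    "editor": Role(rank=5, grants={"edit content"}, implies={"authenticated"}),
    "area admin": Role(rank=9, grants={"administer area"}, implies={"editor"}),
}
GROUPS = {  # group -> (roles, parent group); a sub-group inherits its parent's roles
    "staff": ({"editor"}, None),
    "interns": ({"restricted"}, "staff"),
}
RIGHT_IMPLIES = {"administer area": {"edit content", "post comments"}}

def closure(start, edges):
    # transitive closure of `start` over a name -> set-of-names mapping
    seen, todo = set(), list(start)
    while todo:
        item = todo.pop()
        if item not in seen:
            seen.add(item)
            todo.extend(edges.get(item, ()))
    return seen

def user_roles(direct_roles, groups):
    # roles held directly, through groups and their parents, and by implication
    names = set(direct_roles)
    for g in groups:
        while g is not None:                     # walk up the sub-group chain
            names |= GROUPS[g][0]
            g = GROUPS[g][1]
    return closure(names, {n: r.implies for n, r in ROLES.items()})

def has_right(direct_roles, groups, right):
    # comment #1 rule: the highest-ranked role that defines the right decides
    decision, best_rank = False, -1              # no role defines it -> denied
    for name in user_roles(direct_roles, groups):
        role = ROLES[name]
        if right in closure(role.grants, RIGHT_IMPLIES):
            defined = True                       # granted, directly or by implied right
        elif right in role.forbids:
            defined = False                      # explicitly forbidden
        else:
            continue                             # this role says nothing about the right
        if role.rank > best_rank:
            decision, best_rank = defined, role.rank
    return decision
```

An intern loses "post comments" because the forbidding role (rank 3) outranks the granting authenticated role (rank 1), while a user who also holds the rank-9 area admin role keeps it.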
Comment #2
garthee commented: Exactly this is what I am looking forward to handling here [1], and my road map is
1. implement it as a separate module providing necessary functions (other modules have to call these api /hooks to use them)
2. patch to user module, to effect that and enforce it for all modules within D6
3. Integration with core in D7, such that user.module will be used for creation and user management (profile and other stuff), and possibly authentication integrated (but with expanding authentication options I hope this is handled separately) and this permission.module to oversee all authorization, role, permission management and policy management related tasks with hooks to implement policies
Comment #3
jstoller: garthee, your link didn't come through.
For anyone interested, here is the link to garthee's SoC proposal: http://groups.drupal.org/node/9584
Comment #4
mdupont
Comment #5
mdupont: See also #1200572: Concept of a hierarchical permission system as a step in this direction.
Comment #6
lpalgarvio
Comment #7
lpalgarvio
Comment #8
catch: Moving back to a minor release since this is a feature request.
However also tagging for an issue summary update since this could at least use some comparisons to contrib concepts (organic groups, og_roles, spaces etc.).
Comment #21
smustgrave (Mobomo) commented: Going to close as outdated since this has been in PNMI for 6 years without an update.
If you feel this is still an issue, please reopen after searching for any duplicates.