Managing access control with permissions and user roles

Last updated on 17 March 2017

Roles enable you to assign specific permissions to a group of users and to fine-tune the security, use and administration of modules, and therefore of Drupal in general. Users assigned to a role are granted the permissions assigned to that role. Common examples of roles with which you may be familiar include: anonymous user, authenticated user, moderator, and administrator.

By default, Drupal 6 automatically defines two roles as a part of site installation:

  • anonymous user -- readers of the site who either do not have an account or are not logged in.
  • authenticated user -- the role assigned to new accounts on a Drupal site.

Drupal 7 creates a third role, Administrator, when you use the Standard installation profile. This role has all permissions enabled by default. If you want an Administrator role when using the Minimal installation profile, create a new role and select it as the admin role in admin/config/people/accounts.

The first Drupal account created on a new installation, sometimes referred to as the "root user", always has full permissions for all Drupal activities, including administration and content creation, editing and removal.

Take note, however, that installing and enabling additional contributed modules DOES NOT automatically grant those modules' permissions to the administrator role and its users. This default Drupal setting is primarily for security purposes. Therefore, after installing and enabling additional contrib modules, you need to manually grant the module permissions to the administrator role or, as required, to other roles.

The Anonymous user role should typically have the least access and the fewest permissions of all roles. The Authenticated user role may be given more permissions, depending on the nature and requirements of the website; one example is the ability to create some types of content. If administrator approval is required for new users, or if they match certain criteria (such as having a company email address), you may be able to grant more permissions. More trusted users might be granted special privileges through an administrator-created role, and must be manually added to that role through the user administration interface.

To create a new role

  1. Navigate to /admin/user/roles (Drupal 6) or /admin/people/permissions/roles (Drupal 7).
  2. Enter a label for the new role in the available text field at the bottom of the current list of roles.
  3. Click Add Role.

To assign permissions to a role

  1. Navigate to /admin/user/permissions (Drupal 6) or admin/people/permissions (Drupal 7).
  2. Your new role will be listed as a new column in the permission matrix. Grant permissions to the new role.

To add or remove a user from a role

  1. Navigate to /admin/user/user (Drupal 6) or admin/people (Drupal 7).
  2. Enable the checkbox beside one or more user names.
  3. In the Update Options dropdown box, select a role to add or remove.


Although every role you create yourself automatically receives any permissions you give to authenticated users, neither the roles you create yourself nor the authenticated user role receives permissions given to anonymous users. If you check any of the permission boxes for anonymous users on the access control page, you should almost always also check the equivalent box for authenticated users to avoid odd site behavior.
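
The following is an added example, not Drupal's own code. It models the inheritance rule above and the note about contributed modules as a small audit over a permission matrix. The matrix, the module list and the "example_contrib" module are constructed sample data, and the function names are assumptions made for illustration.

```python
# Added example: models the role rules described on this page.
# Role names follow the page; the matrix and module list are constructed sample data.
ANONYMOUS = "anonymous user"
AUTHENTICATED = "authenticated user"


def effective_permissions(matrix, assigned_roles, logged_in=True):
    """Permissions a user actually holds.

    A logged-in user has the authenticated role plus any assigned roles;
    a visitor who is not logged in has the anonymous role only.
    """
    roles = {AUTHENTICATED, *assigned_roles} if logged_in else {ANONYMOUS}
    perms = set()
    for role in roles:
        perms |= matrix.get(role, set())
    return perms


def audit(matrix, module_permissions, admin_role):
    """Report the two gaps the page warns about."""
    # Granted to anonymous but not to authenticated: logging in removes access.
    anon_only = matrix.get(ANONYMOUS, set()) - matrix.get(AUTHENTICATED, set())
    # Module permissions that users in the administrator role still lack.
    admin_perms = effective_permissions(matrix, [admin_role])
    admin_missing = {}
    for module, perms in module_permissions.items():
        missing = sorted(set(perms) - admin_perms)
        if missing:
            admin_missing[module] = missing
    return {"anonymous_only": sorted(anon_only), "admin_missing": admin_missing}


# Constructed permission matrix (role -> granted permissions).
SAMPLE_MATRIX = {
    ANONYMOUS: {"access content", "access comments"},
    AUTHENTICATED: {"access content", "post comments"},
    "moderator": {"administer comments"},
    "administrator": {"access content", "access comments", "post comments",
                      "administer comments", "administer nodes"},
}
# Constructed module list; "example_contrib" is a hypothetical contrib module.
SAMPLE_MODULES = {
    "node": ["access content", "administer nodes"],
    "comment": ["access comments", "post comments", "administer comments"],
    "example_contrib": ["administer example_contrib"],
}

if __name__ == "__main__":
    print(audit(SAMPLE_MATRIX, SAMPLE_MODULES, "administrator"))
```

In the sample data a moderator loses "access comments" on logging in, because that permission was granted to anonymous users only, and the administrator role lacks the permission defined by the newly enabled module.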