Managing access control with permissions and user roles
Roles are a way of assigning specific permissions to a group of users. They allow you to fine-tune the security, use and administration of Drupal. Users assigned to a role are granted the permissions assigned to that role. Common examples of roles you may already be familiar with include: anonymous user, authenticated user, moderator, and administrator.
By default, Drupal 6 automatically defines two roles as a part of site installation:
- anonymous user -- readers of the site who either do not have an account or are not logged in.
- authenticated user -- the role assigned to new accounts on a Drupal site.
Drupal 7 creates a third role, Administrator, when you use the standard installation profile. This role has all permissions enabled by default. If you want an Administrator role when using the Minimal installation profile, create a new role and select it as the admin role in admin/config/people/accounts.
The anonymous user role should typically have the least access to the site of all roles. Authenticated users, because they took the time to register, might be given more permissions, such as the ability to create some types of content. If administrator approval is required for new users, or if they match certain criteria (such as having a company email address), you may be able to grant more permissions.
The first Drupal account created on a new installation, sometimes referred to as the "root user", always has full permissions for all Drupal activities, including administration and content creation, editing and removal.
More trusted users might be granted special privileges through an administrator-created role, and must be manually added to that role through the user administration interface.
To create a new role
- Navigate to /admin/user/roles (Drupal 6) or /admin/people/permissions/roles (Drupal 7).
- Enter a label for the new role in the available text field at the bottom of the current list of roles.
- Click Add Role.
To assign permissions to a role
- Navigate to /admin/user/permissions (Drupal 6) or admin/people/permissions (Drupal 7).
- Your new role will be listed as a new column in the permission matrix. Grant permissions to the new role.
To add or remove a user from a role
- Navigate to /admin/user/user (Drupal 6) or admin/people (Drupal 7).
- Enable the checkbox beside one or more user names.
- In the Update Options dropdown box, select a role to add or remove.
Note: Every role you create automatically receives any permissions you give to authenticated users. However, neither the roles you create nor the authenticated user role receives permissions given to anonymous users. If you check any of the permission boxes for anonymous users in the access control page, you should almost always also check the equivalent box for authenticated users to avoid odd site behavior.
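The inheritance rule in the note above, modeled as an added example (not Drupal's own code) that reports permissions a visitor holds while logged out but loses after logging in. The permission matrix, the custom role names and the function names are constructed for illustration.

```python
ANONYMOUS = "anonymous user"
AUTHENTICATED = "authenticated user"

# Constructed sample permission matrix (role -> granted permissions), not a real site.
MATRIX = {
    ANONYMOUS: {"access content", "access comments", "search content"},
    AUTHENTICATED: {"access content", "post comments"},
    "moderator": {"administer comments"},
    "administrator": {"administer nodes", "administer users"},
}

def effective_permissions(matrix, assigned_roles=None):
    """Permissions a visitor holds; assigned_roles=None means not logged in."""
    if assigned_roles is None:
        return set(matrix.get(ANONYMOUS, set()))
    # Every logged-in account starts with the authenticated user permissions.
    perms = set(matrix.get(AUTHENTICATED, set()))
    for role in assigned_roles:
        if role == ANONYMOUS:
            continue  # anonymous permissions are never inherited after login
        perms |= matrix.get(role, set())
    return perms

def lost_on_login(matrix, assigned_roles=()):
    """Permissions available while logged out that disappear after login."""
    return effective_permissions(matrix) - effective_permissions(matrix, assigned_roles)

def audit(matrix):
    """Map each logged-in role to the anonymous permissions its members lack."""
    report = {AUTHENTICATED: sorted(lost_on_login(matrix))}
    for role in matrix:
        if role not in (ANONYMOUS, AUTHENTICATED):
            report[role] = sorted(lost_on_login(matrix, [role]))
    return {role: gaps for role, gaps in report.items() if gaps}

if __name__ == "__main__":
    for role, gaps in audit(MATRIX).items():
        print(f"{role}: missing {', '.join(gaps)}")
```

Any role listed in the report needs the same boxes checked for authenticated users (or for that role) in the permission matrix.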