Use case: Role based access control by content type

A client asks you to set up access control to the company's invoices. Only accountants in the company shall be able  to see the invoices.

• First create the content type "Invoice" (machine name invoice) with the appropriate fields. (unless it already exists).
• Next, create user role called "accountants", and assign any users who are working for the company as accountants to this role.
• After creating the user role and content type, you should enable the Content Access extension.
• To make sure users that are not accountants are denied access to invoices, revoke the permission View published content from all roles (including Anonymous).
• Then, go to the content type edit page for this content type (e.g. in Drupal 7, if your site is named "mysite.com": mysite.com/admin/structure/types/manage/invoice). There you'll find a new tab called Access Control.
• You find inside Access Control these basic Role Based Access Control Settings, for working with published content of this content type:
  • View any invoice content: Allow the checked role(s) to view the nodes (content) of this content type.
  • View own invoice content: Allow the author (from the selected roles) of the node to view it.
  • Edit any invoice content: Allow the selected role(s) to edit nodes of this content type.
  • Edit own invoice content: Allow the author (from the selected roles) of the node to edit it.
  • Delete any invoice content: Allow the selected role(s) to delete nodes of this content type.
  • Delete own invoice content: Allow the author (from the selected roles) to delete the author's own node of this content type.

  Back to our use case: Select View any invoice content for the accountants role.

  You may want to give the Anonymous and Authenticated user roles the permission View any X content for all content types X that should not have access to them restricted.

• Now published invoices will be only visible to people (users) that belongs to this role. Test your configuration by logging out or logging in as a user belonging to this role, trying to view an invoice node.