Last updated 11 January 2015. Created on 12 October 2009.
Edited by Propaganistas, LeeHunter, rfay, ilo. Log in to edit this page.

Access to almost all Drupal modules can be controlled by either enabling or disabling permissions for a given role. This has been the root of access control in Drupal since the beginning, but sometimes it is not enough. You need more granular permissions, a hierarchical approach, or just provide new permissions to actions existing in your site. Fortunately, there are many Drupal contribution modules providing more advanced access control facilities.

Access Control in Drupal

From a non-technical point of view, "Access Control" modules affect users, or the way they interact with your site. Some modules restrict all kind of access, others control the access to a simple feature or functionality of the web site.

These are the main topics relating "Access Control" in Drupal:

  • Node Access Control: This is the basic style of Access Control extensions in Drupal. Most of the time access control should focus on content, and content in Drupal means nodes. You will find many of these modules in the project repository. It is generally not possible to run more than one of these at a time, since ACL modules grant permissions, so the first one that grants permission wins.
  • Taxonomy Access Control: Instead of using node attributes to for access control, taxonomy can be used.

Other modules provide additional controls for more specific features. You will find modules defining permissions to alter some node attributes (e.g. the Authoring of content) or other modules providing access to administration features. They could be so complex to categorize, that the best effort could be to put some examples, and let you discover the rest:

  • Menu Access Control: Sometimes just disabling access to the menu entries will limit the access to the content behind.
  • User Access Control: limiting the access to users information is also covered by Access Control modules. They can alter the list of existing users, hidding those who should not be discovered, or provide permissions to perform administrative actions not requering full User Administration privileges.

Finally, A special set of modules has grown up around Organic Groups, the Organic Groups family modules. They provide Groups for Drupal users, and management of Access Control based on these groups.

Combining multiple access control modules

Using multiple access control modules together may produce undesirable results since access is granted as soon as only one module grants it. This is a direct consequence of the whitelisting philosophy behind Drupal's grant system. There exists a module for Drupal 7 (Access Control Bridge) that solves this by requiring all controlling modules to grant access before allowing access.

Looking for support? Visit the forums, or join #drupal-support in IRC.