Last updated March 24, 2014. Created on April 8, 2010.
Edited by Cottser, xjm. Log in to edit this page.

Taxonomy Access Control (a.k.a. TAC) uses Drupal core's node access system. TAC already provides very fine-grained and flexible access control, so it has not been specifically designed to work with any other access control modules. However, it is possible to install multiple access control modules that all use Drupal's core node access system. This page provides some information on what to expect when you use TAC with other access control modules.

Note: Combining multiple access control modules can be difficult. If at all possible, it is recommended you avoid using multiple access control modules together. If you choose to use multiple modules, test your access control configurations thoroughly on a non-production site.

If you are not familiar with how Drupal's node access system works, see these resources:

It is strongly recommended that you use the Devel module when configuring multiple access control modules. For more information, see Troubleshooting for Taxonomy Access Control.

On this page

  1. Background information: Grants are additive
  2. Grant priority
  3. Examples
  4. Alternative configuration: Module Grants

Background information: Grants are additive

Under normal circumstances, access control modules' grants are additive. This is a feature of Drupal's node access system. For any given node, Drupal asks all installed access control modules whether that module grants View, Update, and Delete permissions to that node (by invoking hook_node_access_records()). Each module returns either true (1) or false (0) for each of View, Update, and Delete.

If any one module returns true for a grant type (View, Update, or Delete), then the user receives that grant for that node. (This is true only when other access control modules return the same grant priority as TAC. See Grant priority below for more information.) In other words, the grants from multiple modules are evaluated together with OR.

This means if TAC does not grant access to a node, but another module does, the user will still have access to that node. This is why it is important to configure core permissions properly: if the core node module grants a user access to edit a node, TAC cannot normally revoke that access. The reverse is also true: if TAC grants access to a node, other modules cannot normally revoke this access. Keep this in mind when configuring TAC's global defaults in particular.

Grant priority

It is possible for access control modules to specify what the priority of their grants should be. (Developers may wish to look at the API documentation of node_access_acquire_grants() for more information.) The node access system looks at only the highest priority grants when determining node access. TAC's priority is zero (0). TAC does not support changing this priority; however, other node access modules may set their priorities higher or lower than zero.

At present, TAC provides node access records for every node. This means that if another module has lower priority than zero for a given node, its grants will be ignored. (Conversely, if any module returns a higher priority for a node, TAC's grants will be ignored.) Untagged nodes use the global default for the role; tagged nodes receive grants according to the permission configuration of the node's term(s). (Remember: Access is denied by default.)

It is a common misconception that changing an access control module's weight changes the priority of its grants. This is not the case. A module's grant priority is determined only by its hook_node_access_records().

Examples

(Examples needed -- please add examples here or suggest them in the comments.)

Alternative configuration: Module Grants

The Module Grants module can change the normal node access behavior so that grants are evaluated together with AND to determine access. For more information, see the Module Grants documentation.

Looking for support? Visit the Drupal.org forums, or join #drupal-support in IRC.