This module allows site builders to set up fine-grained permissions for allowing "sub-admin" users to edit and delete other users — more specific than Drupal Core's all-or-nothing 'administer users' permission. It also provides and enforces a 'create users' permission.
See the README.txt file for a full explanation of the permissions.
Version 2 of the module was sponsored by AlbanyWeb.
The maintainer is out of contact for much of Dec 2016/Jan 2017 but this project is not abandoned!
Recent fixes have improved compatibility with other modules that alter the permissions or interface for user admin. Even so, if you are using other modules, please test the combined functionality carefully. See the following issues that document the interaction with particular modules:
- Administration Views - now secure and fully functional. Note that this module tends to report success even when an operation is blocked.
- User Protect - should now work better thanks to chain_menu_access.
The D8 version of this module is available as an alpha release, but is not yet ready for live sites.
Version 2 of the module fixes various security problems in version 1. There is a new version because the instructions and permissions are a little different.
Upgrading from version 1.x to 2.x
Your permissions should upgrade automatically, but it's important to check.
This version has a dependency on chain_menu_access which you will need to add if you upgrade from version 1. This handy module gives much better co-operation when using multiple access modules together, plus it simplifies the code.
Older versions are no longer supported and are insecure. Version 1 of the module was originally written assuming sub-admin users would have the permission 'administer users', which was later discovered to be insecure.
If you choose to continue using older versions, you need to either:
- grant the sub-admins the 'administer users' permission and trust them not to exploit the insecurity, or
- leave 'administer users' off, and accept that various functions won't work.
To allow sub-admins to assign roles, try Role Delegation.
- Maintenance status: Actively maintained
- Development status: Under active development
- Module categories: Administration, Security, User Access & Authentication, User Management
- Reported installs: 10,785 sites currently report using this module.
- Downloads: 53,034
- Automated tests: Enabled
- Last modified: December 1, 2016
- Stable releases are covered by the security advisory policy.
Look for the shield icon below.