User protect admin screen for version 8.x-1.x

This module allows fine-grained access control of user administrators, by providing various editing protection for users. The protections can be specific to a user, or applied to all users in a role.

Note: Up until the D7 version, User Protect has a complicated configuration -- please take the time to read the very extensive module help before using it!

Provided protections

The following protections are supported:

  • Username
  • E-mail address
  • Password
  • Status
  • Roles
  • Edit operation (user/X/edit)
  • Delete operation (user/X/delete or user/X/cancel)

Additionally, the following protections are supported in 7.x-1.x and earlier:

  • OpenID identities

How it works

There are two types of protection rules:

  • User based protection rules
    These apply to a single user.
  • Role based protection rules
    These apply to all users that have that role.

A protection rule prevents any user to perform the selected editing operations (such as changing password or changing mail address) on the specified user. There are two exceptions in which a configured protection rule does not apply:

  1. The logged in user has permission to bypass the protection rule.
    In Drupal 8, this can be configured with an user permission. In Drupal 7, by adding a bypass rule at /admin/config/people/userprotect/administrator_bypass (for one specific user) or by changing the "Administrator bypass defaults" at /admin/config/people/userprotect/protection_defaults (for all users, except the ones for which a bypass rule exists).
  2. The specified user is the current logged in user.
    Protection rules don't count for the user itself. Instead, there are permissions available to prevent an user from editing its own account, username, e-mail address or password.

Protected fields will be disabled or hidden on the form at user/X/edit. The edit and delete operations are protected by controlling access on the paths user/X/edit and user/X/delete.
The protections also apply on bulk operations provided by Drupal core and (for Drupal 7 only) on bulk operations provided by Views Bulk Operations.

No protection to the role itself, only to users in the role

User protect does *not* limit an user in assigning/revoking certain roles in general. A role based protection rule only limits access to users that currently have that role. It does not protect the role itself. For limiting the roles that can be assigned/revoked, try the RoleAssign module or the Role delegation module.


The module is compatible with the following modules:

For compatibility with the Role Delegation module, there is an issue: #1984520: "User Role Delegation" module overrides User Protect settings, but I would like the opposite behavior.

Similar modules

See for a comparison of user edit protection modules.

Authors, maintainers

Versions 4.7.x-1.x - 7.x-1.x were written by Chad Phillips.
Version 8.x-1.x is written and maintained by MegaChriz.

Project information