Understanding Roles and Permissions in Drupal

For many people who are new to Drupal or to site management in general, understanding users, roles, and permissions can be confusing. At the most basic level, a user is anyone who is going to go on your site (pretty simple, huh?).

You can divide users into several different groups, each of which is called a Role. A Role specifies who they are and what you want them to be able to do (or not do, as the case may be) on your website. For example, you might not want random anonymous people online making modifications to articles or adding comments to your website, but it is perfectly okay for them to view all of your content. An anonymous user is an example of a "Role" in Drupal.

When you tell Drupal to let or not let a certain group of folks do certain things, what you are doing is setting Permissions. Permissions are exactly what they sound like -- rules specifying who gets to do what.

Finally, there is a slightly more advanced topic in Drupal user management called Access Rules. Basically, this is a way of configuring your site so that certain Roles can't see your site at all or register an account. This is a useful technique when you want to create a private or invitation-only site or message board.

Now that you've gotten the basic vocabulary, let's work through a simple example of setting roles and permissions in Drupal. You need to start by navigating to your admin page and then to User Management >> User Settings.

User Settings is a page where you can access and modify some settings that apply to everyone who goes onto your site. Most of the options here are pretty self-explanatory -- you can determine who is allowed to create an account on your site, whether the new account needs approval, and whether new users get a welcome email. Go ahead and play with these options and set them however you like depending on the needs of your site.

Next, return to User Management and go to Permissions. On the Permissions page, you will notice that Drupal has already defined two roles for you! They are "anonymous user" and "authenticated user". Basically, anonymous user is the role we described above (random anonymous person online), while authenticated user is someone who has registered and logged in to your site.

Let's set those permissions now. First, decide what you would like your registered users to do. This will depend on the type of site you have. If you have a blogging site where anyone can register and then create their own blog, you might want to give authenticated users a lot of privileges -- though maybe you will still not want to give them the ability to, say, "delete any blog entry" since that might make some of your other bloggers angry. On the other hand, if your site doesn't use user-provided content (say, it's your personal site), you will want to just check "access comments", "post comments" and maybe "post comments without approval" if you don't mind getting spammed.

Now, decide what unregistered users can do. Most likely, you don't want to give them too much power -- you will most likely want to just check "access comments" and perhaps you will let them "post comments".

Okay, so you've set up the predefined roles. What if you want to add a different role? Perhaps you want to add a group of moderators who have the ability to do powerful things like delete other people's blog entries. You can do this by returning to the User Management screen and clicking on Roles. Enter a name for the new role, click "add role", and then either return to the Permissions page or click "edit permissions" directly from the Roles page. Set permissions for Moderators the same way you did for the other roles.
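To make the three steps above concrete (anonymous permissions, authenticated permissions, and a new moderator role), here is a small model of how Drupal turns roles into an allow/deny decision. It is an added example written for this page, not Drupal's own code: the role names, the permission strings, the `User` class and the helper functions are constructed here, and the one Drupal behaviour it assumes is that every logged-in account carries the "authenticated user" role in addition to any role you assign it, so a moderator gets the authenticated permissions plus the moderator ones. It also includes a small audit that flags high-impact permissions granted to the two built-in roles, which is the check you want before opening registration to the public.

```python
from dataclasses import dataclass, field

# Drupal's two built-in roles (names as they appear on the Permissions page).
ANONYMOUS = "anonymous user"
AUTHENTICATED = "authenticated user"

# Constructed sample of what might be ticked on the Permissions page.
# Anonymous visitors may read; registered users may also comment; the
# custom "moderator" role holds the powerful clean-up permissions.
ROLE_PERMISSIONS = {
    ANONYMOUS: {"access content", "access comments"},
    AUTHENTICATED: {"access content", "access comments", "post comments"},
    "moderator": {"delete any blog entry", "administer comments"},
}

# Permissions you would not normally want on an open role (constructed list).
HIGH_IMPACT = {"administer permissions", "administer users", "delete any blog entry"}


@dataclass
class User:
    """A site visitor: either anonymous, or logged in with zero or more extra roles."""
    name: str
    roles: set = field(default_factory=set)
    logged_in: bool = True


def effective_roles(user):
    """Roles Drupal evaluates for this visitor (assumption: every logged-in
    account implicitly has the authenticated role on top of its own roles)."""
    if not user.logged_in:
        return {ANONYMOUS}
    return {AUTHENTICATED} | set(user.roles)


def effective_permissions(user, role_permissions=ROLE_PERMISSIONS):
    """Union of the permissions granted by each of the visitor's roles."""
    perms = set()
    for role in effective_roles(user):
        perms |= role_permissions.get(role, set())
    return perms


def user_access(permission, user, role_permissions=ROLE_PERMISSIONS):
    """True if any role the visitor holds grants the permission."""
    return permission in effective_permissions(user, role_permissions)


def find_overbroad_grants(role_permissions=ROLE_PERMISSIONS, high_impact=HIGH_IMPACT):
    """Audit helper: (role, permission) pairs where one of the two built-in,
    open roles holds a high-impact permission. Empty means nothing to fix."""
    return sorted(
        (role, perm)
        for role in (ANONYMOUS, AUTHENTICATED)
        for perm in role_permissions.get(role, set()) & high_impact
    )


if __name__ == "__main__":
    visitor = User("visitor", logged_in=False)
    alice = User("alice")
    mod = User("mod", roles={"moderator"})
    for who in (visitor, alice, mod):
        print(who.name, sorted(effective_roles(who)), sorted(effective_permissions(who)))
    print("over-broad grants:", find_overbroad_grants())
```

Running the script shows that the moderator can "post comments" without that box being ticked on the moderator row, because the authenticated role supplies it; the corollary is that anything you grant to "authenticated user" is granted to every registered account on the site, including ones you never reviewed.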

A final task you should know is how to track your users and roles. Go to your test site and set up a couple of accounts. Now return to the User Management page and go to Users. You'll see a list of the accounts you've created, and each user has some identifying information. This is also where you can play god by blocking or unblocking users, as well as manually adding any users you wish.