Adding & Removing Users on ExpressionEngine | OpsBlu Docs

Adding & Removing Users on ExpressionEngine


ExpressionEngine (EE) stores all members in a MySQL database and manages them through the Control Panel (CP) at /admin.php (or your custom CP URL). EE has a rich role-based system with configurable Member Roles (called Member Groups in EE5 and earlier). Members serve as both backend editors and frontend site members.

Adding Members via the Control Panel

Creating a New Member

  1. Log in to the ExpressionEngine Control Panel
  2. Navigate to Members > All Members
  3. Click New Member (top right)
  4. Fill in the required fields:
    • Username (alphanumeric, underscores allowed)
    • Screen Name (display name, can contain spaces)
    • Email Address (must be unique)
    • Password (and confirmation)
  5. Select a Primary Role from the dropdown:
    • Super Admin -- Unrestricted access to everything
    • Admin -- Full CP access except system-level settings
    • Content Editors -- Create and edit content in assigned channels
    • Members -- Frontend access only (no CP access by default)
    • Custom roles as configured
  6. Optionally assign additional Roles (EE7 supports multiple role assignment)
  7. Click Save

Understanding Member Roles

ExpressionEngine 7 introduced a flexible role system. Manage roles at Members > Roles:

Default Role     | CP Access                     | Typical Use
Super Admin      | Full (cannot be restricted)   | Site owner, primary developer
Admin            | Full with configurable limits | Site managers
Content Editors  | Channel entry management      | Writers, editors
Members          | No CP access                  | Frontend registered users
Pending          | No access                     | Awaiting activation
Banned           | No access                     | Blocked accounts

Each role has granular permission toggles:

Members > Roles > [Role Name] > Edit

Permission categories:
├── Website Access (can view site, can view offline system)
├── Control Panel Access (can access CP, which sections)
├── Channel Entries (create, edit own, edit others, delete)
├── File Manager (upload, edit, delete files)
├── Template Manager (edit templates, create groups)
├── Member Management (create, edit, delete, ban members)
├── Add-on Management (install, configure add-ons)
└── System Settings (general, content, security settings)

Adding Members via the CLI

ExpressionEngine 7 includes a CLI tool:

# Create a new member via CLI
# (a password given as an argument is recorded in shell history and visible in the process list)
php system/ee/eecli.php make:member \
  --username=jsmith \
  --screen-name="John Smith" \
  --email=jsmith@example.com \
  --password="SecurePass123!" \
  --role="Content Editors"

# List all members
php system/ee/eecli.php list:members

# Reset a member's password
php system/ee/eecli.php reset:password jsmith

Direct Database Creation

-- Create a member directly in the database
-- Note: EE uses bcrypt for passwords

INSERT INTO exp_members (
  username, screen_name, email, password, role_id,
  join_date, ip_address, total_entries, total_comments
) VALUES (
  'jsmith',
  'John Smith',
  'jsmith@example.com',
  -- Generate with: php -r "echo password_hash('Pass123!', PASSWORD_BCRYPT);"
  '$2y$12$hashed_password_here',
  (SELECT role_id FROM exp_roles WHERE name = 'Content Editors'),
  UNIX_TIMESTAMP(),
  '0.0.0.0',
  0, 0
);

-- Get the new member_id
SET @mid = LAST_INSERT_ID();

-- Add to the member roles table (EE7 multi-role support)
INSERT INTO exp_members_roles (member_id, role_id)
VALUES (@mid, (SELECT role_id FROM exp_roles WHERE name = 'Content Editors'));

-- Create the member data row
INSERT INTO exp_member_data (member_id) VALUES (@mid);

Registration and Self-Service

EE supports frontend member registration. Configure at Settings > Members:

Settings > Members:
├── Allow new member registrations: Yes/No
├── Require email activation: Yes/No
├── Default role for new members: [dropdown]
├── Require CAPTCHA for registration: Yes/No
├── Minimum username length: 4
├── Minimum password length: 8
├── Password must contain: uppercase, number, special char
└── Allow multiple roles per member: Yes/No

Removing and Deactivating Members

  1. Go to Members > All Members
  2. Click the member's username
  3. Change their Primary Role to Banned
  4. Click Save

Banned members cannot log in, access the CP, or use frontend features. Their content and profile remain intact.

Deleting a Member

  1. Go to Members > All Members
  2. Check the box next to the member(s) to delete
  3. Click Bulk Actions > Delete
  4. EE prompts: Reassign entries to which member?
  5. Select a member to inherit all entries, or choose to delete entries
  6. Confirm the deletion

What Happens to Their Content

When you delete an EE member:

  • If you reassign entries, all channel entries transfer to the selected member with full metadata preserved
  • If you delete entries, all channel entries by that member are permanently removed
  • Comments by the member remain but show "Guest" or the original screen name (depending on settings)
  • Forum posts (if using Discussion Forum module) are preserved with the original author name
  • File uploads remain in the upload directory
  • Member custom fields data is deleted

CLI-Based Removal

# Ban a member (set role to Banned)
php system/ee/eecli.php update:member jsmith --role="Banned"

# Delete a member and reassign entries
php system/ee/eecli.php delete:member jsmith --reassign-to=admin

SQL-Based Deactivation

-- Ban a member
UPDATE exp_members
SET role_id = (SELECT role_id FROM exp_roles WHERE name = 'Banned')
WHERE username = 'jsmith';

-- Also update the multi-role table
DELETE FROM exp_members_roles WHERE member_id = (
  SELECT member_id FROM exp_members WHERE username = 'jsmith'
);
INSERT INTO exp_members_roles (member_id, role_id)
-- Qualify both columns: role_id exists in exp_members and in exp_roles
SELECT m.member_id, r.role_id FROM exp_members m
CROSS JOIN exp_roles r
WHERE m.username = 'jsmith' AND r.name = 'Banned';

Bulk User Management

Export All Members

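-- Export members to CSV
-- INTO OUTFILE writes on the database server, needs the FILE privilege and is limited by secure_file_priv
-- The file holds member email addresses: restrict its permissions and delete it after use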
SELECT m.member_id, m.username, m.screen_name, m.email,
       r.name AS role, m.join_date, m.last_visit
FROM exp_members m
JOIN exp_roles r ON m.role_id = r.role_id
ORDER BY m.username
INTO OUTFILE '/tmp/ee_members.csv'
FIELDS TERMINATED BY ',' ENCLOSED BY '"'
LINES TERMINATED BY '\n';

Bulk Import Add-on

EE has a community add-on called DataGrab (or Datagrab) for bulk member imports:

# Using the EE CLI with a custom import command
php system/ee/eecli.php import:members --file=members.csv --role="Content Editors"

Bulk Import Script

<?php
// bulk-import-members.php -- Run from EE root directory

// Bootstrap EE
define('SYSPATH', 'system/');
require SYSPATH . 'ee/EllisLab/ExpressionEngine/Boot/boot.php';

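// Skip blank lines so a trailing newline does not produce an empty row
$csv = array_map('str_getcsv', file('import_members.csv', FILE_IGNORE_NEW_LINES | FILE_SKIP_EMPTY_LINES));
$header = array_shift($csv);

foreach ($csv as $row) {
    // array_combine() fails when a row has the wrong number of columns
    if (count($row) !== count($header)) {
        echo "SKIP (malformed row)\n";
        continue;
    }
    $data = array_combine($header, $row);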

    $existing = ee('Model')->get('Member')
        ->filter('username', $data['username'])
        ->first();

    if ($existing) {
        echo "SKIP: {$data['username']}\n";
        continue;
    }

    $member = ee('Model')->make('Member');
    $member->username    = $data['username'];
    $member->screen_name = $data['screen_name'];
    $member->email       = $data['email'];
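    // The CSV carries plaintext passwords: restrict access to the file and delete it after the import
    $member->password    = password_hash($data['password'], PASSWORD_BCRYPT);
    // role_id comes from the CSV and decides each account's privileges, so review the file first
    $member->role_id     = (int) $data['role_id'];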
    $member->join_date   = time();
    $member->save();

    echo "ADDED: {$data['username']}\n";
}
echo "Import complete.\n";
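A pre-import check for the CSV consumed by the script above, as an added example that is not part of the original page or of ExpressionEngine: it applies the username, unique-email and password rules quoted on this page and lets through only role IDs on an allowlist. The function name, the 12-character minimum (taken from the Security Settings section) and the role IDs in the sample are assumptions.

```python
import csv
import io
import re

# Rules quoted on this page: alphanumeric/underscore usernames of at least 4
# characters, unique emails, passwords with uppercase, number and special char.
USERNAME_RE = re.compile(r"[A-Za-z0-9_]{4,}")
MIN_PASSWORD_LEN = 12  # value shown under Settings > Security & Privacy
REQUIRED = ("username", "screen_name", "email", "password", "role_id")

def validate_import(csv_text, allowed_role_ids):
    """Return (accepted usernames, {csv line number: [reasons]})."""
    reader = csv.DictReader(io.StringIO(csv_text))
    accepted, rejected, seen = [], {}, set()
    for row in reader:
        # DictReader files surplus cells under the key None and fills
        # missing cells with None, so both kinds of bad row land here.
        if None in row or any(not row.get(k) for k in REQUIRED):
            rejected[reader.line_num] = ["missing or surplus column"]
            continue
        user, email = row["username"], row["email"].lower()
        pw, role = row["password"], row["role_id"]
        reasons = []
        if not USERNAME_RE.fullmatch(user):
            reasons.append("bad username")
        if user in seen or email in seen:
            reasons.append("duplicate username or email")
        if len(pw) < MIN_PASSWORD_LEN:
            reasons.append("password too short")
        if not all(re.search(p, pw) for p in ("[A-Z]", "[0-9]", "[^A-Za-z0-9]")):
            reasons.append("password lacks a required character class")
        # The role comes from the file, so grant only allowlisted roles.
        if not role.isdigit() or int(role) not in allowed_role_ids:
            reasons.append("role not allowed for import")
        if reasons:
            rejected[reader.line_num] = reasons
        else:
            seen.update((user, email))
            accepted.append(user)
    return accepted, rejected

# Constructed sample file; the role IDs are made up for this example.
SAMPLE = """username,screen_name,email,password,role_id
jsmith,John Smith,jsmith@example.com,Correct-Horse-42,6
mallory,Mallory,mallory@example.com,Correct-Horse-43,1
j doe,Jane Doe,jdoe@example.com,Correct-Horse-44,6
jsmith2,John S,JSMITH@example.com,short,6
broken,row
"""
```

Calling validate_import(SAMPLE, allowed_role_ids={5, 6}) accepts only jsmith and reports the reasons for lines 3 to 6.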

LDAP and SSO Integration

LDAP via Add-on

ExpressionEngine supports LDAP through the Auth LDAP add-on:

// system/user/config/ldap.php
return [
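    // ldap:// on port 389 is unencrypted: bind credentials and user passwords cross the network in clear text.
    // Prefer ldaps:// (port 636) if your directory offers it.
    'host'      => 'ldap://ldap.example.com',
    'port'      => 389,
    'base_dn'   => 'dc=example,dc=com',
    // Bind with a read-only service account rather than the directory admin
    'bind_dn'   => 'cn=admin,dc=example,dc=com',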
    'bind_pass' => getenv('LDAP_BIND_PASSWORD'),
    'filter'    => '(uid={username})',
    'mapping'   => [
        'username'    => 'uid',
        'screen_name' => 'cn',
        'email'       => 'mail',
    ],
    'default_role' => 'Content Editors',
    'group_mapping' => [
        'cn=editors,ou=groups' => 'Content Editors',
        'cn=admins,ou=groups'  => 'Admin',
    ],
];

SAML SSO

For SAML-based SSO (Okta, Azure AD), use the EE SAML add-on or implement via the EE extension hook system:

// system/user/addons/saml_auth/ext.saml_auth.php
// Extension hook: member_member_login_start
// Redirects to SAML IdP if not authenticated

Security Settings

Configure member security at Settings > Security & Privacy:

Settings > Security & Privacy:
├── Password lockout: After X failed attempts
├── Lockout duration: X minutes
├── Require secure passwords: Yes
├── Minimum password length: 12
├── Password rotation: Every X days
├── Session type: Cookies only / Cookies + Session ID
├── CP session timeout: X minutes
└── Require MFA for CP access: Yes (EE7+)

Offboarding Checklist

  1. Ban the member (change role to Banned) to preserve content and audit trail
  2. Reassign channel entries if needed, especially for critical content
  3. Revoke additional roles -- Remove all secondary role assignments
  4. Check add-on access -- Some add-ons store per-member settings or API keys
  5. Review template access -- If the member had template editing permissions, audit recent template changes
  6. Clear their sessions -- Delete from exp_sessions table: DELETE FROM exp_sessions WHERE member_id = X
  7. Update LDAP/SSO -- Disable the account in your identity provider
  8. Audit CP log -- Review Developer > Logs > CP Log for recent actions by the member
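
To confirm steps 1, 3 and 6 of the checklist, the query below lists banned members who still hold another role or an open session. It is an added example, not ExpressionEngine code: SQLite stands in for MySQL, only the columns the check needs are modelled (session_id is assumed), and all rows and role IDs are constructed.

```python
import sqlite3

# Table and column names follow the SQL on this page; only the columns the
# check needs are modelled, and SQLite stands in for MySQL.
SCHEMA = """
CREATE TABLE exp_roles (role_id INTEGER PRIMARY KEY, name TEXT);
CREATE TABLE exp_members (member_id INTEGER PRIMARY KEY, username TEXT, role_id INTEGER);
CREATE TABLE exp_members_roles (member_id INTEGER, role_id INTEGER);
CREATE TABLE exp_sessions (session_id TEXT, member_id INTEGER);
"""

# For each member whose primary role is Banned, count role assignments other
# than Banned (checklist step 3) and remaining sessions (step 6).
AUDIT = """
SELECT m.username,
       (SELECT COUNT(*) FROM exp_members_roles mr
         WHERE mr.member_id = m.member_id AND mr.role_id <> m.role_id) AS extra_roles,
       (SELECT COUNT(*) FROM exp_sessions s
         WHERE s.member_id = m.member_id) AS open_sessions
FROM exp_members m
JOIN exp_roles r ON r.role_id = m.role_id
WHERE r.name = 'Banned'
ORDER BY m.username
"""

def incomplete_offboardings(conn):
    """Return (username, extra_roles, open_sessions) for banned members with leftovers."""
    return [row for row in conn.execute(AUDIT) if row[1] or row[2]]

def sample_db():
    """Constructed data: jsmith was banned in exp_members only; adoe was fully offboarded."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    conn.executemany("INSERT INTO exp_roles VALUES (?, ?)",
                     [(1, "Super Admin"), (2, "Banned"), (6, "Content Editors")])
    conn.executemany("INSERT INTO exp_members VALUES (?, ?, ?)",
                     [(10, "jsmith", 2), (11, "adoe", 2), (12, "editor", 6)])
    conn.executemany("INSERT INTO exp_members_roles VALUES (?, ?)",
                     [(10, 6), (10, 2), (11, 2), (12, 6)])
    conn.executemany("INSERT INTO exp_sessions VALUES (?, ?)",
                     [("constructed-session-a", 10), ("constructed-session-b", 12)])
    return conn

if __name__ == "__main__":
    for row in incomplete_offboardings(sample_db()):
        print(row)
```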