Drupal User Management: Roles and Permissions | OpsBlu Docs

Manage users, roles, and permissions in Drupal. Covers the role-permission matrix, content access control, contributed modules for advanced RBAC, and...

Drupal uses a role-based permission system where each role is a named collection of permissions selected from a global permission matrix. Users can have multiple roles, and their effective permissions are the union of all assigned roles. Drupal's permission system is one of the most granular among open-source CMS platforms.

Permission model overview

Drupal's access control is structured as:

  • Permissions -- Individual capabilities (e.g., "create article content," "administer users," "access site reports"). Each module defines its own permissions.
  • Roles -- Named collections of permissions. A user can have multiple roles simultaneously.
  • Users -- Accounts that are assigned one or more roles. User 1 (created during installation) is the superuser with implicit full access that bypasses all permission checks.

Permissions are additive. If any assigned role grants a permission, the user has it. There is no deny mechanism in core Drupal.

Built-in roles

  • Anonymous -- Unauthenticated visitors. Permissions granted here apply to all non-logged-in traffic.
  • Authenticated -- All logged-in users automatically have this role. Use it for baseline permissions that every registered user should have.
  • Administrator -- Typically configured during installation to have all permissions. Unlike User 1, this role is subject to the permission matrix and can be customized.

Additional roles are created as needed (Content Editor, Site Manager, Marketing, etc.).

Admin UI paths

  • Users list -- People (/admin/people) -- View, filter, add, edit, and bulk-manage user accounts
  • Roles -- People > Roles (/admin/people/roles) -- Create, edit, reorder, and delete roles
  • Permissions -- People > Permissions (/admin/people/permissions) -- The master permission matrix showing all permissions grouped by module, with checkboxes per role
  • Account settings -- Configuration > People > Account settings (/admin/config/people/accounts) -- Registration settings, email templates, and default role assignment

The permission matrix

The Permissions page (/admin/people/permissions) displays a grid:

  • Rows are individual permissions grouped by the module that defines them
  • Columns are roles
  • Checkboxes grant or revoke each permission per role

Core permission categories include:

  • Node (Content) -- Create, edit own, edit any, delete own, delete any -- per content type (article, page, etc.)
  • Content Moderation -- Use editorial transitions (draft > review > published) if the Content Moderation module is enabled
  • Taxonomy -- Create, edit, delete terms in each vocabulary
  • File/Media -- Upload, view, delete files and media entities
  • Block -- Administer blocks and block layouts
  • Menu -- Administer menus and menu links
  • User -- Administer users, change own username, cancel own account
  • System -- Access administration pages, access site reports, administer site configuration, administer modules, administer themes
  • Filter -- Use specific text formats (Full HTML, Restricted HTML, etc.)

Each contributed module adds its own permissions to this matrix.

Creating a role

  1. Go to People > Roles (/admin/people/roles)
  2. Click Add role
  3. Enter a label (e.g., "Content Editor") and machine name
  4. Save, then go to People > Permissions to configure what the role can do
  5. Check the relevant permissions and save

Managing users

Adding a user:

  1. Go to People > Add user (/admin/people/create)
  2. Enter username, email, password, and status (Active/Blocked)
  3. Assign one or more roles
  4. Save

Editing a user:

  1. Go to People, find the user, click Edit
  2. Modify roles, status, or account details
  3. Save

Blocking/removing a user:

  1. Set the account status to Blocked to disable login while preserving content attribution
  2. Or Cancel account with options to: disable only, disable and unpublish content, disable and delete content, or delete account entirely

API and authentication

Drupal provides several API modules:

  • JSON:API (core) -- RESTful API following the JSON:API specification. Permissions are enforced per the authenticated user's roles. Authentication via cookie, Basic Auth, or OAuth.
  • RESTful Web Services (core) -- Configurable REST endpoints for entities. Each resource/method must be explicitly enabled and its authentication method configured at /admin/config/services/rest.
  • Simple OAuth (contrib module) -- OAuth 2.0 provider for Drupal. Tokens are issued per-user and scoped to roles. Configure at /admin/config/people/simple_oauth.
  • API keys -- Not built into core. Contributed modules like Key Auth provide token-based API access.

OAuth tokens inherit the user's permissions. Create dedicated service accounts with minimal roles for API integrations.
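The script below is an added example written for this page; it is not OpsBlu's or Drupal's own code. It reads role definitions in the shape Drupal's configuration export writes them (one user.role.<machine_name>.yml per role; the samples here are constructed and abbreviated to the keys the script uses), computes a user's effective permissions as the additive union described in the permission model section, and runs two checks: which admin-level permissions the Anonymous and Authenticated roles expose to every visitor or every logged-in user, and which permissions an API service account holds beyond what its integration needs. The ADMIN_LEVEL list, the api_reader role and the misplaced "access site reports" grants are assumptions made for the example.

```python
"""Audit Drupal role config under the additive permission model.

Drupal exports each role to config/sync/user.role.<machine_name>.yml. The
ROLE_CONFIG samples are CONSTRUCTED for this example (langcode, status,
dependencies and weight keys omitted); 'access site reports' on the
anonymous and content_editor roles is a deliberate misconfiguration.
"""

ROLE_CONFIG = {
    "anonymous": """
id: anonymous
label: 'Anonymous user'
is_admin: false
permissions:
  - 'access content'
  - 'access site reports'
""",
    "authenticated": """
id: authenticated
label: 'Authenticated user'
is_admin: false
permissions:
  - 'access content'
  - 'use text format basic_html'
""",
    "content_editor": """
id: content_editor
label: 'Content Editor'
is_admin: false
permissions:
  - 'create article content'
  - 'edit own article content'
  - 'delete own article content'
  - 'access site reports'
""",
    "api_reader": """
id: api_reader
label: 'API Reader'
is_admin: false
permissions:
  - 'access content'
""",
    "administrator": """
id: administrator
label: Administrator
is_admin: true
permissions: {  }
""",
}

# Assumption: core permissions that hand over site-wide control. Extend per site.
ADMIN_LEVEL = {
    "administer users", "administer permissions", "administer modules",
    "administer site configuration", "administer themes",
    "access site reports", "bypass node access",
}


def parse_role_config(text):
    """Minimal reader for the flat user.role.*.yml shape (not a general YAML parser)."""
    role = {"id": None, "label": None, "is_admin": False, "permissions": set()}
    in_perms = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if in_perms and line.startswith("- "):
            role["permissions"].add(line[2:].strip().strip("'\""))
            continue
        in_perms = False
        key, _, value = line.partition(":")
        key, value = key.strip(), value.strip()
        if key == "id":
            role["id"] = value
        elif key == "label":
            role["label"] = value.strip("'\"")
        elif key == "is_admin":
            role["is_admin"] = value == "true"
        elif key == "permissions":
            in_perms = not value.startswith("{")  # '{  }' is the empty list
    return role


ROLES = {rid: parse_role_config(text) for rid, text in ROLE_CONFIG.items()}


def effective_permissions(role_ids, roles=ROLES):
    """Union across roles: any role that grants a permission grants it for the user.
    An is_admin role bypasses the matrix entirely, so it is reported as a flag."""
    is_admin = any(roles[r]["is_admin"] for r in role_ids)
    perms = set().union(*(roles[r]["permissions"] for r in role_ids))
    return is_admin, perms


def roles_granting(permission, role_ids, roles=ROLES):
    """Every role that grants the permission. There is no deny, so revoking it
    from the user means removing it from each of these roles."""
    return sorted(r for r in role_ids
                  if roles[r]["is_admin"] or permission in roles[r]["permissions"])


def audit_public_roles(roles=ROLES):
    """Admin-level permissions on anonymous/authenticated reach everyone in that class."""
    return [(rid, perm) for rid in ("anonymous", "authenticated")
            for perm in sorted(roles[rid]["permissions"] & ADMIN_LEVEL)]


def check_service_account(role_ids, allowed, roles=ROLES):
    """Least-privilege check for an API/OAuth service account: tokens inherit the
    account's roles, so anything outside `allowed` is reachable through the token."""
    is_admin, perms = effective_permissions(role_ids, roles)
    return {"is_admin": is_admin, "excess": sorted(perms - set(allowed))}


if __name__ == "__main__":
    print("public-role findings:", audit_public_roles())
    editor = ["authenticated", "content_editor"]  # 'authenticated' is implicit for any login
    print("editor 'access site reports' granted by:", roles_granting("access site reports", editor))
    print("api_reader service account:", check_service_account(["authenticated", "api_reader"], {"access content"}))
```

Note that the Authenticated role's baseline permissions leak into every service account, which is why the allowlist check runs on the union rather than on the dedicated role alone.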

Analytics and tracking permissions

  • Google Analytics / Tag Manager -- Installed via the Google Analytics or Google Tag Manager contributed module. Configuration at /admin/config/system/google_analytics (or /admin/config/system/google_tag_manager). Requires the "Administer Google Analytics" permission.
  • Custom script injection -- Adding scripts to all pages via theme templates requires developer access to the filesystem. Alternatively, use a module such as Asset Injector (/admin/config/development/asset-injector), which has its own "Administer Asset Injector" permission.
  • Statistics module (core) -- Enables basic page view counting. View counts appear on content pages. Requires "View content access statistics" permission to view and "Administer statistics" to configure.
  • Reports -- Built-in reports under /admin/reports include status reports, recent log messages (Watchdog), and top search queries. Requires "Access site reports" permission.
  • Content access for analytics -- Some analytics implementations read node data via API. Ensure the API service account has "View published content" for relevant content types.

A Content Editor role typically cannot install or configure analytics modules. Grant the "Administer Google Analytics" (or equivalent) permission specifically to the roles that need to manage tracking configuration.

Contributed modules for advanced access control

  • Content Access -- Per-node access control with role-based view/edit/delete permissions
  • Group -- Organic groups with their own member roles and content permissions
  • Permissions by Term -- Taxonomy-driven access control
  • Role Delegation -- Allow non-admins to assign specific roles without full user administration access
  • Masquerade -- Allow admins to impersonate other users for testing

Security features

  • Drupal supports SSO via SAML (SimpleSAMLphp module), OAuth, CAS, and LDAP contributed modules
  • Password policies are configurable via the Password Policy contributed module
  • Two-factor authentication is available via the TFA module
  • The Watchdog log (/admin/reports/dblog) records security events, login attempts, and permission-related errors
  • User 1 should be secured with an extremely strong password and used only for emergency access
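As an added example that is not part of the original page, the script below reads a constructed CSV export of the Watchdog (dblog) table columns wid, timestamp, type, severity, hostname and message, and surfaces three things the list above points at: bursts of failed logins per source host, repeated "access denied" entries under /admin, and any session opened for the User 1 account. The message texts follow core's user module ("Login attempt failed for %user.", "Session opened for %name.") with placeholders substituted as dblog displays them; the account name "admin" for User 1, the thresholds, the severity labels and all sample entries are assumptions for the example.

```python
"""Detection checks over a Drupal watchdog (dblog) export.

SAMPLE_DBLOG is CONSTRUCTED for this example: six failed logins and three
/admin access denials from 203.0.113.7, a lone failure from 198.51.100.4,
and one session for the User 1 account (assumed to be named 'admin').
"""
import csv
import io
from collections import Counter, defaultdict
from datetime import datetime, timedelta

SAMPLE_DBLOG = """\
wid,timestamp,type,severity,hostname,message
101,2024-05-01 10:00:05,user,notice,203.0.113.7,Login attempt failed for editor.
102,2024-05-01 10:00:09,user,notice,203.0.113.7,Login attempt failed for editor.
103,2024-05-01 10:00:14,user,notice,203.0.113.7,Login attempt failed for admin.
104,2024-05-01 10:00:20,user,notice,203.0.113.7,Login attempt failed for admin.
105,2024-05-01 10:01:02,user,notice,203.0.113.7,Login attempt failed for admin.
106,2024-05-01 10:02:40,user,notice,203.0.113.7,Login attempt failed for webmaster.
107,2024-05-01 10:03:00,access denied,warning,203.0.113.7,/admin/people/permissions
108,2024-05-01 10:03:04,access denied,warning,203.0.113.7,/admin/people
109,2024-05-01 10:03:10,access denied,warning,203.0.113.7,/admin/modules
110,2024-05-01 10:05:00,user,notice,198.51.100.4,Login attempt failed for editor.
111,2024-05-01 10:05:30,user,notice,198.51.100.4,Session opened for editor.
112,2024-05-01 10:20:00,user,notice,192.0.2.10,Session opened for admin.
"""


def parse_dblog(text):
    """Rows as dicts with the timestamp parsed into a datetime."""
    entries = []
    for row in csv.DictReader(io.StringIO(text)):
        row["time"] = datetime.strptime(row["timestamp"], "%Y-%m-%d %H:%M:%S")
        entries.append(row)
    return entries


def failed_login_bursts(entries, threshold=5, window=timedelta(minutes=10)):
    """Per source host, the largest number of failed logins inside any `window`;
    only hosts reaching `threshold` are returned."""
    by_host = defaultdict(list)
    for e in entries:
        if e["type"] == "user" and e["message"].startswith("Login attempt failed"):
            by_host[e["hostname"]].append(e["time"])
    bursts = {}
    for host, times in by_host.items():
        times.sort()
        best, start = 0, 0
        for end, t in enumerate(times):          # sliding window over sorted times
            while t - times[start] > window:
                start += 1
            best = max(best, end - start + 1)
        if best >= threshold:
            bursts[host] = best
    return bursts


def admin_path_denials(entries, prefix="/admin"):
    """Hosts hitting permission checks on admin paths (message is the denied path)."""
    return dict(Counter(e["hostname"] for e in entries
                        if e["type"] == "access denied" and e["message"].startswith(prefix)))


def superuser_sessions(entries, superuser="admin"):
    """Every login of the User 1 account; it should only happen during an emergency."""
    tag = f"Session opened for {superuser}."
    return [(e["hostname"], e["time"]) for e in entries
            if e["type"] == "user" and e["message"] == tag]


if __name__ == "__main__":
    log = parse_dblog(SAMPLE_DBLOG)
    print("failed-login bursts:", failed_login_bursts(log))
    print("/admin denials by host:", admin_path_denials(log))
    print("User 1 sessions:", superuser_sessions(log))
```

In practice the export would come from the watchdog table or a log shipper rather than an inline string; the thresholds are a starting point, and a host that both fails logins repeatedly and then probes /admin paths is the pattern worth alerting on.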
