A frequent support issue is users having the authenticated user role configured with more permissive grants than their additional roles, and not realizing/understanding why access is not denied.

  • A side effect of #1360458: Change default value of Add tag (create) grant to allow for anonymous and authenticated users is that there's a permissive default that needs to be overridden for restricted vocabularies. (E.g., it is a common scenario to create a vocab specifically for access control, and obviously non-administrators should not have create permissions for that vocab.) Plus, people already tend to overlook or misunderstand Add tag.
  • One suggestion in the UX review was to make the custom role's global default the same as the authenticated role's when enabled. This would need to be patched in #1314606: Redesign role configuration page.
  • #1314992: Add help text referring to authenticated user role for custom roles already aims to make the help text about the authenticated user role more prominent, but users won't necessarily remember what they configured on another role form.
  • #364058: Allow configuration of TAC permissions on term/vocab create/edit addresses that issue by moving all role configurations for a given term or vocab side-by-side, but that still does not help on the role configuration form. (Aside: maybe there is some way for the UI to link each term on the roles page to its term page, and vice versa? Maybe an "operations"-type link?)
  • The core permissions form addresses the issue by checking and disabling permissions that are checked for authenticated users. While that would provide more feedback, I'm not sure it's as helpful, because the auth role is not on the same page. It could just as easily confuse users more.
  • Another option would be validation notices when a custom permission is less permissive than the authenticated role.
  • Or even validation failures when a custom role permission is less permissive. Again, this could also be worse UX rather than better UX... and technically a less permissive access rule is legal; it just doesn't accomplish anything.