Does Drupal, or any module, support permissions based on multiple dimensions? Here's an example:

- you have 3 departments in your company: Marketing, Human Resources, Product Development
- you also have 3 levels of employees: regular, Manager, Vice President

Can I create a node that is accessible to all VPs, but nobody else? To everyone in Marketing but nobody from the other departments? To Product Development Managers only? To everybody except Human Resources?

I realize I could create 9 roles... however this solution does not scale up, imagine 9 departments and 6 titles. Then add more dimensions like Eastern, Central, Western division.

Active Directory allows for multiple groups; you can allow or deny access to a resource by group. So a person would be classified in one department group, one level group, and one geographic group. This is what I'm looking for in Drupal.

Also, is there a list of new features that will be included in Drupal 5.0? I can't seem to find that page.

Comments

cog.rusty:

One way is to use the taxonomy_access module (TAC). It controls the access by user role and content category.

3 user roles: regular, Manager, Vice President
3 categories (defined as terms in a "departments" vocabulary): Marketing, Human Resources, Product Development.

When the content is created it is tagged with a department (or with more than one if needed)

Then you can control which roles can read, which can list (i.e. see the titles and the categories themselves) and which can create content tagged with each department. You can also control which roles can edit/delete *any* content under each category.

This looks 3-dimensional (roles, categories, actions).

-------

Edited to add: I have no idea how it scales performance-wise with more dimensions such as geographical divisions, but vocabularies are usually designed as hierarchical trees which can help make the logic manageable. Also, more than one vocabulary can be combined to grant access with an "OR" logic.

andynyc:

Thanks for replying.

That is an interesting thought, using vocabs to control access, however I see two downsides:

- underneath, you still need to create all the roles. In the 3x3 example, you need 9 roles. Add geography, and you need 27. Users would not be exposed to this, but the admin would need to keep track. Otherwise how would you distinguish access rights for VP Human Resources from VP Marketing, and also distinguish from Manager Human Resources.

- Because vocabs would be tied up with user roles, it would be difficult to actually use vocabs for what they are designed for. If you create content categories within Marketing for Product A, Product B, Sales Goals, etc, users might get confused if the menus for the categories and the menus for the access are all bunched together.

I could be wrong on exactly how TAC works... I will have to investigate further. But I do appreciate the time you took to reply.

cog.rusty:

An addition.

I understand that you would want a multidimensional model where the admin would not have to define all the "nodes" of the mesh, and that's why you multiply the roles.

Something which can help (or hinder in other cases) is that roles are ORed together when deciding access permissions. So, you don't need to say, for example, that Managers can read public content. You can just assign to Managers the extra things that they can do and say that this person is a Manager and a Regular User. If one of his roles can do something, then the user can do it.

Also with multiple categorization of the same content, granting a role access to only one of the categorizations is enough for access to the content. This can be both a shortcut and a pitfall.

But something more important for breaking the mesh to parts for content editing is the use of different named "content types" (story, article, financial report...). That is because each taxonomy category applies only to the content types which you have decided. So, a category won't give a user access to content of a type to which it does not apply. Also, the editor of content of a certain type will be able to tag it only with the relevant categories for this type -- won't see the whole mesh -- even if that editor has access permissions for more categories.

If all this sounds complicated it is because in Drupal usually it is up to the designer to create the logic from "lego blocks".

-----

Edited to add: Another module which you may find interesting for breaking up things is Organic Groups (OG). It has a bigger "out of the box" part for creating private groups with separate registered users. With the upcoming Drupal 5 it will be able to be combined with TAC or other access control modules. It could hold regional departments and the possibilities seem unlimited (in Drupal 4.7 you can use only one access control module).

(And an inside joke -- who had the idea to call taxonomy "categories" so that people are not scared? Now we have to convince people that marketing can be a category ;)
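A small model of the OR semantics described in the comment above (a user's roles are ORed, and a node's category tags are ORed, so any single matching grant is enough). This is an added example, not code from the thread or from the taxonomy_access module; the grant table and the role/term names are constructed to match the 3x3 scenario in the question.

```python
from itertools import product

# Constructed TAC-style grant table: (role, department term) -> operations allowed.
# Nothing is listed for a pair that has no grant; absence means "denied by this pair".
GRANTS = {
    ("vice_president", "marketing"): {"view", "list"},
    ("vice_president", "human_resources"): {"view", "list"},
    ("vice_president", "product_development"): {"view", "list"},
    ("manager", "product_development"): {"view", "list", "create"},
    ("regular", "marketing"): {"view", "list"},
}

ALL_ROLES = ("regular", "manager", "vice_president")


def allowed(user_roles, node_terms, op):
    """Grant op if ANY (role, term) pair shared by the user and the node permits it.

    This is the shortcut and the pitfall in one: a Manager who is also a Regular
    User gets the union of both roles, and a node tagged with a second department
    becomes readable by everyone who may read that second department.
    """
    return any(op in GRANTS.get((role, term), set())
               for role, term in product(user_roles, node_terms))


def access_audit(node_terms, op, roles=ALL_ROLES):
    """For a node's tags, report which roles can perform op and via which tag.

    A defender runs this before adding a tag: if a role appears only because of
    the new tag, that tag has widened access to the content.
    """
    report = {}
    for role in roles:
        via = {term for term in node_terms if op in GRANTS.get((role, term), set())}
        if via:
            report[role] = via
    return report


if __name__ == "__main__":
    pd_only = {"product_development"}
    print(allowed({"regular"}, pd_only, "view"))                  # False
    print(allowed({"regular"}, pd_only | {"marketing"}, "view"))  # True: second tag leaks
    print(access_audit(pd_only | {"marketing"}, "view"))
```

Running the audit on a node before and after adding a tag shows exactly which roles gain access through the OR logic, which is the check to make before using multi-tagging as a shortcut.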

cog.rusty:

About the new features in Drupal 5.0, I think they are listed in its CHANGELOG.txt file.