Support for Drupal 7 is ending on 5 January 2025—it’s time to migrate to Drupal 10! Learn about the many benefits of Drupal 10 and find migration tools in our resource center.After enabling the module, go to Administration > People > Permissions (http://example.com/admin/people/permissions) to configure the module's permissions.
Module Permissions
The Domain Access module has the following permissions:
Administer domain records and settings
This permission allows users to create and manage domain records and settings.
Access inactive domains
This permission allows users to navigate to domains which are marked as inactive. Users with this permission may also assign content to an inactive domain.
Assign domain editors
This permission allows users to assign themselves and other users as affiliate editors. For those users to act as editors, their role(s) must also have the 'Edit any content on assigned domains' permission.
Edit any content on assigned domains
This permission is for advanced use and substitutes for the normal 'Bypass content access control' permission for sites that give restricted administrative privileges. (See "Advanced usage", below for more information.)
Delete any content on assigned domains
This permission is for advanced use and substitutes for the normal 'Bypass content access control' permission for sites that give restricted administrative privileges. (See "Advanced usage", below for more information.)
Set domain access status for all content
This permission is key. Users with this permission will be given a user interface for assigning users and nodes to specific domains. Users without this permission cannot assign domain access; their nodes will automatically be assigned to the currently active domain.
For example, if a user has this permission and creates a book page on one.example.com, the user will be given a series of options to assign that book page to any or all of the registered domains on the site. If the user does not have this permission, the book page will only be shown to users who are on http://one.example.com.
Publish content only from the default domain
This permission provides a limited set of options for users to create and edit content on your site. Before being presented the editing form, users will be taken to the root domain. If the node is not visible on the root domain, the user may not be able to edit the node.
Publish content only from assigned domain
This permission provides a limited set of options for users to create and edit content on your site. Before being presented the editing form, users will be taken to the first domain assigned to their user account. This function is most useful when you users are only allowed to enter content from a single domain.
Note that for users who have more than one assigned domain, this option will take them to the first match and the user will not be allowed to change the domain affiliation.
The advantage of this option is the user cannot modify the URL of a content edit form to match the URL of other domains, forcing all of her posts to be made to a single domain. Users trying to enter content from another domain will always be transferred to their assigned domain.
In effect, a user assigned to 'one.example.com' will only be able to post to that domain, even if she clicks Create Content from two.example.com.
Publish content to any assigned domain
This permission provides a limited set of options for users to create and edit content on your site. The node editing form is shown normally, and the user is presented a list of checkboxes or a multiple select list. These options represent the affiliate domains that the user is allowed to publish content to, according to the domains assigned to their user account.
Note that if this option is selected, users will also be shown a list of affiliates to which the node is assigned. This list shows only the affiliates that the user cannot edit.
Warning: If this option is selected and the user has no domain publishing options, the user will not be allowed to post or edit!
NOTE: Users who are assigned _none_ of these permissions and cannot 'Set domain access status for all content' will have the default form values passed as hidden fields. This setting is the default option. It will assign all content to the domain from which the form is entered.
Note also that the user is not given the ability to promote content to 'all affiliates'. Users who need this ability should be given the 'set domain access' permission instead.
This feature was added in response to #188275: Restrict node creation to assigned domains.
Normal Usage
Under a normal Drupal site, a single administrator (or a handful of equally trusted administrators) typically have the 'Bypass content access control' permission and individual 'TYPE: edit all content' permissions.
The only choices for permissions would be who gets to administer the module settings and who gets to assign nodes to specific domains. Generally, only users who you trust to 'administer site configuration' should be given the 'Administer domain records and settings' permission. As for 'set domain access,' that can be given to any user you trust to use the UI properly.
Advanced Usage
In the event that you wish to segregate which content certain editors can control, you should not use the normal 'edit any TYPE nodes' and 'delete any TYPE nodes' permissions provided by Drupal's core Node module. These permissions grant the ability for a user to edit and delete all nodes of a given type.
In the Domain Access model, these permissions are not used in favor of the provided 'Edit any content on assigned domains' and 'Delete any content on assigned domains' permissions. These permissions allow editors only to edit (and delete) nodes that belong to their domain.
To enable this feature, you should grant the 'Edit any content on assigned domains' and (optionally) the 'Delete any content on assigned domains' permission to some roles. Then assign individual users accounts to specific domains to assign them as Domain Editors.
NOTE: Users with the 'Delete any content on assigned domains' permission must also be given the 'Edit any content on assigned domains' permission in order to delete content due to the location of the delete form in Drupal.
Limitations
Due to the way node_access() works, the following limitations should be noted.
- Any node that is assigned to more than one domain can be edited by any editor who belongs to one of the domains.
- Users who look at the sites and have the 'Bypass content access control' permission can always see all content on all sites, which can be confusing. To enforce Domain Access rules on these users, you may enable the 'Enforce rules on administrators' setting described in 4.3.3.
- Users who have the 'edit any TYPE nodes' permission will be able to edit nodes that do not belong to their domain.
These limitations are due to the permissive nature of node_access(). If any access rule grants you permission, it cannot be taken away.
