Last updated July 26, 2012. Created by NancyDru on February 19, 2007.
Edited by nflowers1228, flip, skessler, figaro. Log in to edit this page.

One of the great features of Drupal is the ability to control how and what people can access on your site. You can set permissions for these "users" to define who can do what for Drupal core features and contributed modules. For example, you probably won't want casual visitors to edit your homepage. However, the site owner or trusted user should be able to do so. To learn more about the term "user", learn about Differentiating the Four Different Kinds of "Users" Encountered When Installing Drupal.

Drupal allows you to setup any number of different kinds of users or 'Roles'. Many websites have editor and site administrator roles; editors to make content updates and site admins to install new modules and make larger configuration changes.

Out of the box, Drupal recognizes two types of site visitors - those who are logged in (or 'Authenticated' users) and those who are not (or 'Anonymous' users). The exception is the first user created (user/1) -see here. Although it is not necessary, many sites have additional levels of users.

Managing roles in Drupal 5.x and 6.x

To create or edit a role, click Administration > User management > Roles.
To create or edit a user, click Administration > User management > Users.
To specify the permissions for a role, click Administration > User management > Permissions.

To add editors to your site, you will first need to create an editor role. Click Administration > User management > Roles. Type in the name of your new role (e.g. 'editor') and click 'Add role'.

To add a new 'editor' user, go to Administration > User management > Users and click the 'Add User' tab. After typing the username and email address, enable the 'editor' checkbox and click 'Create new account'.

Finally, you can configure permissions for editors at Administration > User management > Permissions. To give editors the ability to edit any page within the site, scroll down the permissions page and click the checkbox next to 'edit any page content'.

Managing roles in Drupal 7

To create (or edit) a role, navigate to the Roles Page People > Permissions tab > Roles tab . Like the example above, in 5.x and 6.x, Type in the name of your new role (e.g. 'editor') and click 'Add role'.

Adding 'editor' role

Having created the 'editor' role, now, create a user. Navigate to the People Page People and click '+ Add user'

Adding a new 'editor'

After typing the username and email address, enable the 'editor' role by selecting 'editor from roles and click 'Create new account'.

Be sure to select the 'editor' role

Finally, you can configure permissions for editors at People > Permissions tab. To give editors the ability to edit any page within the site, scroll down the permissions page and click the checkbox next to 'edit any' for each content type.

Set the 'edit any' permissions for the new 'editor' role

Looking for support? Visit the Drupal.org forums, or join #drupal-support in IRC.

Comments

I'm having some issues with permissions and was wondering if there is a specific rule regarding precedence.

For example, if authenticated users have permissions to do more than say 'sample-role'. Which one will take precedence?

Essentially all permissions are merged into what the user experiences. So if a user is logged in as "sample-role" they get everything an "authenticated user" can do PLUS whatever "sample-role" allows. So if you want some users restricted from something, "authenticated user" should be the lowest level of permissions and other roles should increase their permissions.

Perhaps this document should include a quick reference to the special user #1, and an explanation of why/how that user is special. I think this would put the concept of "roles" in perspective, since the only user that a new reader is familiar with doesn't exactly fit in either of the two mentioned user types.

edit - modified document to mention user/1

any detail on what specific permissions do? like what does "display drupal links" do under Access control permssions?? It be nice to have a list with definitions.

The bad news: In D6, unless the maintainer makes a point of telling you, no there's not any way of knowing without digging into the module.

The good news: In D7, a developer can add a description to the permissions. It may take a while before most do though (hint: that's what issue queues are for).

Can anyone tell me if there is an upper limit on the number of user/roles?

Thanks

Sam

There is no design limit, but both could have some impact on performance, probably roles more than users.

Hi,
We changed our editorial policy which forced me to change permissions for the "blogger" role and take away their ability to "publish own blogpost content." However, one of our bloggers was able to publish something yesterday after I did make that change. I went and looked at user->permissions to confirm that I saved the changes and it shows that blogger does not have the ability to publish own blogpost content (or anything else for that matter).

Do I need to clear caches? Do I need to have the log out and log back in? Is there something else?

This is on Drupal 6.x

Thanks for the help
Charlie

www.sustainableindustries.com
(New Drupal-powered version under development)

The permission is checked when they begin the create content process. If they then wait (even hours), they still have already been granted permission. If you can confirm that they had a page build other than that after you changed the permissions, then you can open a core issue.

And it rarely hurts to clear caches when doing a significant admin action.

Drupal 7: I have a large list of organization members in an excel spreadsheet that I would like use to quickly upload to create user accounts on the Web site. is that doable? Their initial default password is their last name/first initial.

Feeds provide you with functionality of uploading users in csv files.

I created a new role 'non validated user'. The new role hierarchy is -

Anonymous user
authenticated user
non validated user -->> new role created by me
admin

Based on the comments in this discussion thread it seems that this role should inherit all permissions for authenticated user + some others (set for this role) . But i am observing that my role permissions are completely disconnected from authenticated user permissions i.e no matter what is set for authenticated user, i need to repeat the same for this role too. Is this correct or a bug?

Please note that another role created by me 'validated user' behaves as expected i.e its auth user permission + its own

I am on drupal version 7.18

Another observation is that on the /admin/people page I do not see the role 'non validated user' listed under the update option - "add a role to the selected users" while the second custom role is seen.

Is something wrong with the way i created the new role? Please help.

Roles are not hierarchical. Logged in (authenticated) users get whatever permissions you set. The "non validated user" will get whatever permissions are set for that role. If "non validated" users are logged in, then they should get both. That is, roles are additive.

thanks NancyDru.

Second part of the problem is I am not able to assign this new role to my users from the admin/people page, as I do not see the role 'non validated user' listed under the update option - "add a role to the selected users". I can see the other custom roles.

What am I missing here?

thanks in advance.
vsaroha

First, try clearing the cache. Then try adding it in the user edit page. If neither of those work, delete the role and re-add it.

This is typically the behavior of the "Non-authenticated" role with Login Toboggan :
* The "Non-authenticated" role is hidden from the user profile
* The "Non-authenticated" role is not checked with "Authenticated user" into admin/people/permissions.

Nancy, it seems like the questioner was saying non-validated user SHOULD get authenticated permissions plus non-validated permissions, but was not.

Based on the comments in this discussion thread it seems that this role should inherit all permissions for authenticated user + some others (set for this role) . But i am observing that my role permissions are completely disconnected from authenticated user permissions i.e no matter what is set for authenticated user, i need to repeat the same for this role too. Is this correct or a bug?

Your answer says "they should get both." What am I missing here?

Thanks.

This is one of those cases where I find it hard to debug without seeing it. I have certainly never seen a situation such as described. The fact that he cannot assign the role to a user kind of tells me that something is quite screwed up. I would probably delete the role and recreate it and see if that fixes everything.

I'd like Drupal.org to enhance learning for site administration by pasting pictorial screenshots of the server section in addition to every detail in the Administrative guides. Thanks!

D8