The goal of Access Control Kit (ACK) is to provide a customizable system for controlling access to all kinds of things in a Drupal site: nodes, taxonomy terms, menu items, and more. It will give site builders the flexibility to define access based on whatever conditions make sense for the site, while still providing an easy-to-understand UI for security administrators and regular users.
Why you'd want it
There are several outstanding access control modules already available (Content Access, Nodeaccess, Taxonomy Access Control, TAC Lite, Workbench Access, Menu Access, etc.), but many of them share a set of common problems:
- Most define their own view/add/update/delete/list permissions, which are incompatible with Drupal's built-in node permissions. This may make sense to the site builder, but can be confusing for whoever is tasked with managing user roles day-to-day.
- They don't tend to work well together, so you can only define node access by one scheme at a time.
- Most control access to content, but not content-related features like menu links or tags. You can install other modules to handle those, but there's usually no direct integration (i.e. Menu Admin per Menu doesn't know how to relate its controls to your TAC hierarchy), which complicates administration.
- They don't scale well when users need access to multiple sections of your site with differing levels of access in each. For example, let's say you have a news site, and your user Joe is an Editor (with the "edit any" permission) for the Business section, and a Contributor (with only the "edit own" permission) to the Sports section. If you don't want the "edit any" permission from Joe's Editor role to spill over into his work in Sports, you typically have two choices: (a) give up role-based access control and assign permissions directly per-user, or (b) create redundant roles per section (i.e. Business Editor, Business Contributor, Sports Editor, Sports Contributor). That's fine on a small site, but quickly becomes unmanageable when you have lots of users or lots of sections.
ACK will try to address these problems. Rather than defining its own permissions, it will work with Drupal's native roles and permissions by simply limiting where those permissions can apply (i.e. it uses privilege restriction, NOT privilege escalation). Different access control schemes will operate through a single API that works for both entities (node, terms, etc.) and non-entities (menu links). And it will provide a clean interface for adding new sections and assigning users to roles within those sections.
Access Control Kit is being developed for a large university site consisting of hundreds of users and departments, all sharing a single Drupal instance. It is the successor to the (badly named) Conditional Roles module, building on lessons learned in our deployment. The current development snapshot is not supported for use in production, but may still be useful to you. Please try it out, report bugs, and give feedback in the issue queue. A supported alpha is planned for release soon.