UserProtect and RoleAssign: Get real! User access permissions weigh a ton!
Tags:
- Drupal Planet
- Drupal
- UserProtect module
- RoleAssign module
- AdminRole module
- user
- roles
- permissions
- user management
Client management of users and roles via UserProtect and RoleAssign modules.
Yes we love the Drupal user registration and login system. But what if you want to allow a client role to manage their own users and roles with out endangering your admin user accounts, the client admin user accounts themselves and protect these administrative roles.
The short story is by using UserProtect and RoleAssign. Use the UserProtect module to protect user and roles as well as provide administrator overrides to specific users. Use RoleAssign to allow permissions to assign only specific roles to users. The tragic caveat is that a client user will need 'administer users permissions' to edit users and this exposes the 'User settings page' which may be to much power for a client to wield.
Read more if your are interested in my quick and dirty notes on UserProtect and RoleAssign in Drupal 6.x. -->
UserProtect Module:
- UserProtect Module page: http://drupal.org/project/userprotect
- UserProtect Usage statistics: http://drupal.org/project/usage/userprotect
- From the module home page: 'This module provides various editing protection for users. The protections can be specific to a user, or applied to all users in a role. The following protections are supported: username, e-mail address, password, status changes, roles, deletion, all edits (any accessed via user/X/edit)'
- Read the README.txt & module page
- Install UserProtect Module in /sites/all/modules/
- Enable Other > User Protect
- Config: Administer › User management › User Protect
- Protected users: use defaults
- Protected roles: (all admin, staff, or client admin roles for all account edits)
- Administrator bypass: add specific admin users who should have access to manage/edit all users
- Protection defaults: use them
- Set permissions for user editor role:
- user module: access user profiles
- user module: administer users
- So they need to administer users permissions, but then the user has access to the: Administer › User management › User settings page
RoleAssign module:
- RoleAssign Module page: http://drupal.org/project/roleassign
- RoleAssign Usage statistics: http://drupal.org/project/usage/roleassign
- From the module home page: 'RoleAssign specifically allows site administrators to further delegate the task of managing user's roles. RoleAssign introduces a new permission called assign roles. Users with this permission are able to assign selected roles to still other users. Only users with the administer access control permission may select which roles are available for assignment through this module.'
- Read the README.txt & module page
- Install RoleAssign Module in /sites/all/modules/
- Enable Other > RoleAssign
- Config: Administer › User management › Role assign
- "Users with both administer users and assign roles permissions are allowed to assign the roles selected below."
- Assign any role(s) you want managed by a user, DO NOT assign any roles you want protected.
- Set permissions for user editor role:
- roleassign module: assign roles
misc. notes:
- You DO NOT want to use AdminRole module as its settings are on the 'User settings page'!
- The client user will need 'administer users permissions' to edit users and this exposes the 'User settings page'!
- A good help page ./admin/help/userprotect
- Lotsa details to the config on UserProtect module, check it out
- UserProtect module is compatible with the RoleAssign module.
- Usage statistics on RoleAssign show < 1000 users
- Get Serious, this is about user access permissions! test test test!