I wrote up a document that talks about Drupal Permissions Control. A lot of people have been requesting it, and I'm beginning some implementation, but I thought that I'd write out exactly what I thought (based on experience, on reading other forum posts, etc.) permissions was. It's been called "access control", "security model", and so forth, but I lumped it under "permissions" in this document.

What I need is someone to help me review it - to get some comments and some feedback to be sure that this is exactly what people want to see. If we do it well, then we won't have to go back and fix it when people complain. I know that we're not trying to IMPRESS anyone, nor do we have any kind of deadline, but I personally think it's nice to know what we're doing before we go do it. So please take a look here and leave a comment as to what you think.

I've highlighted a few "open issues" below, but if anyone finds anything they'd like to comment on or add, please, please do. I really want to make sure that this is what people want to see in a Drupal system.

I'm planning to start implementation in small steps at a time - I'll probably start with introducing multiple user roles, then adding taxonomy permissions, then user groups, then node permissions, or something like that. In any case I'll probably use this document as a guide so I remember what I'm doing.

Thank you!

Full document: Drupal Permissions Control Requirements