UserProtect and RoleAssign: Get real! User access permissions weigh a ton!

Client management of users and roles via UserProtect and RoleAssign modules.

Yes we love the Drupal user registration and login system. But what if you want to allow a client role to manage their own users and roles with out endangering your admin user accounts, the client admin user accounts themselves and protect these administrative roles.

The short story is by using UserProtect and RoleAssign. Use the UserProtect module to protect user and roles as well as provide administrator overrides to specific users. Use RoleAssign to allow permissions to assign only specific roles to users. The tragic caveat is that a client user will need 'administer users permissions' to edit users and this exposes the 'User settings page' which may be to much power for a client to wield.

Read more if your are interested in my quick and dirty notes on UserProtect and RoleAssign in Drupal 6.x. -->


UserProtect Module:

  • UserProtect Module page: http://drupal.org/project/userprotect
  • UserProtect Usage statistics: http://drupal.org/project/usage/userprotect
    • From the module home page: 'This module provides various editing protection for users. The protections can be specific to a user, or applied to all users in a role. The following protections are supported: username, e-mail address, password, status changes, roles, deletion, all edits (any accessed via user/X/edit)'
  • Read the README.txt & module page
  • Install UserProtect Module in /sites/all/modules/
  • Enable Other > User Protect
  • Config: Administer › User management › User Protect
    • Protected users: use defaults
    • Protected roles: (all admin, staff, or client admin roles for all account edits)
    • Administrator bypass:  add specific admin users who should have access to manage/edit all users
    • Protection defaults: use them
  • Set permissions for user editor role:
    • user module: access user profiles
    • user module: administer users
      • So they need to administer users permissions, but then the user has access to the: Administer  › User management  › User settings page

RoleAssign module:

  • RoleAssign Module page: http://drupal.org/project/roleassign
  • RoleAssign Usage statistics: http://drupal.org/project/usage/roleassign
    • From the module home page: 'RoleAssign specifically allows site administrators to further delegate the task of managing user's roles. RoleAssign introduces a new permission called assign roles. Users with this permission are able to assign selected roles to still other users. Only users with the administer access control permission may select which roles are available for assignment through this module.'
  • Read the README.txt & module page
  • Install RoleAssign Module in /sites/all/modules/
  • Enable Other > RoleAssign
  • Config: Administer › User management › Role assign
    • "Users with both administer users and assign roles permissions are allowed to assign the roles selected below."
    • Assign any role(s) you want managed by a user, DO NOT assign any roles you want protected.
  • Set permissions for user editor role:
    • roleassign module: assign roles

misc. notes:

  • You DO NOT want to use AdminRole module as its settings are on the 'User settings page'!
  • The client user will need 'administer users permissions' to edit users and this exposes the 'User settings page'!
  • A good help page ./admin/help/userprotect
  • Lotsa details to the config on UserProtect module, check it out
  • UserProtect module is compatible with the RoleAssign module.
  • Usage statistics on RoleAssign show < 1000 users
  • Get Serious, this is about user access permissions! test test test!

Comments

See also http://drupal.org/project/secure_permissions if you want to store roles and permissions in code and disable the UI.

I am confused after reading this. So, does using these two modules in tandem help give people access to the administering users without exposing the full admin permissions?

With this setup and two modules you can create a user role which can then administrate other users. What's important is that specic roles and users can be protected from editing by the above role. Also specific roles can also be protected from being assigned, which was a problem with only the one module.

Ah, thank you for the clarification.

So, by using these two modules, one is able to give 'administer users' permissions to a particular role, but is also able to prevent that role from editing other roles (possibly with higher level permissions) and users. So the administer users permissions are restrictive, as they indeed should be. And, you can also prevent that user with admin perms from assigning similar perms to other, specific roles. Get it now.

Thanks for the article.

Hey, I read a lot of blogs on a daily basis and for the most part, people lack substance but, I just wanted to make a quick comment to say GREAT blog!.....I"ll be checking in on a regularly now....Keep up the good work! :)