UserProtect and RoleAssign: Get real! User access permissions weigh a ton!

Client management of users and roles via UserProtect and RoleAssign modules.

Yes, we love the Drupal user registration and login system. But what if you want to allow a client role to manage their own users and roles without endangering your admin user accounts or the client admin user accounts themselves, while also protecting these administrative roles?

The short story: use UserProtect and RoleAssign. Use the UserProtect module to protect users and roles, as well as to provide administrator overrides to specific users. Use RoleAssign to grant permission to assign only specific roles to users. The tragic caveat is that a client user will need the 'administer users' permission to edit users, and this exposes the 'User settings page', which may be too much power for a client to wield.

Read on if you are interested in my quick and dirty notes on UserProtect and RoleAssign in Drupal 6.x.


UserProtect Module:

  • UserProtect Module page: http://drupal.org/project/userprotect
  • UserProtect Usage statistics: http://drupal.org/project/usage/userprotect
    • From the module home page: 'This module provides various editing protection for users. The protections can be specific to a user, or applied to all users in a role. The following protections are supported: username, e-mail address, password, status changes, roles, deletion, all edits (any accessed via user/X/edit)'
  • Read the README.txt & module page
  • Install UserProtect Module in /sites/all/modules/
  • Enable Other > User Protect
  • Config: Administer › User management › User Protect
    • Protected users: use defaults
    • Protected roles: (all admin, staff, or client admin roles for all account edits)
    • Administrator bypass:  add specific admin users who should have access to manage/edit all users
    • Protection defaults: use them
  • Set permissions for user editor role:
    • user module: access user profiles
    • user module: administer users
      • So they need the 'administer users' permission, but then the user has access to the Administer › User management › User settings page

RoleAssign module:

  • RoleAssign Module page: http://drupal.org/project/roleassign
  • RoleAssign Usage statistics: http://drupal.org/project/usage/roleassign
    • From the module home page: 'RoleAssign specifically allows site administrators to further delegate the task of managing user's roles. RoleAssign introduces a new permission called assign roles. Users with this permission are able to assign selected roles to still other users. Only users with the administer access control permission may select which roles are available for assignment through this module.'
  • Read the README.txt & module page
  • Install RoleAssign Module in /sites/all/modules/
  • Enable Other > RoleAssign
  • Config: Administer › User management › Role assign
    • "Users with both administer users and assign roles permissions are allowed to assign the roles selected below."
    • Assign any role(s) you want managed by a user, DO NOT assign any roles you want protected.
  • Set permissions for user editor role:
    • roleassign module: assign roles

misc. notes:

  • You DO NOT want to use AdminRole module as its settings are on the 'User settings page'!
  • The client user will need the 'administer users' permission to edit users and this exposes the 'User settings page'!
  • A good help page ./admin/help/userprotect
  • Lotsa details to the config on UserProtect module, check it out
  • UserProtect module is compatible with the RoleAssign module.
  • Usage statistics on RoleAssign show < 1000 users
  • Get Serious, this is about user access permissions! test test test!

Comments

See also http://drupal.org/project/secure_permissions if you want to store roles and permissions in code and disable the UI.

I am confused after reading this. So, does using these two modules in tandem help give people access to the administering users without exposing the full admin permissions?

With this setup and two modules you can create a user role which can then administrate other users. What's important is that specific roles and users can be protected from editing by the above role. Also specific roles can also be protected from being assigned, which was a problem with only the one module.

Ah, thank you for the clarification.

So, by using these two modules, one is able to give 'administer users' permissions to a particular role, but is also able to prevent that role from editing other roles (possibly with higher level permissions) and users. So the administer users permissions are restrictive, as they indeed should be. And, you can also prevent that user with admin perms from assigning similar perms to other, specific roles. Get it now.

Thanks for the article.

Hey, I read a lot of blogs on a daily basis and for the most part, people lack substance but, I just wanted to make a quick comment to say GREAT blog! I'll be checking in regularly now. Keep up the good work! :)

Hey! Last night I spent quite a bit of time fumbling around Drupal modules regarding user management looking for a proper solution to the exact problem you describe. On a fresh start today your article is the first I have come across, and it seems to be exactly what is required for the site I am developing. I will let you know how it goes tonight after I do some developing and testing.

Well, thank you very very very much for this great article. It put me directly on the right track, and now I also have knowledge of the powerful module UserProtect. The site now has a role that can create new users, only assign new users to roles allowed by me, all the while protecting the administrator roles within the site. PERFECT!

Everything worked great except one caveat, but perhaps I didn't follow you exactly. Below is the issue I ran into within the UserProtect Module step,
" - Protection defaults: use them"

Protection Defaults: I found I had to change the 'Administer bypass default' section within the Protection Defaults Tab from the default settings. All settings are actively checked by default, which means that any user with the site permission 'administer users' can actively bypass the user protection. This is why the 'Administer Bypass' Tab within the UserProtect Module should be used instead, as you list in your directions.

So Basically -
User management : User Protect : Protection Defaults Tab : Administrator Bypass Defaults : Uncheck all options : Save Configuration

Now when we create the role that will be able to edit user accounts and give it the site permission 'administer users', they won't be able to bypass the UserProtect protection since we removed all the enabled defaults for the 'Protection Defaults' Tab.

Thanks! -Drupaled
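
How the article's setup and the bypass-defaults caveat in the comment above interact, as an added example that is not part of the original post and is not code from either module. It is a simplified Python model: every class, field, role and account name is hypothetical, and the rule that a per-account bypass entry takes precedence over the defaults is an assumption.

```python
from dataclasses import dataclass, field

# Simplified model, not UserProtect/RoleAssign code; all names are hypothetical.
FIELDS = {"name", "mail", "pass", "status", "roles", "delete", "edit"}

@dataclass
class Site:
    role_perms: dict        # role -> permission names granted to it
    protected_roles: dict   # role -> protected fields (Protected roles tab)
    bypass_defaults: set    # Administrator bypass defaults (Protection defaults tab)
    admin_bypass: dict = field(default_factory=dict)  # account -> fields (Administrator bypass tab)
    assignable: set = field(default_factory=set)      # roles selected on the Role assign page

def has_perm(site, roles, perm):
    return any(perm in site.role_perms.get(r, set()) for r in roles)

def can_edit(site, actor, actor_roles, target_roles, fld):
    """May `actor` change `fld` on an account holding `target_roles`?"""
    if not has_perm(site, actor_roles, "administer users"):
        return False
    if not any(fld in site.protected_roles.get(r, set()) for r in target_roles):
        return True  # field is not protected for this account
    # Assumption: a per-account bypass entry takes precedence over the defaults.
    return fld in site.admin_bypass.get(actor, site.bypass_defaults)

def can_assign(site, actor_roles, role):
    """RoleAssign rule quoted on the page: both permissions and a selected role."""
    return (has_perm(site, actor_roles, "administer users")
            and has_perm(site, actor_roles, "assign roles")
            and role in site.assignable)

def report(bypass_defaults):
    site = Site(  # constructed sample site: one admin role, one client editor role
        role_perms={"site admin": {"administer users", "administer permissions"},
                    "client editor": {"administer users", "assign roles"}},
        protected_roles={"site admin": set(FIELDS)},
        bypass_defaults=set(bypass_defaults),
        admin_bypass={"root_admin": set(FIELDS)}, assignable={"member"})
    client = {"client editor"}
    return {
        "client edits admin password": can_edit(site, "client1", client, {"site admin"}, "pass"),
        "client edits member e-mail": can_edit(site, "client1", client, {"member"}, "mail"),
        "listed admin edits admin": can_edit(site, "root_admin", {"site admin"}, {"site admin"}, "pass"),
        "client assigns member": can_assign(site, client, "member"),
        "client assigns site admin": can_assign(site, client, "site admin"),
    }

if __name__ == "__main__":
    print(report(FIELDS), report(set()), sep="\n")
```

Only the first entry differs between the two runs: with every bypass default checked the client editor can change a protected admin's password, and with the defaults unchecked only the account listed on the Administrator bypass tab can.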

Thanks for the feedback, I will touch up my notes next time I enable this functionality.
