This is my second article in a set of articles devoted to user access control for Drupal-based sites. It is about roles that give access to certain parts of your Drupal site to site’s users. Depending on what your role is within the site, you can access certain features of the site.

It is up to you to decide which roles are best for the site, but before attempting this it is important to ask: What are roles and how are they used in the first place? To answer this question, let’s take a look at the practical side of things in more detail.

It may seem a bit odd that we begin with discussion of roles but not with the users. After all, it is all about what users can and cannot do! The problem with immediately talking about users is that the focus of a single user is too narrow, and we can learn far more about controlling access by taking a more broad view using roles. Once we have learned everything there is to know about roles, actually working with users becomes a trivial matter.

As mentioned, a user role in Drupal defines a set of rules that must be obeyed by all the users in that role. It may be helpful to think of a role as a character in a play. In a play, an actor must always be true to their character (in the same way a user must be faithful to their role in Drupal)—in other words, there is a defined way to behave and the character never deviates (no matter which actor portrays the character).

It is very easy to create a role in Drupal:

Click Administer > User Management item within the admin left navigation menu:

Then click Roles link:

You will be navigated to the Roles page:

As you can see, we have two roles already defined by default—the anonymous user and the authenticated user:

• Anonymous
  This is anyone who visits your site and who is not logged in as a user. By default, anonymous users can view your content. That’s really about all they can do by default.
• Authenticated User
  This is anyone who is logged in… including you, the administrator. If they are logged in, they are and Authenticated User. They have more access to your site by default, including posting comments.

The anonymous user has very few permissions set, and you would more than likely want to keep it this way, despite the fact it is possible to give them any and all permissions.

The authenticated user, by default, has only a few more permissions than the anonymous user, and it is also sensible to keep these to a minimum. We will see in a little while how to go about deciding who should have which permissions.

To add a new role, type in a name for the role and click Add role, and you’re done.

Now the Roles page should display the new role with the option to edit it, shown in the Operations column. Click edit role in order to change the name of the role or delete it completely.

Alternatively, click edit permissions to deal with the permissions for this specific role (we discuss permissions in the following article so let’s leave this for now).