I plan to create a set of articles devoted to user access control for Drupal-based sites. This article would be the first in the cycle. It provided a good grounding in the basics of controlling access to your site’s content.

When you think about how your site should work, focus in on what will be required of yourself, other community members, or even anonymous users. For instance:

• Will there be a team of moderators working to ensure that the content of the site conforms to the dictates of good taste and avoids material that is tantamount to hate speech, and so on?
• Will there be subject experts who are allowed to create and maintain their own content?
• How much will anonymous visitors be allowed to become involved, or will they be forced to merely window shop without being able to contribute?

Some of you might feel that the site should grow organically with the community, and so you want to be extremely flexible in your approach. However, you can take it as given that Drupal’s access policies are already flexible, given how easy it is to reconfigure, so it is good practice to start out with a sensible set of access rules, even if they are going to change over time. If you need to make modifications later, so be it, but at least there will be a coherent set of rules from the start.

The first and foremost rule of security that can be applied directly to our situation is

Grant a user permissions sufficient for completing the intended task, and no more!

Our entire approach is going to be governed by this rule. With a bit of thought you should be able to see why this is so important. The last thing anyone wants is for an anonymous user to be able to modify the personal blog of a respected industry expert. This means that each type of user should have carefully controlled permissions that effectively block their ability to act outside the scope of their remit.

One upshot of this is that it is better to create a larger number of specific roles, rather than create a generic role or two, and allow everyone to use those catch-all permissions.

A role constitutes a number of permissions that define what actions any members of that role can and can’t perform.

We will explore roles in detail in the next section!

Drupal gives us fine-grained control over what users can accomplish, and you should make good use of this facility. It may help to think of your access control using the following figure (this does not necessarily represent the actual roles on your site—it’s just an example):

The shaded region represents the total number of permissions available for the site. Contained within this set are the various roles that exist either by default, like the Anonymous users role, or those you create in order to cater for the different types of users the site will require—in this case, the Blog Writer users and Forum Moderator users roles.

From the previous diagram you can see that the Anonymous users role has the smallest set of permissions because they have the smallest area of the total diagram. This set of permissions is totally encapsulated by the Forum Moderator users and Blog Writer users—meaning that forum moderators and blog writers can do everything an anonymous user does, and a whole lot more.

Remember, it is not compulsory that forum moderators encapsulate all the permissions of the anonymous users. You can assign any permissions to any role—it’s just that in this context it makes sense that a forum moderator should be able to do everything an anonymous user can and more.

Of course, the blog writers have a slightly different remit. While they share some privileges in common with the forum administrators, they also have a few of their own. Your permissions as the primary or administrative user encompass the entire set, because there should be nothing that you cannot control.