If you have multiple user roles in your system and want a role other than administrator to manage certain roles, you might have found that splitting role management from other administrative permissions is not straightforward. This is a summary of how we solved that issue for one of our projects.
Let us say you have two business roles: moderator and editor. You want moderators to be able to give new users the editor role. Here is what you might do:
```shell
# Create the moderator role, a new user, and assign the user the moderator role.
drush role-create moderator
drush user-create sally --mail="email@example.com" --password="pass"
drush user-add-role moderator sally
# Create editor role and assign user
drush role-create editor
drush user-create jim --mail="firstname.lastname@example.org" --password="pass"
drush user-add-role editor jim
```
Next you would give the moderator role the following permissions:
- Access administration menu (the following is a dependency: Use the administration pages and help)
- View published content
- View the administration theme
You would also have to give moderators the following permissions in order for them to edit user roles:
- Administer permissions
- Administer users
Sally can now edit Jim's account. You will see that she can give Jim any of the available roles including administrator. In fact, she can edit her own account and make herself an administrator. This is probably not what you would want. Ideally, Sally should only be able to give Jim the "editor" role.
```shell
# Install new modules
drush en -y role_delegation
drush en -y administerusersbyrole
```
First remove the following permissions:
- Administer users
- Administer permissions (if you give this permission to moderators, they can give editors any of the available roles)
Now give moderators the following permissions:
- Access the users overview page
- Edit users with no custom roles
- Edit users with role editor
- View user profiles
- Assign editor role
[Screenshot: "Administer Users by Role" permissions]
[Screenshot: "Role Delegation" permissions]
Let us create a new user and see what Sally is able to do:
```shell
drush user-create brian --mail="email@example.com" --password="pass"
```
Sally can make Brian an editor only, as it should be.
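The following is an added example, not code from the original article or from either module: a shell check that reads a role's permission labels (one per line on stdin; how you export them from the site is assumed) and flags the ones this article shows let a moderator escalate. It goes slightly beyond the text by also flagging any "Assign ... role" or "Edit users with role ..." label for a role other than editor; the function names, variables and sample lists are constructed here.

```shell
# Added example: audit a role's permission labels against this article's setup.
# Input: one permission label per line on stdin (export method is assumed).
DELEGATED_ROLE="editor"   # the only role moderators may hand out

# Labels the article grants to moderators in the final configuration.
ALLOWED="access administration menu
use the administration pages and help
view published content
view the administration theme
access the users overview page
edit users with no custom roles
edit users with role ${DELEGATED_ROLE}
view user profiles
assign ${DELEGATED_ROLE} role"

is_allowed() { printf '%s\n' "$ALLOWED" | grep -qxF "$1"; }
# Prints one finding per line; returns 1 if any finding allows escalation.
audit_role_perms() {
  local perm norm rc=0
  while IFS= read -r perm; do
    # Normalise: lower-case and trim surrounding whitespace.
    norm=$(printf '%s' "$perm" | tr '[:upper:]' '[:lower:]' |
           sed 's/^[[:space:]]*//; s/[[:space:]]*$//')
    [ -n "$norm" ] || continue
    case "$norm" in
      "administer users"|"administer permissions")
        echo "ESCALATION: $norm"; rc=1 ;;
      "assign "*" role"|"edit users with role "*)
        is_allowed "$norm" || { echo "ESCALATION: $norm"; rc=1; } ;;
      *)
        is_allowed "$norm" || echo "UNEXPECTED: $norm" ;;
    esac
  done
  return "$rc"
}

# Constructed samples: the article's first attempt, then its final set
# (first attempt minus the two "Administer" permissions, plus the five new ones).
BEFORE="Access administration menu
Use the administration pages and help
View published content
View the administration theme
Administer permissions
Administer users"
AFTER=$(printf '%s\n' "$BEFORE" "Access the users overview page" \
  "Edit users with no custom roles" "Edit users with role editor" \
  "View user profiles" "Assign editor role" | grep -v '^Administer ')
printf '%s\n' "$BEFORE" | audit_role_perms || echo "-> moderator can escalate"
printf '%s\n' "$AFTER" | audit_role_perms && echo "-> delegation limited to ${DELEGATED_ROLE}"
```

Run it against the moderator role whenever permissions change; a non-zero exit status means the role can again grant itself or others more than the editor role.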