Have you ever wondered why corporate and government organizations trust Drupal with their critical information? There are many reasons, but one of the most significant is the security Drupal provides through its strong and granular user roles and permissions system. It is also fairly simple to create roles, assign permissions to them and so fine-tune the administration, use and security of your Drupal website.

Setting user roles and permissions is also crucial for a better experience for site managers and content creators, since each of them sees and can reach only the sections they need to work in. You add roles and then grant permissions to each role on the Permissions page, where the available permissions are listed module by module.

A better understanding of User roles and Permissions

Basically, a user role is a named set of permissions that you assign to users; a user who holds several roles gets the union of their permissions. Permissions are the individual actions (viewing content, posting comments, administering users and so on) that you allow or withhold for each role. Drupal never attaches a permission to an individual account, only to a role, so the roles you design are the whole access model.

By default, a standard Drupal installation creates three user roles:

  • Administrator
  • Authenticated User
  • Anonymous User

The Administrator role is given every permission automatically, including any that modules add later, and the first user account (user 1) bypasses permission checks altogether, which is why it is often called the root or superuser account. Be careful while working on your site with either of these, as even a small mistake can bring your whole site down. If you are not going to perform administrative duties, use an account whose roles only cover the sections you need. For example, if you only want to add content to your Drupal website, create a 'Content Creator' role and grant it nothing beyond the content permissions it needs (create, edit own and delete own for the relevant content types).

Authenticated users are users who have logged in to your Drupal website. Since they have taken the pain to register, you can grant them a few more permissions just to keep them happy (pun intended): typically the ability to create or modify some kind of content, with further permissions granted through additional roles based on who they are. Remember that every logged-in user holds the Authenticated user role on top of any other roles, so whatever you grant to it reaches every account on the site, including accounts registered by attackers or compromised later. It is always best to follow the principle of least privilege: give users the permissions they need to do their job and nothing more. Since you do not want to risk control of your critical information, and there will be plenty of people trying to break into your system, keep the authenticated role itself minimal and put anything more powerful into separate roles.

Anonymous users are visitors who are not registered or not logged in, and since that means anyone on the internet, including bots, they should be given the fewest permissions of all. Letting them view comments is fine, but letting them post comments is rarely a good idea, as you do not want unauthenticated users filling your website with spam or malicious content. If you do allow it, keep the 'skip comment approval' permission off the anonymous role so their comments are queued for moderation instead of being published immediately.

A few more best practices…

  • Always remember that a contributed module receives far less security review than Drupal core, and the permissions it defines are often not flagged as restricted, so they are not highlighted on the Permissions page. Enabling a module normally grants its permissions to no role, but some ship configuration that does, so review each module's permissions when you enable it and grant them to individual roles deliberately.
  • Be extra cautious when assigning permissions to the anonymous role. Drupal flags some critical permissions with the warning 'Give to trusted roles only; this permission has security implications', but plenty of dangerous ones carry no warning at all. Double check, always!
  • Don't grant for future needs. Give a role the permissions its present duties require, not the ones it might need someday; adding a permission later is easy, while taking one away after people rely on it is much harder.
  • Chalk out the various roles you need and what each of them should be able to do, and document them in the site itself so other Drupal developers understand the intent.
  • Test! The last and most important step is to test the roles you added and the permissions you granted them: log in as a test account that holds only that role and confirm both what it can do and what it cannot. Better safe than sorry, right?
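Double-checking anonymous grants and testing roles can be partly automated against a configuration export. The script below is an added example, not code from the original post or from the Drupal project. It reads the user.role.*.yml files that `drush config:export` writes for Drupal 8 and later, computes each role's effective permissions (every role except anonymous inherits whatever the authenticated role holds) and reports restricted permissions on non-administrator roles plus write permissions on the anonymous role. The role exports it runs over are constructed samples with deliberate mistakes, the RESTRICTED set is an assumed subset of the core permissions Drupal shows the warning for, and the small YAML reader only understands the flat layout of role exports.

```python
"""Audit exported Drupal role config (user.role.*.yml) for over-privilege.
Added example, not code from the original post or from Drupal: flags restricted
permissions on non-admin roles (own or inherited from 'authenticated') and
write permissions granted to anonymous visitors."""
from typing import Dict, List, Set, Tuple

# Core permissions Drupal marks "restrict access" (shown with a security
# warning on the Permissions page). Assumption: a subset; extend for your site.
RESTRICTED = {"administer permissions", "administer users", "administer modules",
              "administer site configuration", "bypass node access",
              "administer nodes", "administer content types"}
# No UI warning, but they let an unauthenticated visitor write to the site.
ANON_WRITE = {"post comments", "skip comment approval"}

# Constructed sample exports in the layout `drush config:export` produces.
# Deliberate mistakes: anonymous may post comments, and 'authenticated'
# (hence every logged-in role) has 'bypass node access'.
SAMPLE_EXPORTS = {
    "user.role.anonymous.yml": """\
dependencies:
  module:
    - comment
id: anonymous
label: 'Anonymous user'
is_admin: null
permissions:
  - 'access content'
  - 'post comments'
""",
    "user.role.authenticated.yml": """\
id: authenticated
label: 'Authenticated user'
is_admin: null
permissions:
  - 'bypass node access'
  - 'post comments'
""",
    "user.role.content_creator.yml": """\
id: content_creator
label: 'Content creator'
is_admin: null
permissions:
  - 'create article content'
  - 'edit own article content'
""",
    "user.role.administrator.yml": """\
id: administrator
is_admin: true
permissions: {  }
""",
}

def _scalar(value: str):
    value = value.strip().strip("'\"")
    return {"true": True, "false": False, "": None, "null": None}.get(value, value)

def parse_role_yaml(text: str) -> Dict:
    # Flat layout only: top-level scalars plus the permissions list, written
    # either as `{  }` or as `- 'item'` lines; nested blocks are skipped.
    role: Dict = {"permissions": []}
    in_perms = False
    for raw in text.splitlines():
        if in_perms and raw.lstrip().startswith("- "):
            role["permissions"].append(_scalar(raw.lstrip()[2:]))
            continue
        in_perms = False
        if not raw.strip() or raw[0] in " \t":
            continue  # blank, or an indented line of a nested block (dependencies)
        key, _, value = raw.partition(":")
        if key == "permissions":
            in_perms = value.strip() == ""  # "permissions: {  }" means none
        else:
            role[key] = _scalar(value)
    return role

def effective_permissions(roles: Dict[str, Dict]) -> Dict[str, Set[str]]:
    # Drupal gives every logged-in user the authenticated role's grants on top
    # of their own roles, so every role except anonymous inherits them.
    inherited = set(roles.get("authenticated", {}).get("permissions", []))
    return {rid: set(r["permissions"]) | (set() if rid == "anonymous" else inherited)
            for rid, r in roles.items()}

def audit(roles: Dict[str, Dict]) -> List[Tuple[str, str, str]]:
    # Returns sorted (role id, permission, reason) findings.
    findings, effective = [], effective_permissions(roles)
    for rid, role in roles.items():
        if role.get("is_admin"):  # holds every permission by design; odd elsewhere
            findings += [] if rid == "administrator" else [(rid, "*", "is_admin set on a non-administrator role")]
            continue
        own = set(role["permissions"])
        for perm in effective[rid] & RESTRICTED:
            origin = "granted directly" if perm in own else "inherited from authenticated"
            findings.append((rid, perm, f"restricted permission {origin}"))
        if rid == "anonymous":
            for perm in own & ANON_WRITE:
                findings.append((rid, perm, "lets unauthenticated visitors write"))
    return sorted(findings)

def audit_sample() -> List[Tuple[str, str, str]]:
    roles = [parse_role_yaml(text) for text in SAMPLE_EXPORTS.values()]
    return audit({r["id"]: r for r in roles})
```

To run it against a real site, replace SAMPLE_EXPORTS with a mapping built from the export directory, for example `{p.name: p.read_text() for p in Path(config_dir).glob("user.role.*.yml")}`, and feed the parsed roles to `audit()`. The report complements, rather than replaces, logging in as a test user: node access grants, Views filters and module-specific access checks are not visible in role configuration at all.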