On Delegating Role Delegation

I've been working through building a site with one of my pastors to replace our church's dated Drupal 5 site. Early on, I talked him through the process of figuring out what kinds of content he new site would include and how users should interact with that content. This forced him to define what I would implement as node types, user roles, and a handful of flags, Views, and who knows what else.

While the site develops, I want him to have the freedom to setup members of the church as content creators and site administrators without having to ping me every time a new user needs a role. Unfortunately, to give him that ability, I'd have to give him the permission to administer all user permissions. In other words, I'd be introducing clutter for any other site administrators (who really don't need to know what "permissions" are in Drupal speak) and the possibility that someone might grant unsafe permissions to users without me knowing about it.

I quickly imagined a module that would include a single permission along the lines of "grant users roles" and put the role element on user edit forms just like it would appear for users with "administer permissions." I was about to look for the form code in the user module when my Spidey sense started to tingle. A quick search turned up the Role Delegation module. It does exactly what I needed... no more, no less. Happy day! I recommend its use to anyone with a similar need, and I'd loooove to see this permission included in Drupal 8.

Kudos to David Lesieur for a handy utility module that makes it easier for site builders to empower site administrators without overwhelming them or introducing a security weakness.

Topics: 

Comments

Role Delegation is a great module. I like how you can assign certain roles the ability to manage a subset of the overall role list. I recently came across a situation though where Role Delegation would simply have led to me creating more roles than necessary, however I figured out a solution using Groups + Rules. It piggy backed on functionality that was already in the site and removed users from even having to think about roles.

I'm going to piggy-back on my own article and say it's also annoying that I can't display the "Authoring information" fieldset or "Publishing information" fieldset without granting users "administer nodes" permission. Tongue

There's a module for that! Override Node Options provides permissions for each field within the Authoring information and Publishing options fieldsets on the node form.

Awesome! This should be another must have for Drupal 8. I might have to go on a permissions crusade...

Indeed. I'm using Role Delegation on many many sites as well.

For D7, I ensured that Role Delegation can do its nicety on the user account form itself. Not sure whether David already knows about that, but it will make this module much more convenient (UX as always, no separate page/UI).

Great, I didn't know about the Node Delegation module. Could be very useful indeed.
For a slightly different use case where I wanted to give some people the permission to access the permissions screen, but not change *all* permissions, I created the Permissions Lock module.
I'm surely gonna add the Node Delegation module to my toolset to have more fine grained control over roles & permissions.