Roles and permissions

When you create a new CERN Drupal website you get a predefined list of roles already implemented with the website.

  • Anonymous User: All anonymous users
  • Authenticated User: All authenticated users regardless of their role
  • Administrator: Administrative access to the website
  • CERN Registered: Represents the currently active CERN primary accounts
  • CERN Shared: Represents the currently active CERN secondary amd service accounts
  • HEP Trusted: HEP people registered in the CERN HR database, authenticating using their HEP systems (through Federation)
  • Verified External: Ex-members of personnel, like retirees, former staff, etc.
  • Unverified External: Anonymous unverified people, like external/lightweight accounts, Facebook/Google accounts, Federation accounts not verified

How to create a role and assign a user to it

Even though the sites come with predefined roles, website admins are able to create custom roles based on their needs. In order to create a new role:

  1. visit <website_url>/admin/people/roles
  2. Click on “Add role” 
  3. Give a descriptive name to your role and save it.
  4. Now you have a new role.

How to give permissions to a role

After you have created the new role, you are able to give permissions to this role. There are pre-defined permissions for almost every basic functionality of your website. In order to grant a permission to a specific role:

  1. visit <website_url>/admin/people/permissions 
  2. Check which roles should have the permissions
  3. Save the page


  1. Visit <website_url>/admin/people/permissions/<role_machine_name>
  2. Check permissions for this specific role
  3. Save the page

The difference between the two solution is that using the first solution, you can give multiple permissions to multiple roles and using the second solution, you can give multiple permission to one role.

CERN Drupal Websites also support CERN e-groups meaning that the admins of the websites can use this feature to assign roles to e-group. As a result, the admins of a website can grant access to a group of users, who belong to a specific e-group.

How to assign an e-group to a role

  1. Create a role using the process already described above
  2. Create an e-group on
  3. Visit <website_url>/admin/config/people/simplesamlphp_auth
  4. Click on “User Info and syncing” tab
  5. In the “Automatic role population from simpleSAMLphp attributes” field associate the role with the e-group by adding at the end of the string “|<role_machine_name>:egroups,=,<e_group_name>”
  6. Save Configuration
  7. Clear caches and re-open your browser.
  8. Now you are ready to add new members to your e-group which will have the permissions that you have assigned to the e-group. 

Be extra careful in step 5 as you should assign the the machine name of the role and not the name of the role. In order to find the role you need to visit the role page, like the image below.

Picture indicating how to find a machine name of a role

Use cases

Use Case 1: Make another user a content editor

Let’s assume that I own a website and I want to make another user content editor to give him/her the ability to create new pages. Also, let’s assume that the new role is called “Page Editor” and the user’s e-mail is “”.
The steps I follow in order to accomplish the above scenario are:

  1. Create a Role called “Page Editor”
  2. Visit the Permissions page of the created role and grant access to editing content for this role. Most of the times, when it’s about a content editor role, the permissions we grant are related to creation and editing of content, so be careful on what kind of permissions you grant.
  3. Create an e-group and bind it with the Role, following the steps already mentioned.
  4. Add the e-mail “” in the group.
  5. Dont forget to clear the caches!

Use Case 2: Make another user an admin

This case is easier to achieve but you, as an admin, need to be sure about what you try to achieve. The admin role has access to every part of the website and that consequently means that the users that are granted this role, have the ability to modify every aspect of the website. As a result, you need to be extra careful before making the decision to grant this role to a user. If you have doubts about this user, it’s better if you create a new custom role, grant specific permissions for this role and add the user to the role following the steps we described in the previous use case.

If you are sure that you want to grant admin access to a user, then the only procedure that you need to follow is to add this user to the admin e-group. For this use case, let’s assume that the Drupal website that we own is called “” and that the user’s email that we want to make an admin is “”. By default, every CERN Drupal website comes with an e-group called drupal-admins-name_of_the_website and contains all the admins of the created website. So in our case, the e-group will be called “drupal-admins-accelerating-science” and in order to make the user an admin, the only thing that we need to do is to add “” to the  “drupal-admins-accelerating-science” e-group. 

To sum up:

  1. Visit
  2. Find the drupal-admins-accelerating-science e-group
  3. Add to this e-group
  4. Done! Don’t forget to clear the caches.