An overview of Roles and Permissions can be obtained by opening the People page.
When you create a new CERN Drupal website, a predefined list of roles is automatically implemented:
- Anonymous User: All anonymous users.
- Authenticated User: All authenticated users regardless of their role.
- Administrator: Administrative access to the website.
- CERN Registered: Represents the currently active CERN primary accounts.
- CERN Shared: Represents the currently active CERN secondary and service accounts.
- HEP Trusted: HEP people registered in the CERN HR database, authenticated using HEP systems.
- Verified External: Ex-members of personnel, like retirees, former staff, etc.
- Unverified External: Anonymous unverified people (e.g. like external/lightweight accounts).
Creating and Assigning Roles
While the predefined roles accommodate most use-cases, it may be relevant to create a new role.
In order to create a new role:
- Visit <website_url>/admin/people/roles
- Click “Add role”
- Give a descriptive name to your role and save it
Now you have a new role. Users can be assigned this role and permissions can be applied.
Once a role has been created, permissions can be granted.
There are predefined permissions for almost every basic functionality of your website.
In order to grant a permission to a specific role:
- Visit <website_url>/admin/people/permissions
- Check which roles should have the permissions
- Save the page
- Visit <website_url>/admin/people/permissions/<role_machine_name>
- Check permissions for this specific role
- Save the page
The difference between the two solution is that using the first solution, you can give multiple permissions to multiple roles and using the second solution, you can give multiple permission to one role. CERN Drupal Websites also support CERN e-groups meaning that the admins of the websites can use this feature to assign roles to e-group. As such, the admins of a website can grant access to a group of users belonging to a specific e-group.
Common Use Cases
Use Case 1: Make another user a content editor
In this case, you want to give another user the ability to create new pages. Accordingly, you
- Create a Role, e.g. “Page Editor” (or any other name).
- Visit the Permissions page of the created role and grant access to editing content for this role.
- Create an e-group and bind it with the role, following the steps already mentioned.
- Add the user's e-mail, e.g. “email@example.com”, to the e-group.
Use Case 2: Make another user an admin
This case is easier to achieve but you, as an admin, need to be sure about what you try to achieve. The admin role has access to every part of the website and that consequently means that the users that are granted this role, have the ability to modify every aspect of the website. As a result, you need to be extra careful before making the decision to grant this role to a user. If you have doubts about this user, we recommend creating a custom role and granting only the specific permissions you want the user to have.
If you are sure that you want to grant admin access to a user, then the only procedure that you need to follow is to add this user to the admin e-group. For this use case, let’s assume that the Drupal website that we own is called “accelerating-science.web.cern.ch” and that the user’s email that we want to make an admin is “firstname.lastname@example.org”. By default, every CERN Drupal website comes with an e-group called drupal-admins-name_of_the_website and contains all the admins of the created website. So in our case, the e-group will be called “drupal-admins-accelerating-science” and in order to make the user an admin, the only thing that we need to do is to add “email@example.com” to the “drupal-admins-accelerating-science” e-group.
To sum up:
- Visit e-groups.cern.ch
- Find the drupal-admins-accelerating-science e-group
- Add firstname.lastname@example.org to this e-group