It may seem a bit odd that we are not beginning our practical look at access control with a discussion on users. After all, it is all about what users can and cannot do! The problem with immediately talking about users is that the focus of a single user is too narrow, and we can learn far more about controlling access by taking a more broad view using roles. Once we have learned everything there is to know about roles, actually working with users becomes a trivial matter.
A user role, in Drupal, is akin to a character in a play. In a play, an actor must always be true to their character—in other words, there is a defined way to behave and the character never deviates (no matter which actor portrays the character), otherwise the illusion is broken. In the same way, Drupal allows defined roles that determine the behavior of a user. Creating a role in Drupal is very easy! Simply click the access control link under administer and select the roles tab to bring up the following simple interface:
As you can see, we have two roles already defined by default—the anonymous user and the authenticated user. It is not possible to change these, and so the Operations column is permanently set to locked. To begin with, the anonymous user (this is any user who is browsing the site without logging in) has very few permissions set, and you would more than likely want to keep it this way despite the fact that it is possible to give them any and all permissions.
Similarly, the authenticated user, by default, has only a few more permissions than the anonymous user, and it is also sensible to keep these to a minimum. We will see in a little while how to go about deciding who should have which permissions.
In order to add a new role, simply type in a name for the role and click Add role, and you're done! But what name do you want to add? That's the question! If you are unsure about what name to use, then it is most likely you haven't clearly defined what purpose you want that role to serve. To see how this is done, let's assume that the Contechst Wildlife Community requires a forum moderator who will be a normal user in every way except for the ability to work directly on Conservation forums (to take some of the burden of responsibility off the administrator's hands) to create new topics and to edit the content if necessary.
So, to get the ball rolling, we type in Forum Moderator user and click Add role—actually, you might even want to be more specific and use something like Conservation Forum Moderator user in this case, but you get the general idea. That's it! We have added the role successfully. Now, when you are presented with the roles page you should be able to view the new role, with the option to edit it shown on the right-hand side of the page. You can click edit in order to change the name of the role or delete it completely.
Our work is just beginning, because now we need to grant or deny the various permissions that the Forum Moderator user role will need in order to successfully fulfill its purpose. New roles are not given any permissions at all to begin with—this makes sense if you think about it, because the last thing we want is to create a role only to find that it has the same permissions as the administrative user.
The chances are you will need to add several roles depending on the needs of the site. For the moment, let's move on and take a look at how we flesh out this new role by setting permissions.