How to Manage User and Role Permissions in Drupal 8

This tutorial is all about managing users on your Drupal 8 site.

I’ll show you how to control who can do what on your site:

  • Who can create, delete, and edit content?
  • Who can upload modules and themes?
  • Who can modify menus and blocks?

You’ll also see how to make user accounts more interesting by allowing users to add more information about themselves.

Drupal Roles and Permissions Explained

Drupal users are defined by their role. Roles are defined by the permissions you assign the role. Drupal has three default roles:

  • Anonymous: Visitors to your site who are not logged into your site.
  • Authenticated: Anyone who has an account on your site and logs in is authenticated. The Authenticated role also serves as the minimum set of permissions that is given to all logged in users. Drupal sets some default permissions but you can change them.
  • Administrator: Users assigned the administrator role can do everything on the site.

You might be thinking that this is enough for your site, but just in case you have bigger plans, let’s take a look at how you fine-tune access to your account via three examples.

Creating an Article Writer

Start with the example of an Article writer. This will be a role to which you can assign users. If users are in this role, all they can do is write articles. There are four steps to make sure a user account is set up correctly:

  1. Add a role.
  2. Set the role permissions.
  3. Create a user.
  4. Test the user to make sure it has the correct permissions.

Following are those four steps.

  • Click “People” on the admin menu bar and then on the “Roles” tab.

  • Click “Add role”.
  • Type Article writer for the new role name.
  • Click “Save”.

Now that the Article writer role has been created, you need to decide what users in that role can and can’t do.

  • Click the Permissions tab to see the permissions available:

On the left side of the list, you can see the modules that have permissions settings. The modules are ordered alphabetically. Across the top of the list, you see the four roles that you have set up.

The permissions for the three default roles are already set. You can also see that some permissions for the Article writer role are already set. This is because those permissions have been given to the Authenticated User role. By default, if you grant a permission to the Authenticated role, all subsequent roles (except for Anonymous) inherit that permission. That is why the check marks for comments are grayed out and can’t be deselected.

Your article writer is going to need more permissions than those granted by default to the Authenticated role, so let’s get started.

  • Scroll down until you find the header Node. Remember that Node is Drupal’s geeky word for content.
  • At the top of the Node area, you see some admin-type permissions.

Scroll a little further to find the Article permission set. To keep things simple in this example, check all of the Article permission boxes:

  • Create new content
  • Delete any content
  • Delete own content
  • Delete revisions
  • Edit any content
  • Edit own content
  • Revert revisions
  • View revisions

  • To ensure the Article writer can “Add Content”, check the permissions box for “Use the administration toolbar”.

  • Click “Save permissions” at the bottom of the page.

Now let’s set up an actual user account for an Article writer.

  • Click the “List” tab at the top of the screen.
  • Click the “Add user” button.

As you can see by the absence of the red asterisk, an email address is not required. However, the email is necessary for the user to receive messages, such as password reset. If you have an email address, other than the one you used when creating your first account, enter it now, so that you can see the emails users will receive. Otherwise, leave it blank.

  • Username: articlewriter
  • Password: articlewriter
  • Roles: Check the “Article writer” box.
  • If you included an email address, check the box to “Notify user of new account”.
  • Click “Create new account”.

The fourth and final step is crucial. Permissions are a vital part of your site’s security, and if you don’t test your permissions, you could easily allow some users to do things that can compromise your site.

The following steps are a basic method for testing:

  • Open a browser where you are not already logged in.
  • Log in by going to http://[your_web_address]/user/login.
  • Observe that the menu bar to which you have grown accustomed is lacking in options. That is good. First test passed.

  • Click “Shortcuts” and then “Add content”.
  • The “Create Article” form appears immediately, with no other content types available. Test passed again!

There are limitations to this testing. Because you created the account and the password, you were able to log in as that person and test.

However, on a real site, it is neither feasible nor safe to know what your users’ passwords are. Instead, you can use a module called Masquerade to easily test any user account. Here’s how it works:

  • Make sure you are logged in using your main admin account.
  • Install the Masquerade module.
  • Go to “Structure” and then “Block layout”.
  • Place the Masquerade block at the top of the Secondary region.
  • Go to your homepage and you’ll find the Masquerade block and its search box.
  • Type in the name of the user you want to test and click “Switch”.

The Masquerade block disappears and an “Unmasquerade” link appears in the black menu bar at the top of the screen. Don’t worry: by default, this link appears only for administrators.

You can now browse the site and see exactly what an Article writer can see. Simply click the Unmasquerade link, and you’ll be back at the administrator account.

Creating a Moderator

Now let’s look at one more example of user permissions. Let’s set up a role called Moderator. People in this role can moderate comments and forum posts. These people help to make sure that your site is a pleasant and spam-free destination.

  • Go to “People”, “Roles”, and then “Add new role”.
  • Type Moderator for the Role name.

Next, we’ll set up the permissions:

  • Click the “Permissions” tab and scroll down until you find the Comment module.
  • Check the “Administer comments and comment settings” box in the Moderator column.

  • Scroll down until you find the Forum module and check the “Administer forums” box in the Moderator column. This allows the Moderator to rearrange the forum boards if needed.

  • Scroll down until you find the Node section.
  • Give Moderator permission to create, delete any, and edit any Forum nodes.

  • To ensure the Moderator can add content, check the permissions box for “Use the administration toolbar”.
  • Check the “View user information” box in the Moderator column. This can help the Moderator when advising the site administrator if an account needs to be blocked.
  • Click “Save permissions” at the bottom of the screen.

Now we can move on to create the Moderator account:

  • Click the “List” tab at the top of the screen and click “Add user”.
  • If you have yet another extra email account, enter it, otherwise, leave the email blank.
  • Username: moderator.
  • Password: moderator. You can set this to something more difficult if you want. Drupal warns you that this is a weak password.
  • Roles: Check the “Moderator” box.
  • Click “Create new account”.

Now it’s time to test the account:

  • Visit the front page of your site.
  • Use the Masquerade module to see the site as moderator.
  • Click “Forum” on the Main menu.
  • Access any forum topic, and you can edit or delete the topic.
  • If there is a comment on a topic, you can moderate it using the “Edit” and “Delete” links.

  • Click any user’s account name. The easiest account to find will probably be your main administrator account.

  • You’ll see the user profile. In the next part of the chapter, we’re going to make this look more interesting!
  • If you think the user needs moderating, click the “Edit” tab. You can change the user status from “Active” to “Blocked”. Please do not try this with your own administrator account!

You can grant your Moderator role permission to administer users (see the User section on the Permissions page). Note that this is a very powerful permission. If granted, any user with Moderator role can access any other user’s account and change its settings. Grant with caution.
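
An offline check to complement the manual testing described above, as an added example that is not part of the original tutorial: it reads role definitions shaped like Drupal's exported configuration files (user.role.<id>.yml), merges in the permissions inherited from the Authenticated role, and flags anything beyond the intended set. The sample YAML, the expected set and the HIGH_RISK list are constructed for illustration, and the permission strings are assumed to be the machine names behind the labels used in this tutorial.

```python
# Added example; constructed samples shaped like user.role.<id>.yml exports.
AUTHENTICATED_YML = """id: authenticated
permissions:
  - 'access comments'
  - 'access content'
  - 'post comments'
"""
MODERATOR_YML = """id: moderator
permissions:
  - 'access toolbar'
  - 'access user profiles'
  - 'administer comments'
  - 'administer forums'
  - 'administer users'
  - 'create forum content'
  - 'delete any forum content'
  - 'edit any forum content'
"""
# Intended Moderator permissions (assumed machine names for the UI labels).
MODERATOR_EXPECTED = {
    "access toolbar", "access user profiles", "administer comments",
    "administer forums", "create forum content",
    "delete any forum content", "edit any forum content",
}
# Permissions worth a manual review whenever a non-admin role holds them.
HIGH_RISK = {"administer users", "administer permissions",
             "administer modules", "administer site configuration"}


def parse_permissions(yml_text):
    """Return the items of the top-level 'permissions:' list as a set."""
    perms, in_list = set(), False
    for line in yml_text.splitlines():
        if line.startswith("permissions:"):
            in_list = True
        elif in_list and line.startswith("  - "):
            perms.add(line[4:].strip().strip("'\""))
        elif line and not line.startswith(" "):
            in_list = False  # the next top-level key ends the list
    return perms


def audit(role_yml, authenticated_yml, expected):
    """Report what a role can do beyond its intended permission set."""
    inherited = parse_permissions(authenticated_yml)  # every logged-in role gets these
    effective = parse_permissions(role_yml) | inherited
    return {"effective": effective,
            "unexpected": effective - expected - inherited,
            "high_risk": effective & HIGH_RISK}
```

Calling `audit(MODERATOR_YML, AUTHENTICATED_YML, MODERATOR_EXPECTED)` on the constructed sample reports `administer users` as both unexpected and high risk, which is the kind of drift the caution above is about.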

Want to Learn More Drupal 8?

After reading this tutorial, I’d recommend “How to Build User Profiles” which follows on directly from this point.

This tutorial was an extract from Drupal 8 Explained, the best-selling guide to Drupal 8. Grab a copy today to learn all the fundamentals of Drupal 8.


  • Steve Burge

    Steve is the founder of OSTraining. Originally from the UK, he now lives in Sarasota in the USA. Steve's work straddles the line between teaching and web development.

2 years ago

Hi 🙂 In Drupal 9 I can’t set rights. I created an author role, but I can’t set rights … I enter the rights section, but nothing is active there. What do I need to do? I am currently developing on XAMPP.

2 years ago
Reply to  Maria

Hi Maria,
This still works exactly the same in Drupal 9.

If you’re the Superuser (ID 1), there’s no reason why you shouldn’t be able to set permissions. Here’s a few things you can try:
1. Clear Cache – go to /admin/config/development/performance and click “Clear All Caches”. That will likely fix it.
2. If #1 didn’t work, check over the rest of the administration areas – you may have more wrong than just permissions.

Also – when you say “Active” – what do you mean – can you upload a screen shot please?

2 years ago

I enter through http://localhost/drupal-9.1.0/user/1. Now it shows this, it was gone yesterday, I’m attaching a photo. I have no rights to upload here, so this way 🙂 My goal is to assign rights to individual roles, but nothing is available.
