5 Modules Allowing Drupal Users to Choose Permissions for Others

drupal user permissions

For large sites with large numbers of users, permissions can become a difficult issue.

One common situation is that site owners want to allow some users to control the permissions of other users.

In this tutorial, I’ll show you Drupal’s default user control permissions. Then I’ll show you 5 modules for creating more sophisticated user control permissions.

Default User Control Permissions

By default, Drupal has two permissions that allow you to modify other people’s accounts:

  • Administer permissions: this gives full access to change the permissions for every user role. You get access to the “Permissions” tab as shown below.
  • Administer users: this gives full access to change the account details for every user. You get access to the “List” tab as shown below.

In short, Drupal is not kidding when it says “this permission has security implications.”


#1. Administer Users by Role

Modules required:

Administer Users by Role allows to decide which roles can edit which other roles. For each role, you get 4 permissions:

  • Edit users with this role
  • Edit users with this role and others
  • Cancel users with this role
  • Cancel users with this role and others

It also allows you to control the important permission, Create new users.


One thing this module doesn’t allow you to control whether people can move users from role to another.

If you try to edit a user who you don’t have permission to edit, you’ll see this message:


#2. RoleAssign

Modules required:

The RoleAssign module is relatively straightforward and easy to set up. There is only one permissions provided by this module, the ability to assign roles:


Here’s how RoleAssign works. Once it’s enabled, click on teh People menu link and you’ll see a Role Assign link in the top-right corner.


In this Role assign area, you can choose which roles can be given out to other users. In the example below I’m allowing people to give out the administrator role. I don’t recommend trying this on a live site:


When you create or edit a user, you’ll now see a box labeled Assignable roles:


#3. Role Delegation

Modules required:

Role Delegation is very, very similar to RoleAssign.

This module allows site administrators to grant some roles the authority to assign selected roles to users, without them needing the administer permissions permission.


#4. User Settings Access

Modules required:

User Settings Access has a slightly confusing name which is a carryover from Drupal 6. The actual name of the module for Drupal 7 should be Account Settings Access

This module controls access to the Configuration > Account settings page which is located at /admin/config/people/accounts. Normally, permission to access this page is contained within the “Administer users” permissions. However, as we saw at the beginning of the article, “Administer users” allows you to everything about all users.

The User Settings Access module adds a specific permission only for this Account settings page. Here are the two permissions:

  • Administer account settings: This controls whether someone has access to the Account settings page.
  • Administer Administrator Role: This controls whether people have access to box “Administrator role” in the screen below.

#5. Subuser

Modules required:

As you can tell from the number of modules involved, Subuser is a significantly more powerful and complicated module than any of the others we’ve looked at so far.

Subuser also does something more sophisticated than the other modules we’ve looked at. Subuser allows you to create users and then have permission to manage them.

With the Subuser module you’re creating “parent” and “child” users. For example, an “Chief Editor” might create an “author” or a “Site Manager” might create a “intern”.

Here are the permssions provided by Subuser:


However, I’ll admit that I had a hard time trying to whip this module into shape. It’s only available in Alpha for Drupal 7, it’s used on less than 450 sites.

There were several bugs out-of-the-box. For example, if you see an error message that says “missing style plugin in views”. go to Settings > Views > edit the Subuser view > Choose a format for the view. That solves an message about a missing style plugin in views.

It also got me to the point where I could see the intent of the module. On user profile pages, there was now a Subusers tab:


Click on that tab and you can see the subusers assigned to you. The Add user link is here too.


However, those subusers were showing for everyone. Inside Views there seems to have been a relationship but now it’s marked Broken/missing handler. A possible solution seems to be here, but I couldn’t get it to work: https://drupal.org/node/1241934

All in all, Subuser is a potentially promising and powerful module, but there have been no updates for over a year and you’ll probably need to do quite a lot of troubleshooting to make it work.


  • Steve Burge

    Steve is the founder of OSTraining. Originally from the UK, he now lives in Sarasota in the USA. Steve's work straddles the line between teaching and web development.

    View all posts
0 0 votes
Article Rating
Notify of

Newest Most Voted
Inline Feedbacks
View all comments
10 years ago

Nice right up. I use Role Assign on two of the larger sites I have developed ([url=http://bottman.com]bottman.com[/url] & [url=http://rahnland.com]rahnland.com[/url]) to allow my client admin to manipulate user roles. But to make sure they never mess with my admin role or user, I always use [url=https://drupal.org/project/userprotect]user protect[/url] at the same time.

10 years ago
Reply to  timb

Thanks timb, That’s a great tip with User Protect.

Prem Tiwari
Prem Tiwari
9 years ago

Thanks for sharing this tutorial,it is very helpful.
Some more Drupal development information are available,click on this : [url=http://freewebmentor.com/category/drupal]http://freewebmentor.com/ca…[/url]

Would love your thoughts, please comment.x