Drupal - Drupal 7 - Give permission to manage users but not permissions

I had the exact same requirement, and I was able to use the Roles Delegation module to build it to perfection :-)

Here is my scenario to give you more context -

  1. I had a drupal site with roles - A, B, C, Admin, Maint
  2. I wanted users with role Maint to be able to create new users and also assign them roles while doing so
  3. I also wanted to limit Maint users to be able to assign only roles A, B, C to the new users and not the role Admin
  4. All of it was just a few clicks with the Roles Delegation module

Hope this helps.


Hmmm... Interesting that there does not seem to be a clear cut way to do this. This seems like it could be a common feature for people. I found a couple solutions:

http://drupal.org/project/protect_permissions - However, this is not yet ready for production use.

However, I think you can accomplish what you want with: http://drupal.org/project/permissions_lock

You will also need: http://drupal.org/project/user_permissions

The later seems to do the opposite of what you want but the former seems to do exactly what you want. I have not tested either of these on my dev site to ensure 100% this is what will work for you. If I come across anything else I will update this answer.


Roles delegation leaves a security hole. You need to assign people the administer users for them to be able to use the administration page and the tools it has.

But if you do so, then that role will be able to edit even superadmin. Check Beware of Drupal's Administer users permission for a full description.

My solution is roles delegation + this hook


function hook_user_presave(&$edit, $account, $category) {
    if( $account->uid == 1 || in_array('adminrole',$account->roles)){ //trying to edit an admin
        global $user;
        if($user->uid != 1){//only super admin can do that
            drupal_set_message( "You attempted to edit an admin or dev user name and you are not allowed, this attempt was logged." ,'error');
            watchdog('permissions_extra','Logged in user %user tried to edit account %account', array('%user' => $user->uid, '%account' => $account->uid), WATCHDOG_ERROR);
            drupal_goto('/admin/people');
        }
    }
}

Tags:

Users

7

Related

Drupal - Custom template for 404 error pages Drupal - Difference between create new and edit node in form alter Drupal - Can I delete nodes of a given content type with Drush? Drupal - How to disable a module and its dependents modules with Drush? Drupal - Is there a good way to inspect objects whose type is derived from the EntityDrupalWrapper class? Drupal - Embedding a webform inside a node content Drupal - How to change my base URL Drupal - What are Ctools plugin (content type, access, etc), and how does one create them? Drupal - How to implement a reputation based system with badges in Drupal similar to StackExchange sites? Drupal - Syntax highlighting for admin-side text areas (during node or block editing) Drupal - Listen to AJAX complete event from a behavior Drupal - File issues after importing Drupal site

Recent Posts