Roles and permissions

In a business, people with different roles are allowed to do different things. For example, managers are allowed to approve expense payments, but regular employees are not.

Permissions depend on roles, not people. Suppose Jim is a regular employee on Monday, and is promoted to manager on Tuesday. That means Jim cannot approve expense payments on Monday, but can on Tuesday. Jim hasn’t changed, but his role has.

Drupal works that way as well. There are:

  • Roles
  • Permissions
  • Users

Users are given roles. Roles have permissions. Users get whatever permissions their roles give them.


A role is a label, like manager, author, editor, sales rep… whatever makes sense for the business. Drupal comes with some default roles:

Default roles

You can see them on /admin/people/roles. Or click People | Roles in the admin menu.

Anonymous is a special role. Usually, you decide which users have which roles. When people are not logged in, what user are they, and what role do they have? Anonymous. They can only see and do the things that Anonymous is allowed to see and do.

When you’re not logged in, you’re the Anonymous user.

Authenticated user is another special role. Anyone who’s logged in is given the Authenticated user role automatically. It lets admins set baseline permissions that apply to everyone who’s logged in.

As you might guess, the Administrator role lets users configure the Web site. Don’t give this one to very many users.

Adding a role

Let’s add a role called Editor. Users with the editor role will be allowed to create, edit, and delete pages on the site, but not mess with user accounts or other things.

Click Add role on /admin/people/roles. Type “Editor” and save.

Rearrange the roles like this:


Help text on /admin/people/roles explains why you put roles in order. Have a look.


Now let’s give the new role permission to edit pages. Click People | Permissions. That will take you to /admin/people/permissions.

Scroll down to the Node section, and give Editor all permissions for Basic pages:


Don’t forget to save.

Now, anyone with the Editor role will be able to create, change, and delete Basic pages.


Let’s try it. We’ll need to create a user account. Go to People, and click Add user. Type in the required information, and give the user the Editor role. Use a fake email address if you want.

Here’s what I ended up with:


User names don’t have to be real names. I could have typed patryan, pryan, or super-sales.

Start a new browser. For example, if you normally work in Firefox, start Chrome.

When messing with permissions, it helps to have two or more browsers open. You can be logged in as admin in one browser, and test your work in another. (I’m doing this right now.)

Don’t log in with the second browser, so it will be Anonymous. Try going to the page /node/add/page as Anonymous. This is the URL of the page that adds a new page to your site. You should get Access denied. Makes sense, because Anonymous doesn’t have permission to make new pages.

Now log in with the new account (Pat Ryan in my case). Go to /node/add/page again. This time, you should be able to create a page.

Why have roles at all? Why not just give Pat Ryan the permissions directly, instead of making a role, giving it those permissions, and then giving Pat Ryan the role?

Good question!

Using roles makes the site easier to manage. Suppose Pat changes jobs. With roles, no big deal. Change his account, remove the role for his old job, add the role for his new job. Done.

Without roles, it’s harder. Drupal has dozens of roles. Imagine having to check them all when someone changes jobs. Ack!

I’ve got a question, too. What happens when a user has two roles?
The user gets all of the permissions from both roles. In fact, users can have any number of roles.

Text formats

When you’re logged in as admin, the editor lets you choose your text format:

Text formats

The difference between them is what HTML tags the editor allows. To insert video as we did before, you need to use the <iframe> tag.

Restricted HTML lets you just use the simplest tags. Basic HTML lets you add more. Full HTML lets you use every HTML tag.

The user I just created, Pat Ryan, doesn’t have those formats.

No text formats

You can give roles permissions to use different formats. Try it. Go to People | Permissions, and give the Editor role permission to use Full HTML.

Can random people apply for accounts?

By default, Drupal lets anyone apply for an account on your site. The accounts aren’t activated, but still, it’s common to get lots of spam account applications. Yuck!

You can change that. Go to Configuration | Account settings (that’s /admin/config/people/accounts). Change Registration to Administrators only. I recommend doing this on every site you make.

User 1

When you installed Drupal, you created the admin account.

User 1

This is the first account Drupal creates. It has the user id 1; every account has an id number. This account if usually called admin, user 1, or sometimes the super user.

User 1 can do anything on your site. Change permissions, erase roles, erase users, delete every page, you name it.

User 1 can do anything with your site, including erasing all its data.

Obviously, don’t tell others what user 1’s login credentials are. However, you shouldn’t use admin yourself, unless you need to reconfigure your site. You don’t want to accidentally do something you regret.

Here’s what I do. The site you’re looking at now is a Drupal site. I’m typing this text while logged in, but I’m not logged in as admin. Instead, I created a role called Author, gave the role permission to edit pages. Then I created a second account and gave it the role Author. The second account is the one I’m using now. I can’t accidentally do Bad Things with the account, since the Author role doesn’t have permission to do Bad Things.

That’s a good idea for any IS:

Use accounts with the minimum permissions needed to do the required tasks.

Exercise: Make a role
Make a role allowed to work on basic pages. Name the role anything you like.

Let the role create, update, and delete basic pages, and use the Full HTML text format.

Create a user with that role.


  • The URL of your site
  • The login credentials for the new user
  • The login credentials for user 1

(If you were logged in as a student, you could submit an exercise solution, and get some feedback.)


Users are given roles. Roles have permissions. Users get whatever permissions their roles give them.

Use accounts with the minimum permissions they need to do the required tasks.