
Roles and Permissions

An overview of Roles and Permissions can be obtained by opening the People page.

When you create a new CERN Drupal website, a predefined list of roles is automatically implemented:

  • Anonymous User: All anonymous users.
  • Authenticated User: All authenticated users regardless of their role.
  • Administrator: Administrative access to the website.
  • CERN Registered: Represents the currently active CERN primary accounts.
  • CERN Shared: Represents the currently active CERN secondary and service accounts.
  • HEP Trusted: HEP people registered in the CERN HR database, authenticated using HEP systems.
  • Verified External: Ex-members of personnel, such as retirees, former staff, etc.
  • Unverified External: Anonymous unverified people (e.g. external/lightweight accounts).

Overview of users of a Drupal website.


Creating and Assigning Roles

While the predefined roles accommodate most use-cases, it may be relevant to create a new role.

In order to create a new role:

  • Visit <website_url>/admin/people/roles
  • Click “Add role”
  • Give a descriptive name to your role and save it

Now you have a new role. Users can be assigned this role and permissions can be applied.

Creating Permissions

Once a role has been created, permissions can be granted.

There are predefined permissions for almost every basic functionality of your website.

In order to grant a permission to a specific role:

  • Visit <website_url>/admin/people/permissions
  • Check which roles should have the permissions
  • Save the page

or

  • Visit <website_url>/admin/people/permissions/<role_machine_name>
  • Check permissions for this specific role
  • Save the page

The difference between the two solutions is that the first lets you give multiple permissions to multiple roles, while the second lets you give multiple permissions to one role.

CERN Drupal websites also support CERN e-groups, meaning that the admins of a website can use this feature to assign roles to an e-group. As such, the admins of a website can grant access to the group of users belonging to a specific e-group.

Common Use Cases

The following outlines the two most common use cases.

Grant editing permissions

In this case, you want to give another user the ability to create new pages. To do so:

  1. Create a Role, e.g. Page Editor (or any other name).
  2. Visit the Permissions page of the created role and grant access to editing content for this role.
  3. Create an e-group and bind it with the role, following the steps already mentioned.
  4. Add the user's e-mail, e.g. user@cern.ch, to the e-group.

Grant admin permissions

This case is easier to achieve, but you, as an admin, need to be sure about what you are trying to achieve. The admin role has access to every part of the website, which means that users granted this role can modify every aspect of the website. As a result, you need to be extra careful before deciding to grant this role to a user. If you have doubts about this user, we recommend creating a custom role and granting only the specific permissions you want the user to have.

If you are sure that you want to grant admin access to a user, the only procedure you need to follow is to add this user to the admin e-group. For this use case, assume that the Drupal website that we own is called accelerating-science.web.cern.ch and that the email of the user we want to make an admin is user@cern.ch. By default, every CERN Drupal website comes with an e-group called drupal-admins-name_of_the_website that contains all the admins of the created website. So in our case, the e-group will be called drupal-admins-accelerating-science, and in order to make the user an admin, the only thing we need to do is add user@cern.ch to the drupal-admins-accelerating-science e-group.

To sum up:

  1. Visit https://e-groups.cern.ch/
  2. Find the drupal-admins-accelerating-science e-group
  3. Add user@cern.ch to this e-group
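
The recommendation above, to prefer a custom role holding only specific permissions over the admin role, can be checked against the roles a site actually defines. The following is an added example, not part of the original page or of CERN's tooling: it assumes role definitions shaped like Drupal's exported user.role.* configuration (id, is_admin, permissions), and the role names page_editor and site_helper and all sample data are constructed.

```python
# Added example: least-privilege audit over role definitions.
# Input shape mirrors Drupal's exported user.role.<machine_name> config.

# Core permissions Drupal marks "give to trusted roles only"; a custom
# role holding one of these is close to admin-equivalent.
ESCALATING = {
    "administer permissions",
    "administer users",
    "administer site configuration",
    "administer modules",
    "bypass node access",
}
# Roles that cover visitors who were not individually chosen by an admin.
BROAD_ROLES = {"anonymous", "authenticated"}
WRITE_PREFIXES = ("create ", "edit ", "delete ", "administer ")


def audit_role(role):
    """Return a list of findings for one role definition."""
    if role.get("is_admin"):
        # is_admin roles implicitly hold every permission.
        return ["full admin: review each member individually"]
    perms = set(role.get("permissions", []))
    findings = [f"escalating permission: {p}"
                for p in sorted(perms & ESCALATING)]
    if role["id"] in BROAD_ROLES:
        findings += [f"write permission on broad role: {p}"
                     for p in sorted(perms - ESCALATING)
                     if p.startswith(WRITE_PREFIXES)]
    return findings


def audit(roles):
    """Map role id -> findings, omitting roles with nothing to report."""
    return {r["id"]: f for r in roles if (f := audit_role(r))}


# Constructed sample data (not taken from a real site).
SAMPLE_ROLES = [
    {"id": "anonymous", "permissions": ["access content"]},
    {"id": "authenticated",
     "permissions": ["access content", "edit any page content"]},
    {"id": "administrator", "is_admin": True, "permissions": []},
    {"id": "page_editor",  # hypothetical custom role, scoped as advised
     "permissions": ["access content", "create page content",
                     "edit own page content"]},
    {"id": "site_helper",  # hypothetical custom role that grew too broad
     "permissions": ["create page content", "administer permissions",
                     "administer users"]},
]

if __name__ == "__main__":
    for role_id, findings in audit(SAMPLE_ROLES).items():
        print(role_id, findings)
```

A narrowly scoped role such as page_editor produces no findings, while site_helper is reported because its permissions allow it to grant itself further access.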

Grant admin access to a new group

This case refers to the situation where a new group is to be added as administrators of the website's content.

Steps:

  1. Go to the Webservices Portal and select the website for which you wish to give a new group admin permissions.
  2. Select Manage roles via the Application Portal
  3. Click on Roles on the new page
  4. Click on the green button of the Administrator role
  5. Type the group you want to add as Administrator

If the role you want to edit does not exist, you can create one using the button at the bottom of the page. The role_identifier must match the machine name that exists on your Drupal website. The machine name can be found under <your-website>.cern.ch/admin/people/roles, by editing the role in question.