If you have multiple user roles in your system and want a role other than administrator to manage certain roles, you might have found that splitting role management from other administrative permissions is not straight forward. This is a summary of how we solved that issue for one of our projects.
Let us say you have two business roles: moderator and editor. You want moderators to be able to give new users the editor role. Here is what you might do:
# Create the moderator role, a new user, and assign the user the moderator role. drush role-create moderator drush user-create sally --mail="firstname.lastname@example.org" --password="pass" drush user-add-role moderator sally
# Create editor role and assign user drush role-create editor drush user-create jim --mail="email@example.com" --password="pass" drush user-add-role editor jim
Next you would give the moderator role the following permissions:
You would also have to give moderators the following permissions in order for them to edit user roles:
Sally can now edit Jim’s account. You will see that she can give Jim any of the available roles including administrator. In fact, she can edit her own account and make herself an administrator. This is probably not what you would want. Ideally, Sally should only be able to give Jim the “editor” role.
# Install new modules drush en -y role_delegation drush en -y administerusersbyrole
First remove the following permissions:
Now give moderators the following permission:
Here is what “Administer Users by Role” permissions look like:
And here is what the “Role Delegation” permissions look like:
Let us create a new user and see what Sally is able to do:
drush user-create brian --mail="firstname.lastname@example.org" --password="pass"
Sally can make Brian an editor only, as it should be: