Best Practices for Managing Drupal Users

Make sure your Drupal website is set up to allow appropriate permissions for all your user types. This includes logged-out users and anyone who logs in. Avoid the temptation to add too many user roles and be mindful of unnecessary content editor restrictions.

Let's take a look at best practices for managing your Drupal users.

An Overview of Drupal Users

Let's start with a quick refresher and look at how the database catalogs and identifies users.

  1. 1.    User1: This user is the first user created which also has the ID number of one (1). This is not just an administrator, this is the master administrator. It's the most critical user account so make sure you are aware of who has this login.

  2. User 2 and all other users can be assigned a role and each role can contain specific permissions for accessing and using the website.

  3. User 0 is reserved for all unauthenticated users who are logged out. The database views all these visitors as User 0. Everyone gets a number!

How many roles are too many?

Drupal lets you create as many roles that you need, but how many is too many? Well, if your permission page takes a long time to load or fails to load, you may have too many user roles. If you were to adopt a general rule, your website should not have more than 5 or 6 roles. Typically those roles are identified as: Anonymous, Authenticated, Administrator, Content Editor, and Member/Customer. If you find yourself adding more roles, you may have a structure issue. Keep it simple.

In the example above here's what your content administration system would look like:

  • Anonymous: This is anyone who vists your website and does not log in. With Drupal, you can target the experience of this user in the database as User 0.

  • Authenticated: This is anyone who is logged in. This could be someone that created a free account, the administrator, and anyone who is logged in.

  • Administrator: This user should be able to update and change anything in the Drupal back-end. It is a full access role, just shy of the super admin privileges that User 1 has.

  • Content Editor: This role should be set up to allow any content creation, modification, publication, and deletion. Sometimes website owners will break this role into two roles (Editor and Moderator). This scenario can be ok, but we recommend more complete control for content editors. In other words, create one role and give it to users you trust. Consider taking moderation off-line and re-evaluate your internal processes.

  • Member: Many of our nonprofit association clients will have a unique role for members or constituents that may be necessary for syncing data with a 3rd party system or for generating specific access permissions. This role is particularly helpful for managing protected content that requires a subscription or paid membership level.

Is it safe to delete a user?

Use caution when deleting users. The action of deleting users also has the ability to delete content associated with users. One of our clients recently discovered this painful realization, and thankfully had a reliable backup system. (Take this moment to double check the status of your website backup system.) Instead of deleting uers, consider disabling users or assigning that user a different role if your primary concern is user permissions. You can, however, delete a user and re-assign that user's content to a different user. Make sure not to overlook that option during the user deletion process.

If you are unsure if your existing roles and permissions are set up correctly, ask your website administrator or send BackOffice Thinking a message about your issue. If you're a client of BackOffice Thinking just send an email to the support email provided to you.

Related Blog Posts



Technologies for Nonprofits