Administer Users by Role
Allows site builders to set up fine-grained permissions for allowing sub-admin users to edit, cancel, and create other users based on their roles, providing more specific control than Drupal Core's all-or-nothing 'administer users' permission.
administerusersbyrole
Installation
composer require 'drupal/administerusersbyrole:8.x-3.6'
composer require 'drupal/administerusersbyrole:8.x-3.4'
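Overview
The Administer Users by Role module lets site administrators delegate user management tasks to specific roles without granting the full 'administer users' permission. This is especially useful on sites with multiple tiers of administrators, where certain users need to manage specific groups of users without having full administrative access.
The module automatically generates role-specific permissions for editing and canceling users. For each role in the system, permissions are created to edit and cancel users who have that role. To edit or cancel a user who has multiple roles, a sub-admin must have permission to manage all of those roles. The module intentionally excludes the administrator role as a target, because allowing administrators to be edited would defeat the module's security purpose.
This is a Drupal 7 module and depends on the Chain Menu Access API module for proper menu access chaining.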
Features
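- Fine-grained role-based permissions for editing users - permissions are generated dynamically for each role in the system
- Fine-grained role-based permissions for canceling (deleting) user accounts
- A separate permission for creating new user accounts without full administrator access
- Access control for the user listing page (admin/people) that shows only the users that can be edited
- Automatic exclusion of the administrator role from permission targets for security
- Support for users with multiple roles - a sub-admin needs permissions for every role the target user has
- Integration with the Views module through custom field handlers for edit and cancel links
- Compatibility with the admin_views module for filtered user administration Views
- Compatibility with the password_policy_password_tab module for password management access
- Entity API integration for proper access callback handling
- A query tag system for filtering users by edit permission in custom Views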
Use Cases
Departmental User Administrators
In a large organization with multiple departments, you can create role-based sub-admins who can only manage users within their department. For example, create a 'Marketing' role and a 'Marketing Admin' role. Give 'Marketing Admin' the permissions to edit and cancel users with the 'Marketing' role. Marketing admins can then manage marketing users without access to users in other departments.
Membership Site Management
For a membership site with multiple tiers (Basic, Premium, VIP), you can allow customer service staff to manage Basic and Premium members but restrict VIP member management to senior staff only. Create appropriate roles and grant permissions accordingly.
User Registration Delegation
Allow content editors or moderators to create new user accounts without giving them full administrative access. Grant only the 'Create new users' permission to these roles.
Hierarchical Administration
Implement a tiered administration system where senior admins can manage all user types while junior admins can only manage specific user groups. This prevents junior admins from accidentally modifying accounts of users with higher privileges.
Self-Service Portal
Combined with proper role assignment, allow team leads to edit members of their team (users with their team's role) without exposing other users' information.
Tips
- Always test permission configurations with test accounts before deploying to production
- Remember that 'edit users with no custom roles' only applies to users who have NO custom roles - users with any role require the specific role permission
- Use the query tag 'administerusersbyrole_edit_access' in custom Views to automatically filter users based on edit permissions
- The module works well with Views to create role-specific user administration interfaces
- Consider creating a clear role hierarchy to simplify permission management
- Document your permission structure as it can become complex with many roles
Technical Details
Admin Pages 1
/admin/people
User administration overview page. When accessed by users with 'access users overview' permission (instead of 'administer users'), only displays users that the current user has edit permission for based on their role-specific permissions.
Permissions 6
Hooks 5
hook_permission
Dynamically generates permissions for editing and canceling users based on all available roles in the system.
hook_menu_alter
Chains access callbacks for user-related menu items to implement the module's access control logic.
hook_query_alter
Alters queries tagged with 'administerusersbyrole_edit_access' to filter out users that the current user cannot edit.
hook_entity_info_alter
Replaces the user entity access callback to integrate with Entity API module.
hook_views_data_alter
Replaces Views field handlers for user edit and cancel links to respect this module's permissions.
Troubleshooting 5
Ensure the sub-admin role does NOT have the core 'administer users' permission. This permission bypasses all permissions from Administer Users by Role.
Make sure the Chain Menu Access API module is installed and enabled. Run database updates (update.php or drush updatedb) to complete the migration to version 2.x.
This is by design. To edit a user with multiple roles, you must have permission to edit ALL of their roles. Grant additional role-specific edit permissions as needed.
This is intentional security behavior. Users with the site's administrator role are excluded from being edited/canceled by sub-admins to prevent privilege escalation.
The module provides custom Views field handlers. Make sure you're using the correct field handlers and that the module's Views integration is loaded (clear caches if needed).
Security Notes 5
- The administrator role is intentionally excluded from being targeted by this module's permissions - this prevents privilege escalation where a sub-admin could modify an admin's password and gain full access
- The 'administer users' core permission always overrides this module's permissions - never grant it to sub-admin roles
- Users cannot cancel their own account through the bulk operations form when they have cancel permission - the form bypasses normal self-cancellation restrictions
- When granting cancel permissions, remember that canceling a user may delete their content depending on site configuration
- The module prevents editing of user ID 1 (the root admin) regardless of permissions
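The access rule from the overview and the security notes, written out as a stand-alone PHP model for testing a planned permission layout on paper. This is an added example, not the module's own code: the `sub_admin_may()` helper, the role names and the per-role permission strings are constructed for illustration, and only 'administer users' and 'edit users with no custom roles' are taken from this page.

```php
<?php
// Model of the delegation rule described on this page (not the module's code).
// Per-role permission strings and role names are constructed for the example.

const ADMIN_ROLE = 'administrator'; // assumed name of the site's administrator role

/**
 * Decide whether $actor may perform $op ('edit' or 'cancel') on $target.
 *   $actor:  ['perms' => string[]]
 *   $target: ['uid' => int, 'roles' => string[]]   (custom roles only)
 */
function sub_admin_may(array $actor, string $op, array $target): bool {
  // Core 'administer users' bypasses every permission from this module.
  if (in_array('administer users', $actor['perms'], true)) {
    return true;
  }
  // uid 1 and holders of the administrator role are never valid targets.
  if ($target['uid'] === 1 || in_array(ADMIN_ROLE, $target['roles'], true)) {
    return false;
  }
  // A user with no custom roles is covered by a separate permission.
  if ($target['roles'] === []) {
    return in_array("$op users with no custom roles", $actor['perms'], true);
  }
  // Otherwise the actor needs the permission for EVERY role the target holds.
  foreach ($target['roles'] as $role) {
    if (!in_array("$op users with role $role", $actor['perms'], true)) {
      return false;
    }
  }
  return true;
}

// Constructed sample: a 'Marketing Admin' who may edit users with the 'marketing' role.
$marketingAdmin = ['perms' => ['edit users with role marketing']];
$targets = [
  'marketing only'    => ['uid' => 12, 'roles' => ['marketing']],
  'marketing + sales' => ['uid' => 13, 'roles' => ['marketing', 'sales']],
  'has admin role'    => ['uid' => 14, 'roles' => ['marketing', ADMIN_ROLE]],
  'no custom roles'   => ['uid' => 15, 'roles' => []],
  'root account'      => ['uid' => 1,  'roles' => []],
];
foreach ($targets as $label => $target) {
  $verdict = sub_admin_may($marketingAdmin, 'edit', $target) ? 'allow' : 'deny';
  printf("%-18s %s\n", $label, $verdict);
}
```

Adding 'administer users' to the sample actor's permissions turns every row into an allow, which is why that permission should never be granted to a sub-admin role.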