Nodeaccess
Provides per-node access control, allowing you to manage permissions (view, edit, delete) for individual nodes by user role and specific users.
nodeaccess
Install
composer require 'drupal/nodeaccess:8.x-1.0'
composer require 'drupal/nodeaccess:8.x-1.1'
Overview
Nodeaccess allows site administrators to manage permissions for nodes on a per-node basis by role and user. Unlike standard Drupal permissions which apply globally, this module implements fine-grained per-node access control that works without requiring taxonomy categorization.
With this module, you can restrict access to any individual node and assign permissions to view, edit, or delete each node by user or role. Once enabled, a 'Grants' tab appears on node pages where permissions for that specific node can be configured.
The module integrates deeply with Drupal's node access system through hook_node_access_records() and hook_node_grants(), providing three access realms: nodeaccess_role (for role-based access), nodeaccess_user (for user-specific access), and nodeaccess_author (for author-based access).
Features
- Per-node access control with view, edit, and delete permissions for roles and individual users
- Author-based permissions that can be configured per content type
- Configurable roles visibility on the node grants tab with display name aliases and weight ordering
- Per-content-type default permissions that apply to new nodes
- Per-content-type permissions allowing delegation of grant management to specific user roles
- Grants tab availability can be enabled/disabled per content type
- User search functionality on grants tab supporting both autocomplete (with user profile access) and user ID input
- Support for multilingual content with proper handling of translation publish status
- Automatic configuration updates when roles or content types are created, updated, or deleted
Use Cases
Restricting specific pages to certain users
Use Nodeaccess when you need to restrict access to specific nodes to certain users without creating complex taxonomy-based access rules. Enable the Grants tab for the content type, then on each restricted node's Grants tab, remove view access from anonymous and authenticated roles, and grant view access only to specific users or custom roles.
Editor-controlled content access
Allow content editors to control who can access their content. Create an 'Editor' role with 'nodeaccess grant [type] permissions', enable the Grants tab for that content type, and editors can then manage access for their own content through the Grants tab.
Author-only content before publication
Configure content types so authors can always edit their own content but others cannot see unpublished drafts. Set author permissions to grant_view, grant_update, and grant_delete in the content type settings, while keeping role permissions restricted.
Private content types
Create private content types where only the author and administrators have access by default. Leave all role permissions unchecked in content type settings but enable author view/edit/delete permissions. Authors can then selectively share access using the Grants tab.
Team-based content access
Create roles for different teams (e.g., 'Marketing Team', 'Development Team') and use Nodeaccess to grant content access to entire teams. Enable these roles on the Grants tab and editors can assign team access per node.
Tips
- Back up your database before installing Nodeaccess as it significantly changes content access behavior
- To emulate standard Drupal permissions, grant view permission to anonymous and authenticated users for each content type
- User grants are additive to role grants - a user gets access if ANY of their roles or their individual user grant allows it
- The Author permissions in content type settings cannot be overridden on individual nodes - they always apply to the node author
- Use the 'Display name' feature to provide user-friendly role names on the grants tab if your role machine names are technical
- When granting permissions to individual users, remember to check the 'Keep?' checkbox or the user will be removed on save
Technical Details
Admin Pages 2
/admin/config/people/nodeaccess
Configure global nodeaccess settings including which roles appear on node grants tabs, default permissions for each content type, and which grant operations are available.
/node/{node}/grants
Configure access permissions for a specific node. Allows setting view, edit, and delete permissions for selected roles and individual users.
Permissions 3
Hooks 8
hook_node_access_records
Provides access records for nodes. Returns grants for roles, users, and authors based on node-specific settings (from nodeaccess table) or content type defaults (from nodeaccess.settings).
hook_node_grants
Provides grant IDs for a user account. Maps user's roles to nodeaccess_role grant IDs and provides user ID for nodeaccess_user and nodeaccess_author realms.
hook_node_type_insert
Automatically adds new content type to nodeaccess settings with default (no access) permissions for all roles and author.
hook_node_type_delete
Removes deleted content type from nodeaccess settings.
hook_node_delete
Removes node-specific grants from the nodeaccess table when a node is deleted.
hook_user_role_insert
Adds new role to nodeaccess settings including map_rid_gid, roles_settings, and bundles_roles_grants.
hook_user_role_update
Updates role display name in nodeaccess settings when a role label changes.
hook_user_role_delete
Removes deleted role from all nodeaccess settings.
Troubleshooting 5
This is expected behavior. After enabling Nodeaccess, you must configure permissions on the settings page (/admin/config/people/nodeaccess). At minimum, grant view permission to anonymous and/or authenticated users for each content type to emulate standard Drupal behavior.
Check that 'Show grant tab for this content type' is enabled in Nodeaccess settings for that content type. Also verify the user has either 'administer nodeaccess' permission or the specific 'nodeaccess grant [type] permissions' for that content type.
Drupal's access system is additive. If a user has access through their role, you cannot revoke it for that individual user. For example, if authenticated users have edit permission, you cannot remove edit access for a specific authenticated user.
After changing settings on the Nodeaccess settings page, node access is automatically flagged for rebuild. If changes still don't apply, manually run node access rebuild at /admin/reports/status/rebuild.
Admin users bypass all node access restrictions by design. This is core Drupal behavior and cannot be overridden by Nodeaccess.
Security Notes 5
- After enabling this module, no content is accessible until permissions are configured - plan your access rules before enabling on a production site
- Admin users always bypass node access restrictions and cannot be restricted using this module
- The 'administer nodeaccess' permission should be restricted to trusted administrators as it allows modifying all access rules
- Granting a role edit or delete permissions on a content type affects all nodes of that type unless overridden on specific nodes
- Consider using content type-specific 'nodeaccess grant [type] permissions' rather than 'grant node permissions' for better access control delegation