Drupal - Drupal 7 - Give permission to manage users but not permissions

I had the exact same requirement, and I was able to use the Roles Delegation module to build it to perfection :-)

Here is my scenario to give you more context -

  1. I had a Drupal site with roles - A, B, C, Admin, Maint
  2. I wanted users with role Maint to be able to create new users and also assign them roles while doing so
  3. I also wanted to limit Maint users to be able to assign only roles A, B, C to the new users and not the role Admin
  4. All of it was just a few clicks with the Roles Delegation module

Hope this helps.


Hmmm... Interesting that there does not seem to be a clear-cut way to do this. This seems like it could be a common feature for people. I found a couple of solutions:

http://drupal.org/project/protect_permissions - However, this is not yet ready for production use.

However, I think you can accomplish what you want with: http://drupal.org/project/permissions_lock

You will also need: http://drupal.org/project/user_permissions

The latter seems to do the opposite of what you want but the former seems to do exactly what you want. I have not tested either of these on my dev site to ensure 100% this is what will work for you. If I come across anything else I will update this answer.


Roles delegation leaves a security hole. You need to assign people the "administer users" permission for them to be able to use the administration page and the tools it has.

But if you do so, then that role will be able to edit even the superadmin. Check "Beware of Drupal's Administer users permission" for a full description.

My solution is roles delegation + this hook:


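// Implements hook_user_presave(). Replace "mymodule" with your module's
// machine name and 'adminrole' with the name of the role to protect.
function mymodule_user_presave(&$edit, $account, $category) {
    // Trying to edit the superadmin (uid 1) or a user holding the admin role.
    if ($account->uid == 1 || in_array('adminrole', $account->roles)) {
        global $user;
        // Only the superadmin can do that.
        if ($user->uid != 1) {
            drupal_set_message("You attempted to edit an admin or dev user name and you are not allowed, this attempt was logged.", 'error');
            watchdog('permissions_extra', 'Logged in user %user tried to edit account %account', array('%user' => $user->uid, '%account' => $account->uid), WATCHDOG_ERROR);
            // Drupal paths take no leading slash; the redirect aborts the save.
            drupal_goto('admin/people');
        }
    }
}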
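
The same rule can also be enforced one layer earlier, at menu access, so that a delegated user manager gets "access denied" on a protected account's edit and cancel pages instead of reaching the form. This is an added example, not code from the answer above; `mymodule` and `adminrole` are placeholder names, and the rule (only uid 1 may manage protected accounts) is carried over from the hook above.

```php
<?php
// Added example, not the answer's code. "mymodule" and "adminrole" are
// placeholders: substitute your module's machine name and protected role.

/**
 * Returns TRUE when the acting user may manage $account.
 *
 * Protected accounts (uid 1 or holders of "adminrole") are reserved for uid 1.
 */
function mymodule_may_manage($account) {
  $protected = $account->uid == 1 || in_array('adminrole', $account->roles);
  return !$protected || $GLOBALS['user']->uid == 1;
}

/**
 * Implements hook_menu_alter().
 *
 * Wraps every menu item that relies on core's user_edit_access() or
 * user_cancel_access(), which includes the per-category edit tabs.
 */
function mymodule_menu_alter(&$items) {
  $wrap = array(
    'user_edit_access' => 'mymodule_user_edit_access',
    'user_cancel_access' => 'mymodule_user_cancel_access',
  );
  foreach ($items as $path => $item) {
    if (isset($item['access callback']) && is_string($item['access callback'])
        && isset($wrap[$item['access callback']])) {
      $items[$path]['access callback'] = $wrap[$item['access callback']];
    }
  }
}

/**
 * Access callback: protected-account rule first, then core's own check.
 */
function mymodule_user_edit_access($account) {
  return mymodule_may_manage($account) && user_edit_access($account);
}

/**
 * Access callback: same rule for the account cancellation page.
 */
function mymodule_user_cancel_access($account) {
  return mymodule_may_manage($account) && user_cancel_access($account);
}
```

Clear the menu cache after enabling the module so the altered callbacks take effect. The bulk operations on admin/people do not go through these paths, so this complements the presave hook rather than replacing it.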
