User Roles
This document goes over the different user roles on the Agency Platform and the level of access each role has. A role defines a group of users that have certain privileges. Each role is assigned a specific set of permissions. Permissions control what users can do on the site. After reviewing this document, the reader will be familiar with the different roles available and the capabilities each role provides.
User Roles and Permissions
Drupal has two basic roles, anonymous users and authenticated users. The State agency Drupal distribution adds four additional roles that an agency can assign to their users: Power user, Content editor, Content creator, and Restricted authenticated user. Finally, there are two special roles that are not available for assignment, but are used by the Digital Government program and select agencies who have a signed support agreement.
Anonymous user: This role is used for users that don’t have a user account or are not registered on the site. Anyone that visits a Drupal site is considered an anonymous user until they log in. Any permission granted to the Anonymous user role can be used by any site visitor. A common example of a permission assigned to the Anonymous user role is “view published site content”. Without this permission an anonymous user would not be able to view your website.
Authenticated user: This role is automatically granted to all logged in (registered) users. Therefore, all permissions assigned to the authenticated user role will apply to all registered users.
Restricted authenticated user: The permissions assigned to this role vary by site. The restricted authenticated user typically does not have the ability to create, modify and publish content, or any of the permissions available to the other roles. This role is normally assigned to users who may need access to perform a limited set of functions, but not otherwise make changes to your website. A common example of a permission assigned to the Restricted authenticated user role is “view webform submissions”. This is useful when an accounting staff member needs to reconcile payment information with a form submission, but should not otherwise be able to make changes to your site.
Content Creator: The Content Creator role, formerly known as the contributor role, only has permission to create and edit their own content and cannot publish content, edit content created by others, or make any configuration changes to the system. This role is most often used to grant someone the ability to create content while requiring someone else to publish the content.
Content Editor: The Content Editor role, formerly known as just the editor role, can create, modify and publish content. This role is typically granted to people who are trusted to edit all content on a website and to publish that content to the public. While the Content Editor role can change all content on your website, it cannot make system configuration changes or perform more powerful actions that run the risk of making your site unusable.
Power User: The Power User role is the most advanced role typically assigned to a user at an agency. In addition to all the permissions provided to the Content Editor and Content Creator roles, the Power User can make many system configuration changes including things that will change the appearance, structure and functionality of your site. This role is designed for agencies with technical staff capable of performing limited configuration changes to the site. While this role cannot permanently damage your site, it does have permissions to make changes that might require support from our service desk to restore functionality. For this reason, prior to assigning the Power User role to a staff member, we recommend they attend one of our monthly Advanced training sessions.
Site Administrator: The Site Administrator role, formerly known as just the administrator role, has all of the permissions provided to the other three agency roles, plus several advanced permissions. This role is designed for agencies with advanced technical staff capable of performing technical configuration changes to the site. The Digital Government team has reviewed the current state of the agency platform, security concerns, and the costs of maintaining and supporting the platform. In order to continue offering the best possible service and control costs, we require all users who need to be granted the Site Administrator role to sign the Agency Platform Administrator Rights Policy and Agreement.
Permission Chart
The Agency Platform II distribution has over 650 fine-grained permissions that can be assigned to each role. While it is not practical to publish all permissions here, we have summarized the most common permissions your staff will likely need. No changes shall be made to the existing distribution permissions scheme without prior consultation with platform management. Site builders shall coordinate with platform management to ensure all new permissions are in alignment with our overall permission philosophy outlined in this document.
Permission | Site Administrator | Power User | Content Editor | Content Contributor | Restricted Authenticated User |
---|---|---|---|---|---|
View Private Pages | ✅ | ✅ | ✅ | ✅ | ✅ |
Create Own Content | ✅ | ✅ | ✅ | ✅ | |
Edit Own Content | ✅ | ✅ | ✅ | ✅ | |
Edit All Content | ✅ | ✅ | ✅ | | |
Add/Edit Taxonomy | ✅ | ✅ | ✅ | | |
Add/Edit Views | ✅ | ✅ | | | |
Add/Edit Webforms | ✅ | ✅ | | | |
Add/Edit Content Types | ✅ | | | | |
Add/Edit User Roles | ✅ | | | | |
More detailed example of the permissions within the websites
Permission | Site administrator | Power user | Content editor | Content creator | Restricted authenticated user |
---|---|---|---|---|---|
Block | | | | | |
Administer blocks | X | X | X | X | |
Block Class | | | | | |
Administer block classes | X | X | X | | |
CAPTCHA | | | | | |
Administer CAPTCHA settings | X | | | | |
Skip CAPTCHA. Users with this permission will not be offered a CAPTCHA. | X | | | | |
Contact | | | | | |
Administer contact forms and contact form settings | X | | | | |
Content Moderation | | | | | |
Editorial workflow: Use Archive transition. Move content from Published state to Archived state. | X | X | X | X | |
Editorial workflow: Use Create New Draft transition. Move content from Draft, Published, Archived, In review states to Draft state. | X | X | X | X | |
Editorial workflow: Use Publish transition. Move content from Draft, Published, In review states to Published state. | X | X | X | X | |
Editorial workflow: Use Restore from archive transition. Move content from Archived state to Published state. | X | X | X | X | |
Editorial workflow: Use Send to review transition. Move content from Draft, In review states to In review state. | X | X | X | X | |
View any unpublished content | X | X | X | X | |
View the latest version. Requires the "View any unpublished content" or "View own unpublished content" permission | X | X | X | X | |
Facets | | | | | |
Administer Facets. Create and configure Facets for your Search pages. | X | | | | |
Feeds | | | | | |
Create new feeds | X | X | | | |
Delete feed items | X | X | | | |
Delete feeds | X | X | | | |
Import feeds | X | X | | | |
Update existing feeds | X | X | | | |
View feeds | X | X | | | |
File | | | | | |
Access the Files overview page | X | X | X | | |
File Delete | | | | | |
Delete files from the file system. This allows the user to change the status of a file from Permanent to Temporary. These files will be deleted by Drupal during its cron runs. | X | X | X | | |
Filter | | | | | |
Define how text is handled by combining filters into text formats. | X | X | X | | |
Use the Basic HTML text format. Warning: This permission may have security implications depending on how the text format is configured. | X | X | X | X | X |
Use the Full HTML text format. Warning: This permission may have security implications depending on how the text format is configured. | X | X | X | | |
Google Analytics | | | | | |
Administer Google Analytics. Perform maintenance tasks for Google Analytics. | X | X | | | |
Opt-in or out of tracking. Allow users to decide if tracking code will be added to pages or not. | X | | | | |
Google Tag Manager | | | | | |
Administer Google Tag Manager. Configure the website integration with Google Tag Manager | X | X | | | |
Honeypot | | | | | |
Administer Honeypot. Administer Honeypot-protected forms and settings. | X | | | | |
Bypass Honeypot protection. Bypass Honeypot form protection. | X | X | | | |
Image | | | | | |
Administer image styles | X | | | | |
Layout Builder | | | | | |
Content - Basic page: Configure all layout overrides. Warning: Allows configuring the layout even if the user cannot edit the content item itself. | X | | | | |
Content - Basic page: Configure layout overrides for content items that the user can edit | X | X | X | X | |
Configure any layout | X | X | | | |
Create and edit custom blocks. Manage the single-use blocks within the Layout Builder | X | X | X | X | |
Layout Builder Component Attributes | | | | | |
Administer Layout Builder Component Attributes. Manage global settings for the Layout Builder Component Attributes module | X | X | | | |
Manage Layout Builder component attributes. Add attributes to Layout Builder components (blocks) | X | X | | | |
Mail System | | | | | |
Administer Mail System. Select the default, per-module, and per-mailing Mail System Interface to use for formatting and sending email messages. | X | | | | |
Media | | | | | |
Create new media | X | X | X | X | |
Delete any media | X | X | X | X | |
Edit any media | X | X | X | X | |
Access media overview. Users with this permission can access the media overview page. | X | X | X | X | |
View all media revisions. To view a revision, you also need permission to view the media item. | X | X | X | | |
View media | X | X | X | X | X |
View own unpublished media | X | X | X | X | |
Node | | | | | |
Create new content | X | X | X | X | |
Delete any content | X | X | X | | |
Delete revisions | X | X | X | | |
Edit any content | X | X | X | | |
Revert revisions | X | X | X | | |
View revisions | X | X | X | | |
Access the Content overview page | X | X | X | X | |
View published content | X | X | X | X | X |
View own unpublished content | X | X | X | X | |
Paragraphs | | | | | |
Administer Paragraphs settings | X | X | | | |
Administer Paragraphs types. Allow to define the existing Paragraphs types and their Fields | X | X | | | |
Edit behavior plugin settings. Users with this permission can edit behavior plugin settings on Paragraphs behavior instance | X | X | | | |
View unpublished paragraphs. Users with this permission can view paragraphs that are unpublished | X | X | | | |
Path | | | | | |
Administer URL aliases | X | X | | | |
Create and edit URL aliases | X | X | X | | |
Redirect | | | | | |
Administer global URL redirection settings | X | X | | | |
Administer individual URL redirections | X | X | | | |
Search | | | | | |
Administer search | X | X | | | |
Use advanced search | X | X | X | | |
Use search | X | X | X | X | X |
Search API | | | | | |
Administer Search API. Create and configure Search API servers and indexes. | X | | | | |
Shortcut | | | | | |
Administer shortcuts | X | X | | | |
Use shortcuts | X | X | X | X | |
Taxonomy | | | | | |
Create terms | X | X | X | | |
Delete terms | X | X | X | | |
Edit terms | X | X | X | | |
Access the taxonomy vocabulary overview page. Get an overview of all taxonomy vocabularies. | X | X | X | | |
Administer vocabularies and terms | X | | | | |
Webform | | | | | |
Access the webform overview page. Get an overview of all webforms. | X | X | X | | |
Access the webform user submission page. Allows a user to view their submissions via 'Submissions' tab on their profile page. | X | X | | | |
Administer webform element access. Restrict webform element access to certain roles and users. | X | X | | | |
Create webforms | X | X | | | |
Delete any webform | X | X | | | |
Delete any webform submission. Allows deleting all submissions. | X | X | | | |
Delete own webform | X | X | | | |
Edit any webform submission. Allows updating all submissions. | X | X | | | |
View any webform submission. Allows viewing all submissions. | X | X | X | X | |
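The chart can also serve as a baseline for spotting permission drift on a site. The following is an added example, not code from the Agency Platform: it encodes a few rows of the detailed table and compares them with what each role actually holds. The input mapping format, the `audit` function and the sample data are assumptions made for illustration.

```python
# Column order of the permission tables above, most to least privileged.
ROLES = ["Site administrator", "Power user", "Content editor",
         "Content creator", "Restricted authenticated user"]

# A few rows of the detailed table: permission label -> how many of the
# leftmost role columns carry an X (each row copied here fills left to right).
BASELINE = {
    "Administer CAPTCHA settings": 1,
    "Skip CAPTCHA": 1,
    "Administer Honeypot": 1,
    "Bypass Honeypot protection": 2,
    "Configure any layout": 2,
    "Use the Full HTML text format": 3,
    "Edit any content": 3,
    "Delete any content": 3,
    "Create new content": 4,
    "Use the Basic HTML text format": 5,
    "View published content": 5,
}

def audit(granted):
    """Compare {role: set of permission labels} with BASELINE and return
    sorted (kind, role, permission) tuples; kind is excess/missing/unknown."""
    findings = []
    for role, perms in granted.items():
        if role not in ROLES:
            findings.append(("unknown", role, "*"))  # role not in the chart
            continue
        rank = ROLES.index(role)
        for perm in perms:
            if perm not in BASELINE:
                findings.append(("unknown", role, perm))
            elif rank >= BASELINE[perm]:  # held, but chart has no X here
                findings.append(("excess", role, perm))
        for perm, width in BASELINE.items():
            if rank < width and perm not in perms:  # chart has X, not held
                findings.append(("missing", role, perm))
    return sorted(findings)

# Constructed sample of what two roles hold on a site (hypothetical data).
SAMPLE = {
    "Content creator": {"Create new content", "View published content",
                        "Use the Basic HTML text format",
                        "Use the Full HTML text format"},
    "Restricted authenticated user": {"View published content", "Skip CAPTCHA",
                                      "Use the Basic HTML text format"},
}

if __name__ == "__main__":
    print(*audit(SAMPLE), sep="\n")
```

An "excess" finding is a grant the chart does not give that role, which is the kind of change the document says requires consultation with platform management.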
Disclaimer
These materials are intended to assist State of Arizona employees, contractors, vendors and others as they strive to improve their knowledge and understanding of the Agency Platform II. While we attempt to thoroughly address specific topics, it is not possible to cover everything that is needed. This information must be understood as a tool for addressing information as much as we can. Over time, Agency Platform maintainers may modify rules and procedures in light of new technology, information, or circumstances.