The Importance of User Roles and Permissions for Site Security

Rethink your roles

When discussing site security we often use words like "attacker", "malicious user" or "untrusted" to describe site visitors who may be intent on abusing resources, stealing data, or altering it. Within Drupal, a visitor can only achieve these goals through the permissions granted to their roles. This is the key point: we have to think of visitors in terms of what roles they have and what permissions we've granted those roles. Then, instead of just thinking about trusted vs. untrusted users, we are thinking about trusted vs. untrusted roles.

On your site, which roles are trusted and which are untrusted? What permissions have you given to those roles? What permissions have you granted to the Anonymous role, and thus to every anonymous visitor? As you build and add features to your site you are also widening the available points of attack. If you allow users to create accounts without administrator approval, you should also consider what permissions you've granted the Authenticated role. Can authenticated users create content or post comments without approval?
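One way to answer those questions on a Drupal 7 site is to audit what the two untrusted roles actually hold. The script below is an added example, not part of the original article; it assumes Drupal 7 and Drush (`drush php-script audit_untrusted_roles.php` from the site root), and uses the `restrict access` flag that modules set in `hook_permission()` for permissions that grant site-wide control, plus a name check for anything involving PHP.

```php
<?php
// Constructed audit script for Drupal 7 (assumption: run via Drush from the
// site root, so the Drupal API is bootstrapped). It lists every permission held
// by the anonymous and authenticated roles and flags those that either a
// module marks 'restrict access' or whose machine name mentions PHP.

$untrusted = array(
  DRUPAL_ANONYMOUS_RID => 'anonymous user',
  DRUPAL_AUTHENTICATED_RID => 'authenticated user',
);

// Every permission defined by enabled modules, keyed by machine name.
// Each entry may carry 'title' and the optional 'restrict access' flag.
$all_perms = module_invoke_all('permission');

// Permissions actually granted to each untrusted role: rid => array(perm => TRUE).
$granted = user_role_permissions($untrusted);

$findings = array();
foreach ($untrusted as $rid => $role_name) {
  foreach (array_keys($granted[$rid]) as $perm) {
    $restricted = !empty($all_perms[$perm]['restrict access']);
    $php = stripos($perm, 'php') !== FALSE;
    if ($restricted || $php) {
      $reason = $restricted ? 'module marks this restrict access' : 'evaluates PHP';
      $findings[] = sprintf("%s: '%s' (%s)", $role_name, $perm, $reason);
    }
  }
}

if (empty($findings)) {
  drush_print('No restricted or PHP permissions are granted to untrusted roles.');
}
else {
  drush_print('Untrusted roles hold permissions that belong only on trusted roles:');
  foreach ($findings as $line) {
    drush_print('  ' . $line);
  }
}
```

Any line it prints is a permission to move off the Anonymous or Authenticated role and onto a role you deliberately hand to trusted users.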


This article is now part of the Knowledge Base of Drupal security articles on Drupal Scout.

Read the rest of The Importance of User Roles and Permissions for Site Security


This page is kept so the comments posted here are available since they provide additional help and insights.

Comments

Super-Permissions

Seems to me that, starting with Drupal 7, it would have been interesting to restrict the super-user permissions from ever being given to roles 1 & 2. Since we automatically create an admin role in 7, there's really no reason for those permissions to ever go to anonymous or authorized users.

Well, someone could open a

Well, someone could open a site to administration by everyone as an experiment.

Need to restrict the permissions

Yes, I think we certainly need to take away any permissions from the Anonymous and Authorized roles, and they can't get any permissions even when the superadmin wants to give it to them. For this the superadmin has to explicitly create a role and give it enhanced permissions.

I hope a future Drupal release will have this restriction so that site security is not compromised even accidentally.

A few Drupal permissions

A few Drupal permissions should never be added to untrusted roles, as they allow or open up full control of your site. These permissions are:

And anything with the word "PHP" in it including "use PHP for block visibility".

Right now I need to be able

Right now I need to be able to set a role that can alter a user's role without having access to permissions.

Does anybody have an idea how to go about that one?

Permission to change users gives you no access to roles as you have when you first enter the user.

Permission to change permissions gives you access to all permissions.

I want to give my clients permission to change a user's role, but I retain the right to alter the permissions for each role.

I'm using Drupal 6.

Role Delegation

Hi,
I had the same issue and came across your post while looking for a solution. I finally found it in the Role Delegation module.

I hope that this helps you out:
http://drupal.org/project/role_delegation

Cheers

Phil