Using Content Access and ACL with OG User Roles

Assigned to:somebody
Created:somebody at Wed, 07/25/2007 - 10:45am
Status:Open (General Task / Priority 1-High)
Case ID:OG User Roles: 72-185

OG User Roles now supports these two modules: Content Access and ACL.

These modules allow you to custom define roles and/or users who can access particular nodes.

The following discussion assumes that, in addition to OG User Roles, you have installed the Content Access and ACL modules as well as Taxonomy Access Control (TAC). It also assumes you have created a content type called "Document"; any content type will do, but "Document" is the one used for this discussion and for testing.


Configure the "Document" content type (assumes you have already created it):

Home > Administer > Content management > Content types

Click on "Access Control" tab for this content type:

From this screen:

  1. Enable per node access control settings
  2. Uncheck all roles

(Screenshot: Content Access content type configuration)

"Document" content type is now set up to use Content Access.

I create a "Document" vocabulary and add the "Document" content type to it.

Home > Administer > Content management

(Screenshot: Document vocabulary)

I then use the "add terms" link to add a "NONE" term to the "Document" vocabulary.

Using Taxonomy Access Control (TAC) permissions, I grant NO role access to this term (except for privileged "Admin" users). This means that any node assigned this term will not be viewable by anyone else. This is the recommended category for content to which you intend to assign customized permissions with Content Access.

You must do this because Content Access cannot revoke permissions granted by TAC: node access grants are additive, so a grant from either module is enough to allow access. Content Access can, however, grant permissions on content to which TAC grants no one access.

(Screenshot: TAC permissions for the "NONE" term)

Note: Your Admin role(s) should be given List/Create permissions here for the "NONE" term.

In: Home > Administer > User management > Roles:

Give your Admin users permission to grant content access.

I gave the "Admin" and "GroupAdmin" roles these permissions:

  • grant content access
  • grant own content access

These are my Admin roles, which can create Content Access nodes. These roles need to be able to List/Create the "NONE" term (use Taxonomy Access: Permissions).


First, remember that if you want to create custom access to a node you create, that node must NOT have access granted by a vocabulary term. Technically, Content Access and Taxonomy Access Control (TAC) do not combine the way you might expect: every grant is additive, and neither module can take away what the other grants. So you can't, for example, assign a node a vocabulary term that TAC allows Role A to view, then use Content Access to stop Role A from viewing it.

To use Content Access, assign the node whose access is to be customized to the "NONE" category (you have used TAC to grant NO users access to "NONE" content, except for Admin users). Then, from the node's "Access Control" tab (which appears once the node is submitted), choose which roles and/or users can view, edit or delete the node.
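To make the "grants are additive" point concrete, here is a small Python model of how Drupal's node access layer combines grant records from several access modules. It is an added illustration for this page, not code from Drupal, OG User Roles, Content Access, ACL or TAC; the realm names, role ids, node ids and user ids are constructed for the example, and the real check (uid 1, the "administer nodes" permission, node authorship) is left out so that only the grant combination is shown.

```python
"""Model of additive node access grants (constructed example, not
Drupal or module code). Each access module returns grant records
(realm, gid, view/update/delete) for a node; a user carries a set of
(realm, gid) keys. An operation is allowed when ANY matching record
grants it, so no module can revoke a grant another module made."""

from dataclasses import dataclass, field

# Constructed role ids; the realm names below are assumptions for
# this illustration, not a statement about the modules' internals.
ROLE_IDS = {"authenticated": 2, "Admin": 3, "GroupAdmin": 4, "RoleA": 5}
TAC_TERM_GRANTS = {          # TAC: roles allowed to view nodes in a term
    "Public": {"authenticated", "RoleA", "Admin"},
    "NONE": {"Admin"},       # the page's "grant NO role access" term
}


@dataclass(frozen=True)
class Grant:
    realm: str
    gid: int
    view: bool = False
    update: bool = False
    delete: bool = False


@dataclass
class Node:
    nid: int
    term: str
    ca_roles: dict = field(default_factory=dict)   # role -> op flags
    acl_users: dict = field(default_factory=dict)  # uid  -> op flags


def tac_records(node):
    """Taxonomy Access Control: view grants by role for the node's term."""
    return [Grant("term_access", ROLE_IDS[r], view=True)
            for r in TAC_TERM_GRANTS.get(node.term, ())]


def content_access_records(node):
    """Content Access role settings plus its per-user ACL entries."""
    recs = [Grant("content_access_rid", ROLE_IDS[r], **ops)
            for r, ops in node.ca_roles.items()]
    recs += [Grant("acl", uid, **ops) for uid, ops in node.acl_users.items()]
    return recs


def node_access_records(node):
    """Every module's records for the node, collected together."""
    return tac_records(node) + content_access_records(node)


def user_grant_keys(uid, roles):
    """The (realm, gid) keys this user can match."""
    keys = set()
    for r in roles:
        keys.add(("term_access", ROLE_IDS[r]))
        keys.add(("content_access_rid", ROLE_IDS[r]))
    keys.add(("acl", uid))
    return keys


def node_access(op, node, uid, roles):
    """True if any grant record matching the user allows `op`."""
    keys = user_grant_keys(uid, roles)
    return any((g.realm, g.gid) in keys and getattr(g, op)
               for g in node_access_records(node))


# Constructed nodes. PUBLIC_DOC tries to hide itself from RoleA by not
# listing RoleA in Content Access; NONE_DOC follows the page's recipe.
PUBLIC_DOC = Node(1, "Public", ca_roles={"GroupAdmin": dict(view=True)})
NONE_DOC = Node(2, "NONE",
                ca_roles={"RoleA": dict(view=True)},
                acl_users={42: dict(view=True, update=True)})

if __name__ == "__main__":
    for label, node in (("Public", PUBLIC_DOC), ("NONE", NONE_DOC)):
        for uid, roles in ((7, {"authenticated", "RoleA"}),
                           (8, {"authenticated"}),
                           (42, {"authenticated"})):
            allowed = [op for op in ("view", "update", "delete")
                       if node_access(op, node, uid, roles)]
            print(label, "uid", uid, allowed)
```

Running it shows the two cases from the text: on PUBLIC_DOC, a RoleA user still has view access even though Content Access does not list RoleA, because the TAC term grant matches on its own; on NONE_DOC, only the roles and user ids entered in Content Access/ACL (and Admin, via the term) get anything, and each user gets exactly the operations granted to them.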

To create a node with customized content access (using the "Document" content type):

  • Click on the "Create document" link in the Group menu.
  • Create the node as usual, except that for "Category" you select "NONE". Click on "Submit".
  • At this point, no one can see the node but you.
  • When the node is saved, you will see an "Access Control" tab next to the "View" and "Edit" tabs. Click on the "Access Control" tab.
  • You will see the "Role access control settings":
    (Screenshot: Role access control settings)
  • Below that you will see the "User access control lists" (ACL) section, which has the individual Grant view/update/delete lists. This is where you enter individual user IDs to grant a particular permission for this node:
    (Screenshot: User access control list)
  • On this screen, you can select the roles to give view/update/delete permissions for this node, or enter the users to grant view/update/delete permissions for this node.

    If you make any changes on this screen, don't forget to click on "Submit".

    Note that if you add users to the ACL using the "Add User" button, you must still click on the "Submit" button at the bottom of the screen for your entries to take effect.