I am writing this out of frustration in trying to come up with a method of giving certain rights to an individual (usually relegated to an administrator) but removing other rights. Maybe I just don't get how the taxonomy structure really works. I am using the taxonomy_access mechanism to limit access rights throughout the system.
I am trying to come up with a role designation for an individual which has the ability to administer users (initial entry, change names, change information) and be able to assign roles to that user (role rights being indicative of what is possible to do within a category). The exception is that this person can only assign a role up to their access rights and cannot change the definition of a role or change the permissions on specific categorys as defined in the taxonomy. By limiting these two cases I hope to keep the individual in this role (called manager) to administer day to day updates but not be able to change overall structure and access rights on the website.
In case you are wondering, the role of manager will be assigned to one of the church secretaries and to one pastor. I want to keep the role of administrator out of the hands of the church staff for technical and political reasons. Any ideas on how to proceed?
Comments
What I might try doing in a
What I might try doing in a case such as this, is to create small individualized administration and moderation roles. Then I would assign each person as many roles as they need to be able to fulfill their tasks. For example, I would create a User Administrator role that might only have one or more of the user administration permissions assigned to it (say "access user profiles" and "administer users"). I would also do the same thing for a blog or forum administrator or moderator, etc. Now, you cannot assign as fine-grained permissions as you can with taxonomy_access to particular forums (for example), but with that method you can create very specific roles that can be assigned to individuals who may have overlapping but not identical tasks, and you can combine the two methods to have even greater control over who can do what.
maybe og_promote or og_roles?
These modules may have some possiblities.
You might be able to allow the manager to only subscribe users to certain groups.
Then each of those groups would automatically assign certain roles (with sets of permissions) to those people who were subscribed to them.
(The manager could subscribe Joe to the calendar manager group - which would automatically add the calendar manager role to Joe)
That way the manager would not be touching the roles at all - just the group subscriptions.