Managing Content Access in Higher Education

benjag's picture

Does anyone have any recommendations on content access/permissions implementation they can share?

I'm a (relatively new) Drupal developer at a private university that's nearing the end of an almost-two-year transition from ColdFusion to Drupal 7. We have around 800 faculty/staff and almost 200 of them need (or want) access to edit specific pages or sections on the website.

Currently, we have a very basic permission structure in place. Our accounts are integrated with SSO through CAS and so every user has their individual account. Most fall into the general editor role and can edit pages they've been given ownership of. We also have a reviewer role who can publish those changes and 'edit any' on a few different content types.

Problems arise because some areas want more than one person to edit a page. I've solved this with Content Access and ACL but it's still a very manual process. I would love to be able to propagate access to all pages within a section but that's not so easily done. I am looking into the workbench suite which seems to allow that but I haven't tested it or seen it in action yet.


Penn State

aitala's picture

When Penn State rebuilt in D7, the developers used Workbench Access and Moderation (I think). They set up fairly complex taxonomies to handle the editorial access, the colleges, the campuses, and units and assigned people to each. The users are managed by LDAP groups... which themselves are managed in a completely different, non-Drupal system.

It is not a simple thing to do... and gets more complicated if you try and use multiple access control systems.


mercergirl's picture

We had our D7 site built by a vendor and they implemented Workbench Access and Moderation. The implementation could have been improved had we been involved in the user access discussion.

Workbench has worked fairly well, but we really just use it to assign special editors to content types (athletics for athletics news, profiles, rosters and schedules). The main page content types are only editable by our content manager and admins.

There is the drawback. If I want my arts and sciences department to have access to their pages, I will need to create new content types.

You might want to look at organic groups, especially for the departmental areas.

Workbench has worked well except for one time I installed a module to allow our managers access to view unpublished pages. Those permissions clashed with workbench and the permissions haven't been the same since.


I have worked extensively

joel_osc's picture

I have worked extensively with workbench moderation; it is really great for managing a role-based publishing workflow. It does have a few challenges associated with it so keep an eye on the issue queue.

Organic groups is very powerful and capable of doing sub-site style access control where users may not even be able to view content on a site unless they are a group member. For example, I built an LMS in which each course was a group, and only students registered with the course (group members) could view the course content. And, only group administrators (profs) could edit the course content. This might be overkill for doing just content moderation workflow, but keep it in mind as it is a great set of modules.

TAC Lite is another option where you can use a taxonomy vocabulary for 'departments' that you can assign to both users and content. Then TAC Lite will allow only a member of a specific department to edit content tagged with that department. It is a slick and light solution as the name suggests. I have even integrated TAC Lite with LDAP so a user's groups are assigned on login, removing one manual aspect. I can't remember if I used a module or just a hook, but you can also auto-tag content with the author's department so it automatically becomes 'group' content.

The nice thing about workbench is that it is panels and views based so you can modify a user's workbench to show 'group' content with either of the above implementations.
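
Added example, not part of the post above and not joel_osc's code: one way to do the auto-tagging with a Drupal 7 hook, which also keeps ordinary editors from moving a page into or out of a department's access scope. The module name `dept_autotag`, the `field_department` term reference field (assumed to exist on both user accounts and nodes) and the `reassign content department` permission are all assumptions.

```php
<?php
/**
 * Implements hook_permission().
 *
 * Hypothetical permission for the few roles allowed to set the tag by hand.
 */
function dept_autotag_permission() {
  return array(
    'reassign content department' => array(
      'title' => t('Reassign content department'),
      'restrict access' => TRUE,
    ),
  );
}

/**
 * Implements hook_node_presave().
 */
function dept_autotag_node_presave($node) {
  // Only act on content types that carry the (assumed) department field.
  if (!field_info_instance('node', 'field_department', $node->type)) {
    return;
  }
  // Trusted roles choose the department themselves; leave their value alone.
  if (user_access('reassign content department')) {
    return;
  }
  if (empty($node->is_new)) {
    // Existing node: restore the stored tag, so an editor cannot re-tag a
    // page and change who is allowed to edit it.
    if (isset($node->original->field_department)) {
      $node->field_department = $node->original->field_department;
    }
    return;
  }
  // New node: copy the author's department term(s) onto the node.
  // Assumes the field is not translated (LANGUAGE_NONE).
  $author = user_load($node->uid);
  $items = $author ? field_get_items('user', $author, 'field_department') : FALSE;
  $node->field_department[LANGUAGE_NONE] = array();
  foreach ($items ? $items : array() as $item) {
    $node->field_department[LANGUAGE_NONE][] = array('tid' => $item['tid']);
  }
}
```

A new node by an author with no department ends up untagged, so test how the access module in use treats untagged content before relying on this.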


Thank you all for your

benjag's picture

Thank you all for your input!

I installed Workbench Access and it seems promising (particularly the hierarchical permissions based on the menu structure) but I can't seem to get that to work correctly. I set the general editor role to be managed by the module and assigned test general editor to a section but still wasn't able to edit anything.

Does anyone know of any setup/troubleshooting tutorials? I wasn't able to resolve much with the included module documentation.


aitala's picture

What I have done for one site is:

  • Set up a Content Taxonomy.
  • Added a term reference field to Content Types I need to have moderated. I select the taxonomy and check the 'Workbench Access control field' box for the field.
  • Also check that 'Enforce Workbench Access control' is checked for your Content Type....
  • Make sure that your Content Taxonomy is selected in Workbench Moderation's "Taxonomy scheme settings" setting. You might also want to enable the content types.
  • Assign various Drupal Roles to the Taxonomy sections and assign users, if needed, as editors on per user/section basis.

I'm not sure that is all I did... it took a bit of fiddling, but I did get it to work. I think the longest part was actually going back and assigning the term reference to all the preexisting nodes.

No, it is not always easy and will require you and your users to test things out. There is also the odd issue of users not seeing unpublished content (from other users) but the View Unpublished module solves that. This crops up when multiple people need to edit the same content and someone other than the original author is trying to find and edit an unpublished node. If they don't know the actual URL, the node won't be listed in the Content admin page.

Monster Menus

David.Hamilton's picture


Monster menus:

Also handles hierarchical access control and propagation. It's in use at a number of schools and addresses the problem space you're working on. It's more of a toolkit than a turnkey solution, but if you're looking for additional tools to test, it's worth a look as well.