When working with large organizations—whether in private enterprise, governmental organizations, or nonprofits—editorial responsibility is often spread across multiple sub-organizations. Depending on the type of organization, those subdivisions can look very different:

- Department > division > section or program
- Bureau > program > project or team
- Brand > product line > product

In all of the above structures, there is some hierarchy and some cross-organizational oversight to the editorial process combined with the overall administration of the website.

Organizational structure for a site can also significantly differ for publicly-accessed content versus employee intranets versus membership-based websites.

Drupal.org has somewhat-outdated documentation for a Comparison and Overview of Access Control modules. The documentation in question was created for Drupal 7, updated somewhat for Drupal 8—it hasn’t been maintained for Drupal 9 and 10.

While this overview outlines a long list of access control modules, it doesn’t speak much to the “why” or “how does this module work”. With this post, I hope to outline some approaches to access control in Drupal and talk about why you might want to take one approach over another.

We’ll cover:

- What’s in Drupal core to handle access control?
- The simplest approach: trust more and verify
- The Group module
- Workbench suite of modules
- Taxonomy Access Control Lite
- What about Organic Groups (OG)?
Presentation Slide: https://joshuami.com/2023/10/27/access-control-strategies-for-enterpris…