Access Control Strategies for Enterprise Drupal Websites

When working with large organizations—whether in private enterprise, governmental organizations, or nonprofits—editorial responsibility is often spread across multiple sub-organizations. Depending on the type of organization, those subdivisions can look very different:

- Department > division > section or program
- Bureau > program > project or team
- Brand > product line > product

In all of the above structures, there is some hierarchy and some cross-organizational oversight to the editorial process combined with the overall administration of the website.

Organizational structure for a site can also significantly differ for publicly-accessed content versus employee intranets versus membership-based websites.

Drupal.org has somewhat outdated documentation for a Comparison and Overview of Access Control modules. The documentation in question was created for Drupal 7 and updated somewhat for Drupal 8, but it hasn’t been maintained for Drupal 9 and 10.

While this overview outlines a long list of access control modules, it doesn’t speak much to the “why” or “how does this module work”. With this post, I hope to outline some approaches to access control in Drupal and talk about why you might want to take one approach over another.

We’ll cover:

- What’s in Drupal core to handle access control?
- The simplest approach: trust more and verify
- The Group module
- Workbench suite of modules
- Taxonomy Access Control Lite
- What about Organic Groups (OG)?

Presentation Slide: https://joshuami.com/2023/10/27/access-control-strategies-for-enterpris…