Now that your site is up and running, you have a couple of decisions to make. First, will you have any administrators on the site other than yourself? Second, will your site be open to everyone, or will users need to log in to view content and other features? In this chapter, I cover how Drupal treats visitors to your site, and how you as a site administrator can configure Drupal’s user account features to restrict the capabilities of those who have user accounts on your system.
Controlling who can do what on your website is handled by Drupal’s security features, which let you define who can view, create, update, delete, and participate through a combination of individual user accounts, user roles, and permissions.
Users (or site visitors) in Drupal 8 are divided into two general categories: anonymous users and authenticated users. Anonymous users are individuals who visit your website and do not log in using a user ID and password. With Drupal, you have the ability to support anonymous users, and you also have the ability to restrict what an anonymous user can do on your site. Authenticated users are visitors to your site who log in using a unique user ID and password. I’ll cover how user IDs and passwords are created shortly, but understanding the difference between the two categories of users is important. A lot of Drupal developers post useful tutorials about handling users.
Roles are a Drupal mechanism that allows you, the site administrator, to define categories of authenticated users of your website. You may define roles on your website that are department specific (e.g., a role each for human resources, purchasing, sales, marketing, and customer service), roles that are functionally oriented (e.g., content authors, content reviewers, content publishers), roles that are associated with a specific section of your website (e.g., products, support, sales, homepage), or any other definition that you can dream up. Roles are simply a way of putting authenticated users into categories, where categories are associated with specific permissions. Any authenticated user of your website may be assigned to none, one, or more than one role (e.g., you may have a user who is assigned roles of sales department, content author, and products).
Permissions in Drupal are a mechanism for controlling what a user assigned to a specific role can do. There are dozens of permissions that you can enable or revoke for each user role you have defined. Examples of permissions that you might set for a specific role include: the ability to create a new page, the ability to create a new article, the ability to edit any article regardless of who authored it, the ability to search content on the website, and the ability to add a new user account. The combination of permissions that you set for each role defines what a user assigned to that role can do on your website once they have successfully logged in. When you combine user roles with permissions and individual user accounts, you end up with a highly configurable solution for securing access to key features and content on your website.
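As an added example (not from the book), this is what a functionally oriented "content author" role looks like when exported as Drupal 8 configuration, using the permission machine names behind the capabilities listed above. The role id, label, weight and file name are my own choices; the keys and permission names are Drupal 8's.

```yaml
# user.role.content_author.yml
# One file per role in the config sync directory; import with
# `drush config:import` or at admin/config/development/configuration.
langcode: en
status: true
dependencies:
  config:
    - node.type.article        # 'create/edit article' permissions depend on the Article content type
  module:
    - node
    - search
id: content_author
label: 'Content author'
weight: 3
is_admin: false                # only the administrator role should carry is_admin: true
permissions:
  - 'access content'           # view published content; the anonymous role normally has this too
  - 'create article content'
  - 'edit own article content' # limited to the author's own articles;
                               # 'edit any article content' belongs to a reviewer/publisher role
  - 'search content'
# Deliberately absent: 'administer users' (add and edit user accounts) and
# 'administer permissions'. Granting either to an author role effectively
# makes every author a site administrator.
```

After import, compare the result against the Permissions page (admin/people/permissions) to confirm that no role other than the administrator carries the "administer" permissions.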