A Drupal User Administration Tip
I’ve been working a lot with the Drupal content management system lately, and one tip I’d share with anybody managing a Drupal site is to keep the administration account separate from their user account.
Why? Because if you’re managing a community site, the administrator account has ultimate power. You only want to be using this where absolutely necessary. In fact, I’d suggest you have 3 user accounts:
- The Built-in Administrator Account: In Drupal, the built-in admin account has total control to manage the site’s features.
- Your live account: Your own identity on the website that you use when posting content and interacting with other members.
- A dummy account for testing permissions: An account whose permissions you can alter to test menus and access rights.
The Administrator Account
I use the admin account for high-level tasks like activating/installing modules and configuring forum features. The admin account has total control of the site by default, and needs to be managed carefully.
By not using it as my primary account, I’m not tempted to go in and make tweaks to the configuration on an ad-hoc basis. This sometimes prevents rash changes that might affect the way the site works.
The Live Account
I keep a live account for posting and interacting on the site myself. My permissions are still higher than a normal user, but only allow me to carry out moderation tasks. This way, I get roughly the same user experience that other users get, which is useful from a site design and usability perspective.
I add myself (and other high-level users) to a Trusted Members group which has the appropriate access permissions granted in Drupal.
The Dummy Account
Keeping a ‘dummy’ user account is useful when I want to test permissions in Drupal. This can be useful to test everything from basic ‘authenticated user’ permissions through all of the tiers of user access I’ve created for the site. You just use your administrator permissions to grant the appropriate level of access to the dummy account, then log on with that account and check the menu structures and what features you have access to.
This can be helpful, as I discovered today that one of my sites had image uploading permissions for authenticated users, but didn’t have blog/forum posting rights. Likewise, I discovered my ‘trusted member’ group had access to the page and story content types. I didn’t want this, as I wanted to restrict trusted members (including myself) to using the blog/forum/image content types.
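The comparison the dummy account makes by hand, granted permissions against intended ones for each tier, can also be scripted. This is an added example, not code from the original post: the permission strings, the export format and the function names are constructed, and it assumes every logged-in account also receives the 'authenticated user' role's permissions on top of its own role.

```python
# Added example: audit each tier's effective permissions against an intended policy.
# Role names follow the post; permission strings and the export format are constructed.

AUTHENTICATED = "authenticated user"

# Constructed sample of what the site currently grants (role -> comma-separated list).
ACTUAL_EXPORT = {
    "authenticated user": "access content, upload images",
    "trusted member": "moderate forum posts, create page content, create story content",
}

# Intended policy: what an account in each tier should be able to do in total.
BASE = {"access content", "upload images", "create blog entries", "create forum topics"}
INTENDED = {
    "authenticated user": BASE,
    "trusted member": BASE | {"moderate forum posts"},
}


def parse_export(export):
    """Turn comma-separated permission strings into sets, dropping empty entries."""
    return {role: {p.strip() for p in perms.split(",") if p.strip()}
            for role, perms in export.items()}


def effective(grants, role):
    """A tier's effective permissions: its own grants plus the authenticated baseline."""
    return grants.get(AUTHENTICATED, set()) | grants.get(role, set())


def audit(export, intended):
    """Return, per tier, permissions granted but not intended and intended but missing."""
    grants = parse_export(export)
    findings = {}
    for role, wanted in intended.items():
        have = effective(grants, role)
        unexpected, missing = sorted(have - wanted), sorted(wanted - have)
        if unexpected or missing:
            findings[role] = {"unexpected": unexpected, "missing": missing}
    return findings


if __name__ == "__main__":
    for role, result in audit(ACTUAL_EXPORT, INTENDED).items():
        print(role, result)
```

Because the trusted tier inherits the authenticated baseline, a gap in the baseline shows up in both tiers, which is the same thing logging in as the dummy account at each level would reveal.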
I hope this is helpful for Drupal administrators. If there’s one thing I would do again on some of my early Drupal sites, it would be to set up better segmentation between my administrator account and my live posting account.