The Importance of User Roles and Permissions for Site Security

Rethink your roles

When discussing site security, we often use words like "attacker", "malicious user" or "untrusted" to describe site visitors who may be intent on abusing resources or on stealing or altering data. Within Drupal, visitors can achieve these goals using the permissions granted to their roles. This is the key component: we have to think of visitors in terms of the roles they have and the permissions we've granted those roles. Then, instead of just thinking about trusted vs. untrusted users, we are thinking about trusted vs. untrusted roles.

Drupal Security presentation slides from BADCamp

At the Bay Area Drupal Camp yesterday, I presented on Drupal Security for site administrators and beginners, which covered some of the important ways you can protect your site from attacks through configuration of Drupal core. Attached are the slides from the presentation.

Drupal text filtering decision cheat sheet

This flowchart is based on the one that Heine Deelstra presented at Drupalcon Paris.

I'm hopeful that the presentation will be helpful in eliminating Drupal's most common security issue!
