"Mark Hope" wrote:

I support the idea.

The ability to let other users handle the assignment of roles is...well, possibly useful. It's a good idea to be able to automate/delegate all kinds of permissions, and so this makes sense to me, too. With some concerns... This module, in core, should include some pretty stringent logic to prevent the site admin (user = 1) from letting any generic user (user ‚ 1) create or assign themselves a role which has destructive potential. This might be simple enough by providing an "access grid" UI where the site admin could mark specific access features as "excluded from RoleAssign created roles". Another way to say this is that, as core or contrib modules add access right rows to the table, the admin should be able to include/exclude those rights from be "assignable" through any ModuleX (RoleAssign, in this case.)

Makes complete sense to me.

[This is slightly OT to the issue of inclusion in core, but because I think it's related to the concerns over mis-use or improper use, and because a full understanding of this module is important _to_ the discussion of inclusion into core, I'll include this here at risk of my own peril.] I would say that the description you provided [*] does _not_ make complete sense to me. The author over-uses the words "user", which have different meanings, at different times, in the description and in the administration of Drupal. Granted, it can be tedious to careful avoid confusion in a description of this kind of module (since it's about roles being able to create roles), but great care should be taken to make clear distinctions between "user" and "user" (yes, that's an intentional word duplication here.) Creating some specific language might help here. Some suggestions: - the 'user 1' user ==> Administrator or Super-User - user ==> site user, registered user

I wasn't aware of the module - I'll take a look as I'm delegating that task right now.

How are you doing this without the use of the module, which you've never heard of? Is there some other module or feature which is allowing you to assign a "role assignment" permission to your users? -- inkfree [*] Original description.

RoleAssign introduce the |assign roles| permission. While editing a user's account information, a user with this permission will be able to select roles for the user from a set of available roles. Roles available are configured by users with the |administer access control| permission. Thus, RoleAssign lets site administrators delegate assignment of selected roles.

Draft suggestion for a more thorough description: RoleAssign specifically allows Site Administrators to further delegate the site task of managing User Roles. RoleAssign introduces a new site task permission called |assign roles|. This task permission allows the Site Administrator to grant authority to other Site Users (or Site Users in a Role Group) the ability to further assign roles to still other Site Users. The Site Administrator, or any Site User with access to the |administer access control| task permission, may set up and configure roles which are able to delegated through this module. Incorrect use of this module could compromise site security or could limit the ability of the site administrator from properly administering the Drupal web site. One should have a thorough understanding of the Drupal role-based permission system and of the management of user access permissions before installing this module. For more information about User Roles, Role Groups and managing Access Permission features of Drupal, please see <...>

"Thomas Barregren" wrote:

You write that "Incorrect use ... could limit the ability of the site administrator from properly administering the Drupal web site." How do you mean? The site administrator, e.g. user 1, always have all permissions irrespective of assigned roles. So how could his/hers ability be limited?

I mean that, unless one is very careful in the setting of access privileges, roles which can receive those privileges, and users assigned to those roles, then the ability of the Site Administrator to be fully (and only) in control of site features could be compromised. I only suggest that you take a special sentence or two to _very clearly_ tell the module user that they should be completely familiar with Drupal's role-permission access system. Already this system is complicated by a terrible UI [*] when there are more than 2 or 3 roles and a few dozen modules. To add another "meta layer" of "permission-granting permission" could leave a Site Admin (user = 1) baffled about some why some user/role is able/not able to take an action, and in the case of actual role creation/assignment and permission assignment, this could be disastrous. I'm not being overly cautious, I think, to encourage you to write an extremely clear description/help file and to specifically _warn/alert/notify/caution_ the module user about all the potential issues. -- inkfree [*] The UI for access control is, frankly, quite bad. Arbitrary width columns for roles and non-collapsible module-level "task permission" entries (table rows) make for a cumbersome and always changing UI. I hope that 5.0 brings some of that 'ajax' goodness to the administrative UI, so that things like "Settings", "Block Config", "Access Control" and similar tabular/sectioned lists can be better navigated and share a consistent interface.