Maintain Roles and Permissions
The user management interface allows administrators to create user groups with sets of permissions ("roles") and to define what each user group is allowed to do within the web interface ("permissions"). There are two default roles:
- anonymous users are readers of a site who do not have an account, or who have an account but are not logged in.
- authenticated users is the role automatically given to new users in the system, though they can be upgraded or downgraded depending on how you set up the permission structure.
To create a role
- Click Administer » User management » Roles.
- Type in the role name. Aim for a balance between length and descriptiveness in the name ("User", for example, is short but not descriptive, and "People who have access to blogs, events, and stories" is very descriptive but probably too long).
- Click the "Add role" button, and the new role will appear in the list.
To create permissions for a role
- Click Administer » User management » Access control.
- The resulting screen shows the roles as columns and the permissions as rows. Checking a box enables a permission for a user role; unchecking it disables that permission.
Permissions Definitions
The verbs in the permission screen determine what a user can do with a content type or administration task.
- administer means the user has full administrative access to a piece of content or area of the site. This means the ability to edit content, promote content to the front page, and change settings for that content type.
- access means the user has the ability to read the content in their browser. A common reason for "Page not found" errors for content that exists is that the user role (often the anonymous user role) does not have "access" to that content via the permissions.
- edit means the user can change their own content once they've submitted it.
- create means the user can create new content of that type, but does not necessarily imply that they can edit it after they've submitted it. See the edit permission above.
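As an added example (not part of the original page and not the product's own code), the Python below reviews a role/permission matrix like the one on the Access control screen, using the four verbs defined above. The matrix format, the permission names, the finding labels, and the policy that the two default roles should not hold "administer" permissions are assumptions made for illustration.

```python
# Constructed sample: role -> set of checked permissions. Names are illustrative.
SAMPLE_MATRIX = {
    "anonymous user": {"access content", "administer comments"},
    "authenticated user": {"access content", "access comments",
                           "create blog", "edit blog"},
    "event editor": {"access content", "access comments", "create events"},
}

VERBS = ("administer", "access", "edit", "create")
ANONYMOUS = "anonymous user"
DEFAULT_ROLES = (ANONYMOUS, "authenticated user")


def by_verb(perms):
    """Group permission names by leading verb, e.g. {'create': {'blog'}, ...}."""
    grouped = {verb: set() for verb in VERBS}
    for perm in perms:
        verb, _, target = perm.partition(" ")
        if verb in grouped and target:
            grouped[verb].add(target)
    return grouped


def audit(matrix):
    """Return (role, finding, target) tuples for grants worth a second look."""
    grouped = {role: by_verb(perms) for role, perms in matrix.items()}
    readable_by_someone = set().union(*(g["access"] for g in grouped.values()))
    findings = []
    for role in sorted(grouped):
        g = grouped[role]
        # Assumed policy: "administer" is full control, so it should not sit on
        # a role that every visitor or every new account receives automatically.
        if role in DEFAULT_ROLES:
            findings += [(role, "administer-on-default-role", t)
                         for t in sorted(g["administer"])]
        # "create" does not imply "edit": authors cannot fix their own posts.
        findings += [(role, "create-without-edit", t)
                     for t in sorted(g["create"] - g["edit"])]
        # Content other roles can read but visitors cannot: the usual source
        # of errors reported by users who are not logged in.
        if role == ANONYMOUS:
            findings += [(role, "anonymous-lacks-access", t)
                         for t in sorted(readable_by_someone - g["access"])]
    return findings


if __name__ == "__main__":
    for role, finding, target in audit(SAMPLE_MATRIX):
        print(f"{role}: {finding} ({target})")
```

Each finding is a prompt to confirm the box was checked or left unchecked on purpose; it is not necessarily a misconfiguration.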