Drupal is a registered trademark of Dries Buytaert
drupal 11.3.7 Update released for Drupal core (11.3.7)! drupal 11.2.11 Update released for Drupal core (11.2.11)! drupal 10.6.7 Update released for Drupal core (10.6.7)! drupal 10.5.9 Update released for Drupal core (10.5.9)! cms 2.1.1 Update released for Drupal core (2.1.1)! drupal 11.3.6 Update released for Drupal core (11.3.6)! drupal 10.6.6 Update released for Drupal core (10.6.6)! cms 2.1.0 Update released for Drupal core (2.1.0)! bootstrap 8.x-3.40 Minor update available for theme bootstrap (8.x-3.40). menu_link_attributes 8.x-1.7 Minor update available for module menu_link_attributes (8.x-1.7). eca 3.1.1 Minor update available for module eca (3.1.1). layout_paragraphs 2.1.3 Minor update available for module layout_paragraphs (2.1.3). ai 1.3.3 Minor update available for module ai (1.3.3). ai 1.2.14 Minor update available for module ai (1.2.14). node_revision_delete 2.0.3 Minor update available for module node_revision_delete (2.0.3). moderated_content_bulk_publish 2.0.52 Minor update available for module moderated_content_bulk_publish (2.0.52). klaro 3.0.10 Minor update available for module klaro (3.0.10). klaro 3.0.9 Minor update available for module klaro (3.0.9). layout_paragraphs 2.1.2 Minor update available for module layout_paragraphs (2.1.2). geofield_map 11.1.8 Minor update available for module geofield_map (11.1.8).
← All modules

access_policy

274 sites Security covered
View on drupal.org

Access policy is an incredibly powerful module that allows you to use fields and other attributes to control access to entities. No code required.

With Access Policy you can do things like:

  1. Restrict content to members in a particular group, section or department.
  2. Only allow authors to edit content from 9:00 AM - 5:00 PM, Monday through Friday.
  3. Restrict content by priority or security level such as secret, confidential, public etc.
  4. Make content private while granting view access to specific users (see screen shot).
  5. Grant access to content by assigning it to individual users.
  6. Soft-delete content with an “Add to trash” checkbox.
  7. Grant access to users with a specific domain name in their email address.
  8. Create gated content with a custom access denied message.
  9. Allow authors to edit all unpublished content except for archived content.

Any many more use cases.

How it works:

Access policy compliments Drupal's role based access control (RBAC) architecture with an Attribute-Based Access Control (ABAC) architecture that leverages Drupal fields as the attributes.

In general it follows three steps:

  1. Define the fields in Drupal.
  2. Configure the access policy.
  3. Assign the policy to entities.

For example, to restrict content by section:

  1. Create a "Section" vocabulary.
  2. Add a Section taxonomy term entity reference field to a content type and user.
  3. Create a new Access policy that compares those fields.
  4. Assign the Access policy to entities.

For more details, please see the Access Policy Overview or step-by-step Tutorials.

Developer notes

Built for developers:
This module is highly extensible with custom plugin types for Operations, Access Rules, Selection Rules and more. This gives developers complete control of how to define their access scheme. For more details please see the README and access_policy.api.php.

What is the difference with Drupal's new Access Policy API?
Starting with Drupal 10.3, Drupal core will be supporting its own Access Policy API.

There are two primary differences between the API and this module.

  • The API is meant for developers and requires custom code. This module is configuration based and can be installed and configured without writing any code. Future versions of the Access Policy module will incorporate the new API when it is released.
  • The API is a generic implementation of Policy Based Access Control (PBAC). This module is an implementation of Attribute-Based Access Control (ABAC). A type of PBAC that relies on Drupal fields to control access.

For more details you can watch this presentation about Attribute Based Access Control in Drupal.

Activity

Total releases
3
First release
Feb 2025
Latest release
10 months ago
Release cadence
49 days
Stability
0% stable

Release Timeline

Releases

Version Type Release date
2.0.0-rc1 Pre-release May 29, 2025
1.0.0-rc1 Pre-release May 29, 2025
2.0.x-dev Dev Feb 20, 2025