Group content by department

In this tutorial we’re going to use the Access Policy module to create sections of content based on department. Each section will have one or more Content managers. Employees can view all the content in their respective department without being able to edit it.

Step by Step

Step One: Create the user roles 

Add the Content manager role

This role is responsible for managing the content, they’ll be able to edit and view all the content in their department.

1. Go to /admin/people/roles
2. Create a new Role called “Content manager” with the following permissions
   • View published content
   • Access the Content overview page 
   • View own unpublished content 
   • Basic page: Create new content 
   • Basic page: Edit any content 
   • Basic page: Delete any content 
   • Basic page: Delete own content 
   • Basic page: Edit own content  
   • Use the toolbar 
   • View the administration theme
3. Create a new Role called “Employee” with the following permissions
   • View published content
   • Access the Content overview page 
   • Use the toolbar

Now we have our roles, however Content managers can still edit all basic pages. We don’t want that! So let’s start to restrict content by department.

Step Two: Create the Department taxonomy

1. Go to /admin/structure/taxonomy
2. Create a new Vocabulary called “Department”
3. Add the following terms 
   • Marketing
   • Operations
   • Finance

 Step Three: Add Department fields

1. Add a new Taxonomy term entity reference field to the Basic page
2. Give it the label “Department”  
3. Leave allowed number of values set to 1
4. Choose the Department vocabulary and click Save settings.
5. Go to /admin/config/people/accounts/fields
6. Add a new Taxonomy term entity reference field to the user
7. Give it the label “Department”  
8. Leave allowed number of values set to 1
9. Choose the Department vocabulary and click Save settings.

We’ve set up our fields, now let’s get them talking to each other! 

Step Four: Create the Department access policy

1. If you haven’t already, download and install the Access policy module.
2. Enable the access_policy_ui sub module.
3. Go to /admin/people/access-policies
4. Add a new Access policy called “Department” 
5. Edit the permissions for the Employee role and grant the following permission:
   • Department: View any content assigned this access policy
6. Edit the permissions for the Content manager role the and grant the following permissions:
   • Department: Assign to any content
   • Department: Delete any content assigned this access policy 
   • Department: Edit any content assigned this access policy.
   • Department: View any content assigned this access policy.
   • Department: View any unpublished content assigned this access policy.
7. Click Add access rule
8. Search for and select “Compare Department with user”
   • Note that you can also choose “Compare Department with user (with depth)” if you want to support hierarchy!
9. For the operator choose “Is one of” 
10. For user field choose “Department”
11. This will compare the node’s department with the user’s department and ensure that they match.
12. Leave all other options as they are and click save.
13. Go to Manage selection 
14. Click Add selection rule
15. Select Department > Click add rule
16. Under operator choose Is not empty
17. Under field access settings change it to Permission and leave the default permission selected.
18. Save the selection rule
    • We add a selection rule in order to do two things: Limit this access policy to only nodes that have the Department field, and tell it to assign this policy when that field has a value.

Now with the Department access policy in place, you can create sections of content for each department. Let’s do that now!

Step Five: Create some content restricted by department

1. Log in as a Content Manager whose department is set to “Finance”
2. Create a new Basic page
3. Note on the right column that Access is currently set to Unrestricted. Let’s change that.
4. From the Department field, change it to “Finance” and save the node.
   • Right now all content managers can restrict content to any department (yikes!). That's ok though, we'll take care of that.
5. Edit the node again
6. Observe that Access has changed to “Department”

Step Six: View the content as an employee

1. Create a new employee with Department set to Operations 
2. Log in as that employee 
3. Go to /admin/content
4. Observe that no content is available for that employee. 
5. Change their Department to Finance
6. Go back to /admin/content
7. Observe that they can now see the content!

And that’s it! You can now serve content for different departments!

However, we do have one security issue that we mentioned earlier. Content managers can assign content to any department. That's not good! Let's start restricting those terms now.

Step Seven: Create Term department access policy

Access policy supports more than just content. You can restrict taxonomy terms, media, block content and even paragraphs! For the rest of this tutorial we're going to lock down taxonomy terms so that authors can't assign the wrong ones.

1. Go to /admin/people/access-policies
2. Add a new Access policy called “Term department” 
3. For Entity type choose "Taxonomy term"
4. Edit the permissions for the Content manager role and grant the following permission:
   • Term department: View any taxonomy term assigned this access policy
5. Click Add access rule 
6. Search for and add the access rule: Current user: Has reference to this taxonomy term
7. Go to Manage selection 
8. Click Add selection rule
9. Select Vocabulary > Click add rule
10. For Value choose "Department"
11. Save the selection settings.

Step Eight: Turn on manual mode for taxonomy terms.

Managing access on taxonomy terms is easier with Manual mode turned on. Let's do that now!

1. Go to /admin/people/access-policies
2. Click Taxonomy term settings 
3. Under Selection mode choose “Manual” 
4. Enable "Show operations link"
5. For Default policy choose "First available"
6. Save the settings
7. Clear the Drupal cache.

Step Nine: Restrict terms by department

1. Go to /admin/structure/taxonomy/manage/department/overview
2. Change the access for each of the terms to "Term department"

Now Content managers will only have access to the terms assigned to them!