User Management
Craft’s “Users” represent humans in the system. These may be member accounts, or records that represent people in general.
The first user account is created during installation. If you stick with the Solo edition, this is the only account you will be able to create. If you need more (or you want to support public registration) you can upgrade to the Pro edition, which offers additional user accounts.
# Admin Accounts
Admin accounts are special accounts that can do everything within Craft, including some things that don’t have explicit permissions:
- Everything within the Settings section
- Make other users Admins (Pro)
- Administrate other Admins (Pro)
The user account you create during installation is an admin by default.
Considering how much damage an admin can do, we strongly advise caution when creating new admin accounts; only create them for those you trust and who know what they’re doing.
# User Groups
If you have Craft Pro, you can create User Groups to help organize your site’s user accounts, as well as batch-set permissions on them.
To create a new User Group, go to Settings → Users and press + New user group. You can give your group a Name and Handle, plus any Permissions you want every user within the group to have.
After you create your groups, you can assign users to groups by going into their account settings and choosing the Permissions tab.
# Permissions
Craft Pro allows you to set permissions on users and groups, such as the ability to access the control panel, edit content within certain sections, etc. You can apply these permissions directly to user accounts as well as to user groups. When you apply permissions to a user group, all users that belong to that group will inherit them.
Make sure you trust users with access to settings that accept Twig code, like the Settings section and the System Messages utility. It’s possible to do malicious things in Craft via Twig, which is intended primarily for trusted admins and developers.
The permissions Craft comes with are:
Permission | Handle |
---|---|
Access the site when the system is off | accessSiteWhenSystemIsOff |
Access the control panel | accessCp |
↳ Access the control panel when the system is offline | accessCpWhenSystemIsOff |
↳ Perform Craft CMS and plugin updates | performUpdates |
↳ Access [plugin name] | accessPlugin-[PluginHandle] |
Edit users | editUsers |
↳ Register users | registerUsers |
↳ Moderate users | moderateUsers |
↳ Administrate users | administrateUsers |
↳ Impersonate users | impersonateUsers |
↳ Assign user permissions | assignUserPermissions |
↳ Assign users to this group | See note. |
↳ Assign users to [group] | assignUserGroup:[UserGroupUID] |
Delete users | deleteUsers |
Edit [site name] | editSite:[SiteUID] |
View entries | viewEntries:[SectionUID] |
↳ Create entries | createEntries:[SectionUID] |
↳ Save entries | saveEntries:[SectionUID] |
↳ Delete entries | deleteEntries:[SectionUID] |
↳ View other users’ entries | viewPeerEntries:[SectionUID] |
↳ Save other users’ entries | savePeerEntries:[SectionUID] |
↳ Delete other users’ entries | deletePeerEntries:[SectionUID] |
↳ View other users’ drafts | viewPeerEntryDrafts:[SectionUID] |
↳ Save other users’ drafts | savePeerEntryDrafts:[SectionUID] |
↳ Delete other users’ drafts | deletePeerEntryDrafts:[SectionUID] |
Edit [global set name] | editGlobalSet:[GlobalSetUID] |
View categories | viewCategories:[CategoryGroupUID] |
↳ Save categories | saveCategories:[CategoryGroupUID] |
↳ Delete categories | deleteCategories:[CategoryGroupUID] |
↳ View other users’ drafts | viewPeerCategoryDrafts:[CategoryGroupUID] |
↳ Save other users’ drafts | savePeerCategoryDrafts:[CategoryGroupUID] |
↳ Delete other users’ drafts | deletePeerCategoryDrafts:[CategoryGroupUID] |
View assets | viewAssets:[VolumeUID] |
↳ Save assets | saveAssets:[VolumeUID] |
↳ Delete assets | deleteAssets:[VolumeUID] |
↳ Replace files | replaceFiles:[VolumeUID] |
↳ Edit images | editImages:[VolumeUID] |
↳ View assets uploaded by other users | viewPeerAssets:[VolumeUID] |
↳ Save assets uploaded by other users | savePeerAssets:[VolumeUID] |
↳ Replace files uploaded by other users | replacePeerFiles:[VolumeUID] |
↳ Remove files uploaded by other users | deletePeerAssets:[VolumeUID] |
↳ Edit images uploaded by other users | editPeerImages:[VolumeUID] |
↳ Create subfolders | createFolders:[VolumeUID] |
Utilities | |
↳ Updates | utility:updates |
↳ System Report | utility:system-report |
↳ PHP Info | utility:php-info |
↳ System Messages | utility:system-messages |
↳ Asset Indexes | utility:asset-indexes |
↳ Queue Manager | utility:queue-manager |
↳ Caches | utility:clear-caches |
↳ Deprecation Warnings | utility:deprecation-errors |
↳ Database Backup | utility:db-backup |
↳ Find and Replace | utility:find-replace |
↳ Migrations | utility:migrations |
You may not see all of these options, initially—only ones that are relevant based on the current content schema will be displayed. For example, everything under View categories will be hidden until you have at least one category group.
Plugins may register their own permissions, which can appear in a top-level group, under Access the control panel, or within Utilities.
See the Extending Craft User Permissions page to learn how to register custom permissions from your module or plugin.
# Checking Permissions
You can check whether the logged-in user has a specific permission by using its handle, replacing any bracketed items in the table above with the desired value (so `accessPlugin-[PluginHandle]` would become `accessPlugin-commerce`).
```twig
{% if currentUser.can('accessCp') %}
  <a href="{{ cpUrl() }}">Visit the Control Panel</a>
{% endif %}
```
For UID-driven permissions, you can either hard-code the value in Twig, or look it up dynamically.
```twig
{# Store the UID directly in the template: #}
{% if currentUser.can('createEntries:4fcb3c63-9477-4b5f-8021-874d64f819ce') %}
  <a href="{{ siteUrl('account/vendors/add') }}">Add a Vendor</a>
{% endif %}
```
This is not strictly necessary, but the handle of a given resource is often much easier to understand in the template context.
UIDs are safe to use like this because they’re tracked in Project Config and will be consistent across environments.
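The dynamic lookup mentioned above, as an added example that is not part of the original page. It assumes a Craft version where sections are exposed on `craft.app.sections` and a section with the hypothetical handle `vendors`; it also guards against guests and a missing section so the check fails closed.

```twig
{# Added example: resolve the section UID from its handle instead of hard-coding it. #}
{# Assumption: a section with the handle "vendors" exists (hypothetical handle). #}
{% set section = craft.app.sections.getSectionByHandle('vendors') %}

{# currentUser is null for guests and section is null when the handle does not match,
   so test both before building the permission handle. `and` short-circuits,
   so .can() is never called on a null user and .uid is never read from a null section. #}
{% set canAddVendor = currentUser
  and section
  and currentUser.can("createEntries:#{section.uid}") %}

{% if canAddVendor %}
  <a href="{{ siteUrl('account/vendors/add') }}">Add a Vendor</a>
{% endif %}
```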
# Requiring Permissions
You can also require the logged-in user to have a specific permission to access an entire template:
```twig
{% requirePermission 'accessCp' %}
```
# Public Registration
Craft Pro has the option of allowing public user registration, which is disabled by default.
To enable public registration, go to Settings → Users → Settings, and check Allow public registration. With that checked, you will also have the ability to choose a default user group to which Craft will assign the publicly-registered users.
Once you set up your site to allow public user registration, the last step is to create a user registration form on your site’s front end. For a full list of params a user can set during registration (or when updating their account, later on), read about the `users/save-user` controller action.
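A registration form that posts to `users/save-user`, as an added example that is not part of the original page. It assumes Allow public registration is enabled; the markup and the choice of fields (`username`, `email`, `password`) are illustrative.

```twig
{# Added example: front-end registration form for the users/save-user action. #}

{# When validation fails, Craft re-renders the template with the rejected
   user model as `user`; default to null on the first page load. #}
{% set user = user ?? null %}

{% if currentUser %}
  <p>You are already signed in.</p>
{% else %}
  <form method="post" accept-charset="UTF-8">
    {# CSRF token plus the controller action the POST is routed to. #}
    {{ csrfInput() }}
    {{ actionInput('users/save-user') }}

    <label for="username">Username</label>
    <input id="username" type="text" name="username"
           value="{{ user ? user.username }}" autocomplete="username">
    {% for error in (user ? user.getErrors('username') : []) %}
      <p class="error">{{ error }}</p>
    {% endfor %}

    <label for="email">Email</label>
    <input id="email" type="email" name="email"
           value="{{ user ? user.email }}" autocomplete="email">
    {% for error in (user ? user.getErrors('email') : []) %}
      <p class="error">{{ error }}</p>
    {% endfor %}

    {# The submitted password is never echoed back into the page. #}
    <label for="password">Password</label>
    <input id="password" type="password" name="password"
           autocomplete="new-password">
    {% for error in (user ? user.getErrors('password') : []) %}
      <p class="error">{{ error }}</p>
    {% endfor %}

    <button type="submit">Register</button>
  </form>
{% endif %}
```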