Role

Vasyl Martyniuk

Beta 1

This is the documentation for the AAM 7.0.0-beta.1 release. We are actively working on the documentation, and it may change before the stable release is announced.

Syntax

Role:<slug>
Role:<slug>:users
Role:* - Premium Feature

Definition

AAM treats all WordPress roles (including custom-made ones) as a resource that can be applied to user or role access levels. The Role:<slug> resource works similarly to assigning any WordPress role or multiple roles to a user on the "Profile" page. For example, the following statement assumes the "Editor" role for the currently authenticated user.

{
    "Statement": {
        "Effect": "allow",
        "Resource": [
            "Role:editor"
        ]
    }
}

The Role:<slug> resource expects a valid role slug, which can be found on the AAM "Users & Roles" widget.

Actions

The Role resource also supports the Action property with two actions:

  • The List action allows you to hide any targeted role. In other words, it makes the role invisible. For more details on role visibility, refer to the "What is an "editable role" in WordPress?" Q&A.
  • The Assume action assigns a targeted role to the current user. It does exactly the same thing as the Role:<slug> resource.

The following policy removes the "Administrator" & "Editor" roles from users if their physical location is not Germany:

{
    "Statement": {
        "Effect": "deny",
        "Resource": [
            "Role:administrator",
            "Role:editor"
        ],
        "Action": "List",
        "Condition": {
            "NotEquals": {
                "${GEO.country_name}": "Germany"
            }
        }
    }
}

This policy assigns the "Shop Manager" role to users whose email address is in the "@mycompany.xyz" domain:

{
    "Statement": {
        "Effect": "allow",
        "Resource": "Role:shop_manager",
        "Action": "Assign",
        "Condition": {
            "Like": {
                "${USER.user_email}": "*@mycompany.xyz"
            }
        }
    }
}

Role Users

With the Role:<slug>:users resource, you can target all users that belong to a given role and control what the current user can or cannot do with them. You can find the complete list of all available actions on the User page.

FYI

To learn more about this particular functionality, refer to the "Users & Roles Governance" article.

The following policy prevents the current user from seeing and managing all users assigned to the "Author" and "Contributor" roles:

{
    "Statement": {
        "Effect": "deny",
        "Resource": [
            "Role:author:users",
            "Role:contributor:users"
        ],
        "Action": [
            "List",
            "Edit",
            "Delete"
        ]
    }
}

Wildcard

The wildcard resource Role:* can be used to target all roles, which is useful for hiding all roles or depriving the current user of them. This is a premium feature available with our premium add-on.

In the following example, all roles are hidden from a user, preventing them from assigning or promoting other users to any roles:

{
    "Statement": {
        "Effect": "deny",
        "Resource": "Role:*",
        "Action": "List"
    }
}

FYI!

Another way to prevent a user from changing other users' roles is to deprive that user of the promote_users capability.
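
An added example, not part of the AAM documentation or code base: a small Python audit helper that classifies every Role statement in a policy using the resource forms and actions described on this page, so a reviewer can see which statements grant a role, which only change visibility, and which depend on a Condition. The function names, the finding labels and the acceptance of a list under "Statement" are assumptions of this example.

```python
import json
import re

# Resource forms from the Syntax section: Role:<slug>, Role:<slug>:users, Role:*
ROLE_RE = re.compile(r"^Role:(?P<slug>\*|[A-Za-z0-9_-]+)(?P<users>:users)?$")
# The Actions text names "Assume"; the shop_manager example uses "Assign".
# Both spellings are treated as a role grant here.
GRANT_ACTIONS = {"assume", "assign"}

def as_list(value):
    """Resource and Action appear on the page both as a string and as an array."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]

def audit_policy(text):
    """Return one finding per (statement, Role resource) pair."""
    findings = []
    # Assumption: "Statement" may also be a list of statement objects.
    for stmt in as_list(json.loads(text).get("Statement")):
        effect = str(stmt.get("Effect", "")).lower()
        actions = {str(a).lower() for a in as_list(stmt.get("Action"))}
        for res in as_list(stmt.get("Resource")):
            m = ROLE_RE.match(str(res))
            if not m:
                if str(res).startswith("Role:"):
                    findings.append({"resource": res, "kind": "malformed"})
                continue
            if m["users"]:
                kind = "user-governance"
            elif not actions or actions & GRANT_ACTIONS:
                # No Action, or Assume/Assign: the role applies to the current user.
                kind = "grant" if effect == "allow" else "deprive"
            else:
                kind = "visibility"
            findings.append({
                "resource": res, "role": m["slug"], "kind": kind, "effect": effect,
                "conditional": bool(stmt.get("Condition")),
                "wildcard": m["slug"] == "*",
            })
    return findings

# Constructed sample: the page's conditional shop_manager statement.
SAMPLE = """{"Statement": {"Effect": "allow", "Resource": "Role:shop_manager",
 "Action": "Assign", "Condition": {"Like": {"${USER.user_email}": "*@mycompany.xyz"}}}}"""

if __name__ == "__main__":
    for f in audit_policy(SAMPLE):
        print(f)
```

Findings of kind "grant" are the ones to review first, since they widen what the current user can do; a "conditional" grant holds only as long as the value tested in its Condition can be trusted.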
