Role

Vasyl Martyniuk

Syntax

Role:<role-slug>
Role:<role-slug>:users
Role:*

Actions

Note

If no actions are specified in a statement, the Promote action is assumed.

Role:<role-slug> & Role:*:

  • List: Allows the current user to view a role.
  • Promote: Allows the current user to assign or remove a role.

Role:<role-slug>:users:

  • List: Allows the current user to view all users assigned to the role. For more details on role visibility, refer to the Q&A: What is an "editable role" in WordPress?
  • Edit: Allows the current user to edit all users assigned to the role.
  • Delete: Allows the current user to delete all users assigned to the role.
  • ChangePassword: Allows the current user to change or reset passwords for all users assigned to the role.
  • ChangeRole or Promote: Allows the current user to change roles for all users assigned to the role.
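
A policy can be checked against the resource forms and action names listed above before it is attached to a user or role. The following Python linter is an added example, not part of AAM or its documentation; the function names, the slug character set, and exact-case matching of action names are assumptions.

```python
import json
import re

# Action names per resource form, copied from the Actions section of this page.
ROLE_ACTIONS = {"List", "Promote"}
ROLE_USERS_ACTIONS = {"List", "Edit", "Delete", "ChangePassword", "ChangeRole", "Promote"}
# Role:<role-slug>, Role:<role-slug>:users or Role:* (slug character set is an assumption).
RESOURCE_RE = re.compile(r"^Role:(\*|[A-Za-z0-9_-]+)(:users)?$")


def as_list(value):
    """Policies on this page use either a single value or a list of values."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def lint_role_policy(policy_json):
    """Return one (effect, resource, actions, warnings) tuple per Role resource."""
    findings = []
    for stmt in as_list(json.loads(policy_json).get("Statement")):
        explicit = as_list(stmt.get("Action"))
        # Per the page: with no actions in the statement, Promote is assumed.
        actions = explicit or ["Promote"]
        for resource in as_list(stmt.get("Resource")):
            if not resource.startswith("Role:"):
                continue  # other resource types are outside this page
            warnings = []
            match = RESOURCE_RE.match(resource)
            if not match or (match.group(1) == "*" and match.group(2)):
                warnings.append("resource form not documented on this page")
                allowed = set()
            else:
                allowed = ROLE_USERS_ACTIONS if match.group(2) else ROLE_ACTIONS
            if not explicit:
                warnings.append("no Action given: statement applies to Promote")
            for action in actions:
                if allowed and action not in allowed:
                    warnings.append(f"action {action!r} not listed for this resource form")
            findings.append((stmt.get("Effect"), resource, actions, warnings))
    return findings


# Constructed sample: Edit is only documented for Role:<role-slug>:users.
SAMPLE = '{"Statement": {"Effect": "deny", "Resource": ["Role:editor", "Role:editor:users"], "Action": ["Edit"]}}'

if __name__ == "__main__":
    for finding in lint_role_policy(SAMPLE):
        print(finding)
```

The "no Action given" warning matters most on deny statements with conditions: a statement written without an Action list governs role assignment (Promote), not role visibility.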

Examples

The following policy removes all roles from a user if their physical location is not Germany:

{
    "Statement": {
        "Effect": "deny",
        "Resource": "Role:*",
        "Condition": {
            "NotEquals": {
                "${GEO.country_name}": "Germany"
            }
        }
    }
}

The following policy prevents a user from seeing and managing all users assigned to the Author and Contributor roles:

{
    "Statement": {
        "Effect": "deny",
        "Resource": [
            "Role:author:users",
            "Role:contributor:users"
        ],
        "Action": [
            "List",
            "Edit",
            "Delete"
        ]
    }
}

Definition

AAM treats all WordPress roles (including custom-made ones) as a resource that can be applied to any user or role. The Role resource works similarly to assigning any WordPress role or multiple roles to a user on the Profile Edit page.

For example, the following statement assigns the Editor role:

{
    "Statement": {
        "Effect": "allow",
        "Resource": [
            "Role:editor"
        ]
    }
}

The Role resource expects a valid role slug, which can be found on the AAM "Users & Roles" widget.

Additionally, with AAM 6.9.28+, you can manage a role's visibility and govern users assigned to the role. For example, the following statement restricts the ability to edit or delete all users with the "Editor" role:

{
    "Statement": {
        "Effect": "deny",
        "Resource": "Role:editor:users",
        "Action": [
            "Edit",
            "Delete"
        ]
    }
}

FYI

To learn more about all available user actions, refer to the User resource.

Wildcard

The wildcard resource Role:* can be used to target all roles, which is useful for hiding all roles from the current user or depriving the current user of them. This is a premium feature available with our premium add-on.

In the following example, all roles are hidden from a user, preventing them from assigning or promoting other users to any roles:

{
    "Statement": {
        "Effect": "deny",
        "Resource": "Role:*",
        "Action": "List"
    }
}

FYI!

Another way to prevent a user from changing other users' roles is to deprive that user of the promote_users capability.