Overrides

Overrides are specific permissions designed to override a role in a specific context, allowing you to "tweak" your permissions as required.

In each role, you can choose to set the permission for a capability to one of four values:

NOT SET

Use the setting the user already had. If permission is never allowed at any level, then the user will not have that capability.

ALLOW

Grant permission for a capability to people who are assigned this role. This permission applies for the selected context as well as all "lower" contexts.

PREVENT

Remove permission for a capability even if it's allowed in a higher context.

PROHIBIT

Completely deny permissions to a role in a way that can NOT be overridden at any lower context.

Conflict resolution of permissions

Permissions at a "lower" context will generally override anything at a "higher" context (this applies to overrides and assigned roles). The exception is PROHIBIT which can not be overridden at lower levels.

Special exceptions

Note that the guest user account will generally be prevented from posting content even if granted the capability to do so.

See also Roles, Contexts, Assign Roles and Permissions.