Channel: Lee Mangold » Drupal

Understanding Drupal Permissions


For some reason, many of my customers and many of those on the Drupal site have trouble understanding the Drupal permissions system. It’s actually extremely simplistic…and in some cases, too much so…

The Basics
Drupal uses role-based permissions. This means that every user (logged in or not) is assigned to a role. If you take a look at your Access Control settings, you’ll see that you can add new roles and set module permissions on each role. For example, if you grant the “authenticated user” role the “create page content” permission, every user in that role can create page nodes anywhere on the site. Again, this is MODULE LEVEL.

The Problem
I get this question all the time: “Can I make this page secured so that only myself and 3 others can see it?” The short answer is NO! The problem here lies in the Module-level roles. If you can view “Page” nodes, you can view ALL page nodes! This can be very problematic.

A Solution
One possible solution is to install Organic Groups (OG). OG allows you to place pages in a group that only group members can access. The obvious problem is that in order to secure ONE page in a different way than all other content, you would need to create a group, create a page assigned to the group, and add users to the group. That can be a pain.

Another little caveat: if a user has a role that allows “create page content”, they will be able to create pages in ANY group they are a member of. If you need to restrict THAT, you’ll need yet another module: og_user_roles. This allows the group manager/admin to set user roles per group. However, if the user has a site-wide role permission (as defined in Users->Access Control), they will have that role in your group no matter what, meaning that you must remove them from the global role as well.
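
The rules described so far, as a small Python model added here as an example (it is not Drupal, OG or og_user_roles code). The role, user and group names are constructed, and “access content” stands in for the permission to view nodes; the last function lists the accounts whose site-wide role overrides a per-group setting.

```python
# Simplified model of the behaviour described above; not Drupal, OG or og_user_roles code.
# All role names, users and groups below are constructed sample data.
ROLE_PERMS = {
    "authenticated user": {"access content"},
    "page author": {"access content", "create page content"},
}
SITE_ROLES = {  # site-wide roles, as set under Users -> Access Control
    "alice": {"authenticated user", "page author"},
    "bob": {"authenticated user"},
    "carol": {"authenticated user", "page author"},
}
GROUPS = {  # OG group membership plus per-group roles (the og_user_roles idea)
    "finance": {"members": {"alice", "bob"}, "group_roles": {"bob": {"page author"}}},
}

def perms(roles):
    """Union of the permissions granted by a set of roles."""
    return set().union(*(ROLE_PERMS[r] for r in roles))

def can_view_page(user, group=None):
    """Ungrouped pages: one site-wide permission opens every page node.
    Grouped pages: only members of the group may view."""
    if group is None:
        return "access content" in perms(SITE_ROLES[user])
    return user in GROUPS[group]["members"]

def can_create_page(user, group):
    """A member may create pages if a site-wide OR a per-group role allows it."""
    g = GROUPS[group]
    if user not in g["members"]:
        return False
    roles = SITE_ROLES[user] | g["group_roles"].get(user, set())
    return "create page content" in perms(roles)

def global_role_leaks(group):
    """Members who can create pages here only through a site-wide role,
    i.e. the accounts that must be removed from the global role."""
    g = GROUPS[group]
    return sorted(
        u for u in g["members"]
        if "create page content" in perms(SITE_ROLES[u])
        and "create page content" not in perms(g["group_roles"].get(u, set()))
    )

if __name__ == "__main__":
    for name in sorted(SITE_ROLES):
        print(name, can_view_page(name), can_view_page(name, "finance"),
              can_create_page(name, "finance"))
    print("site-wide role overrides group setting for:", global_role_leaks("finance"))
```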

Conclusion
While the Drupal permission scheme probably works for 80% of the users, it stops at the functional (module) level and does not reach the node level. There are quite a few access control modules that attempt to correct this (like OG), but they are all additional modules. A couple of others to look at are Taxonomy Access Control (TAC), Simple Access, and any of the other 174 Options.

