Restricting access to nodes per user

Problem: I want to be able to restrict access to nodes on a per-user basis (NOT per role).

There are currently many solutions for restricting access based on user roles, but what if you have a group of users who share the same role (say Authenticated User) but want to restrict their access to nodes on a per user basis?

Say you have clients. A given user may or may not be a client. One or more users may belong to the same client, etc... Some of your content you want to restrict to one or more clients, while other content you simply want to make available to all users.

Organic groups implements this type of functionality, but it's really overkill for the simple goal here.

I would like a solution that implements the following:

User "client" tagging - this would be a taxonomy or other mechanism for tagging users as clients.

Content "client" tagging - this would be a taxonomy or other mechanism for tagging nodes as being available only to one or more clients.

ACL - A module would implement access control on a per-user, per-node basis.

AFAIK, there is no such solution right now.

I am thinking about implementing a module (let's call it "user node access by tag") that goes something like this:

User Profile Modification

Users are not nodes (unfortunately) and so we cannot apply taxonomy to them by default. However, we can apply taxonomy to users by hooking into the user profile and inserting a taxonomy selector and then storing the results in a table that would resemble term_node.

User Node Access by Tag Configuration

The site admin would select a single taxonomy that would be used for user access control to content; let's call that vocabulary "employees". He populates this vocabulary with whatever he wants. For our example, let's add two terms called "manager" and "worker".

The admin configures the employees vocab to apply to the node types he wants to restrict access to. He would probably also configure some module-specific settings that would determine what to do with untagged nodes and untagged users (i.e. grant/deny).

The admin now can tag users as manager or worker or nothing at all. Authors can tag nodes using the employees vocab as manager or worker or nothing at all.

ACL Implementation

User Node Access by Tag implements its own access control based on the "employees" vocabulary. Access is granted where a user tag matches a node tag.
Of course all the complexities of ACL are not addressed here, but this is the basic idea.

It seems simple and sound to me. I'm curious as to why nothing like it has been done yet.
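The ACL part of the design above, sketched as a Drupal 7 node-access implementation. This is an added example, not code from the original post or from any existing module; the module short name (unat), the table {unat_user_term}, the field name field_employees and the variable names are all assumptions.

```php
<?php
/**
 * Hypothetical "user node access by tag" module (short name assumed: unat).
 * Assumed: a table {unat_user_term} (uid, tid) filled in from the user
 * profile form, and a term reference field field_employees on controlled
 * node types pointing at the "employees" vocabulary.
 */

define('UNAT_REALM', 'unat_term');
define('UNAT_UNTAGGED_GID', 0); // Assumed grant id for nodes carrying no tag.

/**
 * Terms of the employees vocabulary that a user has been tagged with.
 */
function unat_user_tids($account) {
  return db_query('SELECT tid FROM {unat_user_term} WHERE uid = :uid',
    array(':uid' => $account->uid))->fetchCol();
}

/**
 * Implements hook_node_grants(): grant ids this user holds in our realm.
 * A user holds a grant for every term he is tagged with.
 */
function unat_node_grants($account, $op) {
  if ($op != 'view') {
    return array();
  }
  $gids = unat_user_tids($account);
  // Admin setting for untagged nodes: TRUE = grant to everyone, FALSE = deny.
  if (variable_get('unat_untagged_node_grant', TRUE)) {
    $gids[] = UNAT_UNTAGGED_GID;
  }
  return array(UNAT_REALM => $gids);
}

/**
 * Implements hook_node_access_records(): one view record per node term.
 * Untagged nodes get a record with UNAT_UNTAGGED_GID; if nobody holds that
 * grant, the node is hidden (a node with no records at all would be public).
 */
function unat_node_access_records($node) {
  if (!in_array($node->type, variable_get('unat_node_types', array()))) {
    return array(); // Type not under control: leave it to other modules.
  }
  $tids = array();
  foreach (field_get_items('node', $node, 'field_employees') ?: array() as $item) {
    $tids[] = $item['tid'];
  }
  if (empty($tids)) {
    $tids[] = UNAT_UNTAGGED_GID;
  }
  $records = array();
  foreach ($tids as $tid) {
    $records[] = array('realm' => UNAT_REALM, 'gid' => $tid, 'grant_view' => 1,
      'grant_update' => 0, 'grant_delete' => 0, 'priority' => 0);
  }
  return $records;
}
```

Access records are only regenerated when a node is saved or node_access_rebuild() is run, so changing the controlled node types or the untagged-node setting must trigger a rebuild or existing nodes keep their old grants.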

You're essentially describing Taxonomy Access Control Lite. See

How can I restrict access to a node by the user's 'role'?

Take a look at the simple access module.