Craft CMS: How To Disable A User Vs Suspending A User


Managing users is crucial for any Craft CMS site. Disabling or suspending problematic accounts lets you rapidly halt issues, but knowing when to pick one over the other is key. This guide will contrast permanently disabling versus temporary suspensions in Craft - from proper use cases to the unique effects of each. You’ll know exactly when to disable or suspend users to match situation severity.

Disabling a user in Craft CMS revokes access until re-enabled, retaining account data. Suspending logs the user out and blocks access immediately but temporarily, allowing instant restoration. Disable for persistent revocation, suspend for urgent but reversible blocking. Both restrict access without deleting accounts.

User Management in Craft CMS

Overview of User Accounts in Craft CMS

User accounts are at the core of managing users and access control in Craft CMS. All users who need to access the Craft control panel or front-end of a site require a user account.

There are several types of user accounts in Craft:

  • Admin accounts - These have full access to all settings and can manage the site. Usually limited to site owners/developers.

  • Front-end accounts - Used for front-end forms and logging in. Have restricted permissions.

  • Custom user groups - Admins can create user groups to manage permissions for certain users.

User accounts are created and managed within the Craft control panel. Here admins can set user details like name, email, and password when creating new accounts.

User accounts don't automatically have any permissions assigned to them. To control what a user can access, user accounts need to be assigned user groups and permissions. This allows managing which parts of Craft each user can access.

User Roles and Permissions in Craft

Craft comes with a set of predefined user roles that provide common levels of access:

  • Admin - Complete access to all settings and management features.

  • Author - Can create, edit, and publish their own entries but not manage users/settings.

  • Editor - Authors + access to edit/publish all entries.

  • Publisher - Editors + access to manage sections, categories, global settings.

While roles provide an easy starting point, the permissions system allows finely tuned control over user access.

Permissions can be assigned to user accounts and groups down to the granular control panel page or section level. For example, allowing access to manage Commerce products but not orders.

This flexibility lets admins lock down access to match user needs exactly. Certain groups like clients may only need access to a small section of the control panel.

Managing Users in the Control Panel

The Craft control panel provides an interface to manage all aspects of users and access control.

To create a new user, admins can navigate to Settings > Users and click the “New user” button. From here they can set the username, email, and password, assign user groups, and set the enabled/disabled status.

Existing users can be edited to update details, reset passwords, and enable/disable accounts. Access settings like user groups and permissions are also managed on a per-user basis here.

Disabling a user maintains their account but revokes access until re-enabled. Suspended users are immediately logged out of all sessions as well. This allows temporarily blocking access without deleting accounts.

Other key user settings include requiring password changes on the next login, managing access to the front-end, and connecting user accounts to LDAP directories for enterprise-grade authentication.

The control panel user management tools enable admins to fully control user access to Craft CMS. User accounts, groups, roles, and granular permissions provide robust tools to match access to user needs.

Creating and Configuring User Accounts

Adding a New User

Adding a new user account in Craft is straightforward through the control panel. To start the process, navigate to Settings > Users and click the “New user” button.

The username is the first thing that needs to be set when creating a new user. This will be used to log into the control panel and should be something memorable. Avoid spaces or special characters.

Next, set a temporary password that will be shared with the user. They can change it on the first login. The user’s email address should also be added at this stage.

With just the username, password, and email set, a basic user account is created in Craft. However, at this point the user won’t have any permissions, so they won’t be able to access anything yet.

Assigning User Roles and Permissions

To give the new user access, they need to be assigned a user role and permissions.

Craft comes with predefined user roles like Admin, Author, and Editor. These provide common access levels, for example Authors can create new entries but not delete other users' content.

For more control, permissions can be set at the individual user level. Permissions are available for nearly every section of the Craft control panel.

For example, you may want to allow a user to edit Commerce products but not see any order data. The granular permissions system enables this level of custom access.

Permissions can be assigned directly to a user, but for larger teams it is easier to manage access by assigning users to permission groups.

Configuring Account Settings

Once the permissions are set up, some account settings like email and password can be configured.

The user’s email address will have already been added when creating the account. It can be updated here if needed.

Set an initial password for new users, making sure it complies with any password policies enabled. The user will be prompted to change this password on first login.

The preferred language of the control panel can be set as well. English is the default but any languages installed on the Craft site are available.

Email notification preferences can be managed for the email address set on the account. Choose which events, such as new user registrations, to receive alerts about.

Finally, access to the front-end of the site can be controlled here. The “Allow this user to login?” checkbox governs access to front-end user logins and protected content.

Creating a user account is quick in Craft, but user roles, permissions, and access controls take more planning. Start with the least permissions needed and modify as requirements change. Proper access configuration ensures smooth user management.

User Groups in Craft CMS

User groups are an effective way to manage permissions for multiple users in Craft CMS. Groups allow admins to create permission sets that can be assigned to entire groups of users.

Creating User Groups

User groups are created from Settings > Users in the Craft control panel. Click the “New group” button to begin adding a new group.

A name for the group is required; it should describe the user type, such as “Editors”, “Sales Team”, or “Clients”.

The group type also needs to be set. Choose either a general “User group” for custom permissions or “Admin group” for admin-level access.

With just a name and type, the new group is created. Now permissions and users can be assigned to the group.

Managing Group Permissions

Permission management for groups works the same as for individual users. The permissions page allows selecting access for nearly every control panel page and feature in Craft.

For example, an “Editors” group may get full entry, asset, and section management permissions but no site or user management access.

Permissions are cascading, so a custom “Clients” group would get only the specific access needed like managing Commerce products they should see.

This cascade effect is an advantage of groups. Give broad permissions at the top level, then limit child groups to only the access they need through inheritance.

For example, start Admin groups with full permissions, then pare down access for lower-level User groups.

Assigning Users to Groups

Once groups are created with their respective permissions, user accounts can be added to them.

From a user’s account page, assign them to one or more groups using the settings form. Multiple groups can be selected; users inherit permissions from all their groups.

The primary benefit of using groups is that it allows admins to change permissions broadly. For example, if Editors need access to a new feature, just update the Editors group instead of individual users.

Group-based permission management is much easier than trying to maintain custom permissions for every single user separately. It simplifies admin workflows as teams scale up.

User groups in Craft CMS enable admins to logically organize users and streamline access control management. Segment users into groups that align with internal teams or functions for efficiency.

Front-end vs Backend User Access in Craft CMS

Front-end User Access

For site visitors that only need access to parts of the front-end, user accounts can be limited to just that. Common use cases include customer/subscriber accounts for shopping or member-only content access.

To enable front-end-only access, the “Allow this user to login?” permission can be set when creating user accounts. This allows logging in on the site front-end.

Access can be dialled in further by limiting permissions to specific sections, categories, or entries on the site. For example, wholesale customer accounts may only view certain product pages.

Predefined user roles like “Site Visitor” and “Site Member” are available to quickly assign common limited access levels.

Front-end user management is handled through a dedicated Users section in the Craft control panel. This allows managing these accounts separately from back-end users.

Back-end User Access

For back-end control panel access, user accounts need permissions enabled to match their roles. For example, Content Editors will need access to manage Entries, Categories, Assets, and more.

Common user roles like Author, Editor, Admin, and custom groups streamline granting the appropriate permissions. Accounts can also be locked down to just the specific sections or settings needed.

The Craft CMS back-end user management is handled through the main Users section in the Craft control panel. Admins can manage both front-end and back-end user accounts here.

Back-end user sessions are logged separately from front-end as well, allowing tracking of control panel activity specifically.

Limiting Permissions for Front-end Users

When granting front-end user access, take care to limit permissions to only needed functionality. Allowing full front-end permissions enables editing or removing any content.

The “Site Visitor” and “Site Member” roles provide starting points for typically limited access. Building custom roles with granular permissions is recommended for more complex needs.

For example, a “Product Reviewer” role may be allowed to submit new reviews but not edit published ones. Customized access like this is possible thanks to Craft’s flexible permissions model.

Limit front-end access to the bare necessities for each user group. Audit permissions regularly as site functionality expands to prevent unintentional exposure. Proper front-end permissions balance usability with security.

Disabling User Accounts in Craft CMS

Disabling user accounts in Craft CMS allows admins to temporarily revoke access while retaining the user and their content for re-enabling later.

How to Disable User Accounts

To disable an account, go to Settings > Users, select the user, and open their account settings.

Scroll down to the “Account Status” section. Change the Enabled dropdown from “Enabled” to “Disabled”. Craft will immediately disable the user account.

The user will be logged out of all sessions and denied further access until re-enabled. Admins require the “Administrate users” permission to disable accounts.

Disabling can also be applied to multiple users at once by selecting them and choosing “Disable users” from the Users actions menu.

Effects of Disabling Accounts

When an account is disabled in Craft, the user is immediately denied all control panel and front-end access if applicable.

However, the user account, profile, and content are retained. Disabling acts as a temporary access ban versus permanently deleting the user.

This allows admins to re-enable the account later to restore access. All previous data and settings are maintained.

Disabling is preferable to deletion in cases where access needs to be revoked short-term but data retention is still important.

Reasons to Disable User Accounts

Some common use cases where disabling user accounts may be applicable:

  • Temporary access - Disable accounts for users only needing short-term access, such as contractors. Re-enable later if needed.

  • Spam/abusive users - Quickly block access for any accounts posting spam content or acting abusive.

  • Security risk - Disable compromised accounts immediately to prevent access without deleting.

  • Key employee leave - Disable departing employees' accounts while retaining content.

Preventing access from accounts posing a spam or security risk allows admins to address the issue before considering deletion.

For temporary access needs, disabling avoids needing to fully delete and then recreate accounts later. The user can pick up where they left off if re-enabled.

Disabling user accounts in Craft provides a temporary, reversible permission revocation. It enables admins to securely block access as needed.

Suspending User Accounts in Craft CMS

How to Suspend User Accounts

The process of suspending an account is straightforward within the Craft control panel. To suspend a specific user, navigate to Settings > Users, select the desired account, and open their detailed settings. Scroll down to the “Account Status” section and change the Enabled dropdown from “Enabled” to “Suspended”.

This will immediately suspend the account and trigger several effects: the user will be logged out of all active sessions, effectively terminating any possibility for further account usage or activity. The account itself along with associated profile and content data will be fully preserved, however access will be revoked until the status is changed back to “Enabled”.

Admin users require the "Administrate users" control panel permission in order to suspend accounts in this manner. Suspension can also be applied to multiple users simultaneously by selecting them from the Users index page and choosing the "Suspend users" option from the actions menu.

Effects of Suspending Accounts

When an account is suspended in Craft, the key effects beyond revoked access are terminating any active sessions and retaining all account data intact. By immediately logging out the user from all sessions, suspension prevents any chance for the account to be used further after that point. This differs from disabling an account, where existing sessions could still potentially remain open for activity depending on the timing.

With suspension, the account details, user profile, and any associated content created by that user all remain available within Craft after access is revoked. This allows admins to fully restore login access later simply by changing the account status back to “Enabled”. No user data is lost in the interim. This makes suspension preferable for temporary deactivation needs compared to deletion which would erase the account entirely.

Reasons to Suspend User Accounts

Some common use cases where suspending user accounts may be applicable include:

  • Conducting urgent investigations into suspicious account activity by rapidly cutting off live access before the user can do further potential harm.

  • Temporarily deactivating unruly or disruptive accounts as a cooling-off period before taking more permanent actions.

  • Halting access to shared or compromised accounts until ownership and intended use can be verified.

  • Short-term deactivation for accounts that are only needed for a limited period, avoiding the need to fully delete and then recreate the account later.

The ability to immediately terminate all active user sessions is what makes suspension such an effective emergency response to harmful account activity that requires urgent investigation. It is an ideal tool for managing risk while retaining options before deciding on more permanent measures. When temporary deactivation is needed, suspension keeps accounts intact and ready for re-enabling without data loss. For all of these reasons, the ability to suspend user accounts enables Craft admins to take appropriate actions quickly in order to maintain site security and integrity.

Comparing Disabling vs Suspending Users

Temporary vs Permanent Deactivation

When considering whether to suspend or disable a user account, the primary distinction is whether the deactivation should be temporary or permanent in nature. Suspending an account is designed for short-term, reversible access blocking. This could be useful for situations requiring urgent intervention but further investigation before taking more permanent measures.

With suspension, the administrator can quickly halt all account access knowing it can easily be restored in the future if needed. Disabling on the other hand implies a more persistent revocation of access that is not intended to be short-lived. A disabled account remains deactivated until an admin manually re-enables it, unlike suspended accounts that can instantly be reactivated at any time.

Use Cases for Disabling vs Suspending

The optimal use cases for suspension versus disablement align with the temporary versus permanent nature of each. Suspending is most applicable for time-sensitive cases requiring urgent intervention, such as investigating potential misuse or stopping an active compromise.

The ability to rapidly halt all account activity despite active sessions makes it ideal for emergency response.

Conversely, disabling is better suited for scenarios with no pressing urgency, where access changes are intended to be longer lasting. Examples could include removing former employees from the system or restricting known spam accounts without deleting them entirely.

Effects of Disabling vs Suspending

The effects of both suspension and disablement result in immediate denial of access and retention of account data. However, suspending is a more proactive form of access revocation by forcibly logging the user out of all active sessions at the moment of suspension. Disabling simply prevents future logins but does not terminate existing sessions, which could remain active for some time after depending on session length settings.

Suspended accounts also have their access instantly recoverable at an administrator's discretion, while disabled accounts remain persistently deactivated until manually re-enabled. Actual user data is fully retained in both cases though, with no content being deleted.

In summary, the decision between user suspension versus disablement comes down to the expected duration and urgency of access revocation needed. Both achieve the end goal of restricting access without unneeded data loss. Suspending provides an instant block, while disabling sets a persistent access change. Craft CMS administrators can utilize both options as needed for user management.
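The session behaviour described in this section, as an added Python model (not Craft CMS code and not from the original article): disabling only blocks new logins, suspending also ends live sessions, and an audit step finds sessions still owned by deactivated accounts. `AccountStore`, its methods, the account names and the one-hour session lifetime are all hypothetical.

```python
# Added illustration: a minimal model of the behaviour the article describes.
# AccountStore and its methods are hypothetical, not Craft CMS APIs.
from dataclasses import dataclass, field
import secrets

SESSION_TTL = 3600  # seconds; stands in for the site's session length setting


@dataclass
class AccountStore:
    status: dict = field(default_factory=dict)    # username -> enabled/disabled/suspended
    sessions: dict = field(default_factory=dict)  # token -> (username, expires_at)

    def add_user(self, username):
        self.status[username] = "enabled"

    def login(self, username, now):
        # Account status is checked at login for disabled and suspended alike.
        if self.status.get(username) != "enabled":
            return None
        token = secrets.token_hex(16)
        self.sessions[token] = (username, now + SESSION_TTL)
        return token

    def request(self, token, now):
        # Models a session check that trusts any unexpired token.
        entry = self.sessions.get(token)
        return entry is not None and now < entry[1]

    def disable(self, username):
        # As described: blocks future logins, leaves existing sessions alone.
        self.status[username] = "disabled"

    def suspend(self, username):
        # As described: blocks logins and terminates every active session.
        self.status[username] = "suspended"
        self.revoke_sessions(username)

    def revoke_sessions(self, username):
        stale = [t for t, (u, _) in self.sessions.items() if u == username]
        for t in stale:
            del self.sessions[t]
        return len(stale)

    def orphaned_sessions(self, now):
        # Audit check: unexpired sessions owned by accounts that are not enabled.
        return sorted({u for u, exp in self.sessions.values()
                       if now < exp and self.status.get(u) != "enabled"})


def demo():
    store = AccountStore()
    for name in ("contractor", "flagged_user"):  # constructed sample accounts
        store.add_user(name)
    t_contractor = store.login("contractor", now=0)
    t_flagged = store.login("flagged_user", now=0)
    store.disable("contractor")
    store.suspend("flagged_user")
    return {
        "disabled_session_alive": store.request(t_contractor, now=60),
        "suspended_session_alive": store.request(t_flagged, now=60),
        "disabled_can_login": store.login("contractor", now=60) is not None,
        "audit": store.orphaned_sessions(now=60),
        "revoked": store.revoke_sessions("contractor"),
        "audit_after_revoke": store.orphaned_sessions(now=60),
    }
```

In this model, an audit such as `orphaned_sessions` run right after a disable shows whether a follow-up session revocation is still needed.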

Restoring Disabled or Suspended User Accounts

Re-enabling Disabled User Accounts

To restore access for a disabled user, navigate to Settings > Users and select the disabled account. Go to the “Account Status” section in their settings.

Change the Enabled dropdown from “Disabled” to “Enabled”. Save the changes, and the user account will be fully restored with access to the control panel and front-end site if permissions allow it.

All previous account details, content, and settings remain intact after being disabled. Enabling the account simply lifts the access restriction while retaining all existing data.

The user will need to reset their password before logging in again in most cases. An admin can also reset it for them first if needed.

Reactivating Suspended User Accounts

The process for unsuspending an account is the same as re-enabling. Navigate to the user’s account settings, go to Account Status, and change “Suspended” back to “Enabled”.

This immediately lifts the access restriction and allows the user to log in again. As with disabling, no data is lost when an account is suspended - everything is retained and restored upon reactivation.

The only difference is a suspended user is forcibly logged out when suspended. Re-enabling doesn’t require a password reset since access was severed instantly during suspension.

Granting Previous Access to Re-enabled Accounts

Optionally, admins restoring a disabled or suspended account can also take the opportunity to update the user’s roles and permissions.

By default, returning the Enabled status to “True” grants the same access level they previously had. However, roles and permissions can be adjusted as well.

For example, an abusive user might have permissions limited upon re-enabling. Or new access may need to be granted if responsibilities have changed.

Take the chance to audit and adjust access levels appropriately when re-enabling accounts. Don’t just fall back to old permissions that may need revisions.

Restoring disabled and suspended accounts is fast and simple in Craft given no actual user data is affected in the interim. Take advantage of the re-enable moment to review and adjust access as needed.

Andy Golpys
- Author

Andy has scaled multiple businesses and is a big believer in Craft CMS as a tool that benefits both Designer, Developer and Client. 
