Starting with AAM 2.5, the site administrator is, by default, not allowed to manage the Administrator Role or any other role or user that has Capability Level 10 (for more about Capability Levels, refer to the official WordPress Roles and Capabilities topic).
The reason for this significant change is that, more and more often, inexperienced users limit Administrator Capabilities by mistake and, as a result, lose access to the Admin Panel.
AAM is a very powerful and flexible tool. This is why we still allow the option for more knowledgeable users to activate this feature. In addition, these advanced users can also give access to other users to use AAM features.
To show you how it all works, let’s walk through these goals:
- Activate the Super Admin feature for yourself;
- Create a Regional Manager Role that will be almost identical to Administrator Role with one exception – this Role is not allowed to Delete Other Users or Promote anybody to either Administrator or Regional Manager Role;
- Give the ability to the Regional Manager to configure access to Posts & Pages;
- Give the ability to the Regional Manager to create and manage Events on Posts Status & Content Change.
Although this looks like a daunting list of complicated tasks, you can do it with AAM within 5 minutes. Let’s go through it together.
ACTIVATE SUPER ADMIN FEATURE
Because AAM is moving more toward being a development framework, we are trying to involve ConfigPress more and more. This is why, in order to activate the super admin feature, you have to define the super_admin Property under the aam Section:
    [aam]
    super_admin = "Your admin user ID"
Here ‘Your admin user ID’ is the unique number assigned to your admin user in the database (in most cases it’ll be number 1).
As soon as you save the ConfigPress, you should be able to manage Administrator Role and any user that has this role.
CREATE AND CONFIGURE REGIONAL MANAGER ROLE
You can define as many roles as you like. There is no limitation to title length or its content.
We recommend keeping the title within 20 characters and using alphanumeric characters.
When you hit the Plus icon, it should show the Add New Role dialog box. Here you can type the role name and select the role that will be used to assign the list of capabilities. In our example, we type Regional Manager as Role Name and select Administrator Role for Inherit Caps.
Now that you have created a new role, it is time to uncheck a few Capabilities for the Regional Manager Role. Make sure that you are configuring the correct Role. You can find it in the top left corner on the Access Control page (see screenshot below).
Now go to the Capability Tab and make sure that the Delete Users, Remove Users and Level 10 capabilities are all unchecked. It is very important to uncheck the Level 10 capability. By doing this, we prevent users with this Role from promoting anybody to the Administrator Role and from managing other administrators (including yourself).
GIVE REGIONAL MANAGER ACCESS TO AAM FEATURES
From the release of 2.5, each AAM page and feature has its own capability assigned to it. By default, only users with the Administrator capability have access to them, but you have the option to change this behavior and assign your own capability. You can do it with ConfigPress. Below is the list of all properties that are available from release 2.5:
- Access Control Page – aam.page.access_control.capability;
- ConfigPress Page – aam.page.configpress.capability;
- Extensions Page – aam.page.extensions.capability;
- Admin Menu – aam.feature.admin_menu.capability;
- Metaboxes & Widgets – aam.feature.metabox.capability;
- Capability – aam.feature.capability.capability;
- Posts & Pages – aam.feature.post_access.capability;
- Event Manager – aam.feature.event_manager.capability;
- Activity Log – aam.feature.activity_log.capability;
- My Feature – aam.feature.my_feature.capability.
In our example, we want to give the Regional Manager access to the Posts & Pages and Event Manager features. Because these features are on the Access Control Page, we have to give access to this page too.
So let’s insert the following set of properties into ConfigPress, right after the super_admin property that we defined earlier.
    [aam]
    super_admin = "1"
    page.access_control.capability = "level_9"
    feature.post_access.capability = "level_9"
    feature.event_manager.capability = "level_9"
We are using the Level 9 Capability because we know that the Regional Manager and the Administrator both have access. You can use any other Capability you like; just ensure that the Capability you choose is not checked for lower-level Roles. You can also create a Custom Capability like “AAM Access Control Page” and check it for Regional Manager (for the Administrator Role, any new Custom Capability is applied automatically).
From now on, when you log in to the WordPress Admin panel as a Regional Manager, you should see the AAM Menu and only the Posts & Pages and Event Manager features.
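The rule above, that the capability guarding an AAM page or feature must not be checked for lower-level Roles, can be checked offline before the ConfigPress text is saved. The following Python sketch is an added example, not part of AAM or of the original article: it parses the ConfigPress text shown above and reports any role outside the intended set that would pass a gate. The role capability sets are constructed and abbreviated (only the legacy level_N capabilities and a few others are listed), and the function names gates and audit are hypothetical.

```python
import configparser

# ConfigPress text from the article, one property per line.
CONFIGPRESS = '''
[aam]
super_admin = "1"
page.access_control.capability = "level_9"
feature.post_access.capability = "level_9"
feature.event_manager.capability = "level_9"
'''

def levels(n):
    """Legacy level_0..level_n capabilities, as WordPress assigns them per role."""
    return {f"level_{i}" for i in range(n + 1)}

# Constructed, abbreviated role data (assumption: not exported from a real site).
ADMIN = levels(10) | {"delete_users", "remove_users", "promote_users", "edit_posts"}
ROLES = {
    "administrator": ADMIN,
    # Regional Manager as configured in the article: Administrator minus three caps.
    "regional_manager": ADMIN - {"delete_users", "remove_users", "level_10"},
    "editor": levels(7) | {"edit_posts"},
    "subscriber": levels(0),
}

def gates(configpress_text):
    """Return {property: capability} for every *.capability property under [aam]."""
    cp = configparser.ConfigParser()
    cp.read_string(configpress_text)
    return {k: v.strip('"') for k, v in cp["aam"].items() if k.endswith(".capability")}

def audit(configpress_text, roles, intended):
    """Map each gate to (capability, roles that pass it but are not intended to)."""
    findings = {}
    for prop, cap in gates(configpress_text).items():
        extra = sorted(r for r, caps in roles.items() if cap in caps and r not in intended)
        if extra:
            findings[prop] = (cap, extra)
    return findings

if __name__ == "__main__":
    intended = {"administrator", "regional_manager"}
    print("article config:", audit(CONFIGPRESS, ROLES, intended))
    # Same config with a capability that lower roles also hold.
    weak = CONFIGPRESS.replace('"level_9"', '"edit_posts"')
    print("weak config:", audit(weak, ROLES, intended))
```

Only properties that are explicitly set in the ConfigPress text are evaluated; properties left at their default are not modelled.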