Since release AAM 2.5, a site administrator is by default not allowed to manage the Administrator Role or any other roles or users that have Capability Level 10 (for more about Capability Levels, refer to the official WordPress Roles and Capabilities topic).
The reason for this significant change is that more and more inexperienced users were limiting Administrator Capabilities by mistake and, at the same time, losing access to the Admin Panel.
AAM is a very powerful and flexible tool, which is why we still give more knowledgeable users the opportunity to activate this possibility, and not only to activate it but also to give other users access to AAM features.
To show you how it works, let's accomplish these goals:
- Activate Super Admin feature for yourself;
- Create Regional Manager Role that will be close to Administrator Role with one exception – this Role is not allowed to Delete Other Users and Promote anybody to either Administrator or Regional Manager Role;
- Allow Regional Manager to configure access to Posts & Pages;
- Allow Regional Manager to create and manage Events on Posts Status & Content Change.
This looks pretty complex, but you can do it with AAM within 5 minutes.
ACTIVATE SUPER ADMIN FEATURE
Because AAM is moving toward becoming a development framework, we are trying to involve ConfigPress more and more. That is why, to activate the super admin feature, you have to define the super_admin Property under the aam Section:
    [aam]
    super_admin = "Your admin user ID"
Where Your admin user ID is the unique number assigned to your admin user in the database (in most cases it’ll be number 1).
As soon as you save the ConfigPress, you should be able to manage Administrator Role and any user that has this role.
CREATE AND CONFIGURE REGIONAL MANAGER ROLE
You can define as many roles as you like. There is no limitation on the title's length or content.
We recommend keeping the title within 20 characters and using alphanumeric characters.
When you hit the Plus icon it should show the Add New Role dialog box. Here you can type the role name and select the role that will be used to get the list of capabilities. In our example we type Regional Manager as Role Name and select Administrator Role for Inherit Caps.
Now that you have created a new role, it is time to uncheck a few Capabilities for the Regional Manager Role. Make sure that you are configuring the correct Role. You can find it in the top left corner of the Access Control page (see screenshot below).
So go to the Capability Tab and make sure that the Delete Users, Remove Users and Level 10 capabilities are unchecked. It is very important to uncheck the Level 10 capability. This way we deprive the user of the possibility to promote anybody to the Administrator Role and do not allow them to manage other administrators (including yourself).
GIVE REGIONAL MANAGER ACCESS TO AAM FEATURES
From release 2.5, each AAM page and feature has its own capability assigned to it. By default, only a user with the capability Administrator has access to them, but you can change this behavior and assign your own capability. You can do it with ConfigPress. Below is the list of all properties that are available from release 2.5:
- Access Control Page – aam.page.access_control.capability;
- ConfigPress Page – aam.page.configpress.capability;
- Extensions Page – aam.page.extensions.capability;
- Admin Menu – aam.feature.admin_menu.capability;
- Metaboxes & Widgets – aam.feature.metabox.capability;
- Capability – aam.feature.capability.capability;
- Posts & Pages – aam.feature.post_access.capability;
- Event Manager – aam.feature.event_manager.capability;
- Activity Log – aam.feature.activity_log.capability;
- My Feature – aam.feature.my_feature.capability.
In our example we want to give Regional Manager access to the Posts & Pages and Event Manager features. Because these features are on the Access Control Page, we also have to give access to this page.
So let's insert the following properties into ConfigPress right after the super_admin property that we defined earlier.
    [aam]
    super_admin = "1"
    page.access_control.capability = "level_9"
    feature.post_access.capability = "level_9"
    feature.event_manager.capability = "level_9"
We are using the Level 9 Capability because we know that Regional Manager and Administrator both have it. You can use any other Capability; just make sure that this Capability is not checked for lower level Roles. You can actually create a Custom Capability like “AAM Access Control Page” and check it for Regional Manager (for the Administrator Role any new Custom Capability is applied automatically).
From now on, when you log in to the WordPress Admin panel as Regional Manager, you should see the AAM Menu and only the Posts & Pages and Event Manager features.
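The check that a gating Capability "is not checked for lower level Roles" can be done before saving ConfigPress. The following is an added example, not AAM's own code: it parses the ConfigPress text above and reports which roles would reach which AAM features. The role map is a constructed, simplified sample, and the helper names, the role-name-as-capability default and the assumption that all seven features sit behind the Access Control Page gate are illustrative.

```python
import configparser

# Constructed sample: the ConfigPress text from the tutorial above.
CONFIGPRESS = """
[aam]
super_admin = "1"
page.access_control.capability = "level_9"
feature.post_access.capability = "level_9"
feature.event_manager.capability = "level_9"
"""

# Constructed, simplified role -> capabilities map. Treating the role name as
# a capability is an assumption that models the "Administrator" default.
ROLES = {
    "administrator": {"administrator", "level_10", "level_9", "level_7"},
    "regional_manager": {"regional_manager", "level_9", "level_7"},
    "editor": {"editor", "level_7"},
}
DEFAULT_CAP = "administrator"
PAGE_KEY = "page.access_control.capability"
FEATURES = ["admin_menu", "metabox", "capability", "post_access",
            "event_manager", "activity_log", "my_feature"]


def load_gates(text):
    """Return {property: capability} from the [aam] section, quotes stripped."""
    parser = configparser.ConfigParser(interpolation=None)
    parser.read_string(text)
    return {k: v.strip('"') for k, v in parser.items("aam")}


def effective_access(gates, roles):
    """Map each role to the AAM features it can reach (page gate first)."""
    page_cap = gates.get(PAGE_KEY, DEFAULT_CAP)
    access = {}
    for role, caps in roles.items():
        reachable = []
        if page_cap in caps:  # assumed: all seven features are on this page
            reachable = [f for f in FEATURES
                         if gates.get(f"feature.{f}.capability", DEFAULT_CAP) in caps]
        access[role] = reachable
    return access


def unexpected_roles(access, allowed):
    """Roles that reach any AAM feature but are not on the allow-list."""
    return sorted(r for r, feats in access.items() if feats and r not in allowed)


if __name__ == "__main__":
    for role, feats in effective_access(load_gates(CONFIGPRESS), ROLES).items():
        print(f"{role}: {', '.join(feats) or 'no AAM access'}")
```

Swapping "level_9" for a capability that a lower role also holds makes that role show up in `unexpected_roles`, which is the mistake the paragraph above warns about.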