The Sector Starter Kit includes preconfigured user roles, user profiles, and permissions, and out of the box, the ability to create, add, edit, or delete users is only available to the Drupal sitebuilder role.
The Sector Drupal sitebuilder role is the default administrator role in Drupal. It is used in Sector as Site Builder and Administrator role with full access to all site building features. This role should only ever been given to trusted developers and experienced sitebuilders.
Sector approach to user roles and permissions
Permissions on a need-to-have basis
When editorial users have the ability to manage user accounts, they have more permissions than they need to do their day-to-day tasks. If you consider the number of editorial users on your site, that could be a considerable security issue.
Giving users only the permissions they need reduces the risk of unauthorised access to sensitive or critical areas of a system.
User need to have the clearance and knowledge appropriate to their roles
User administration permissions have critical security implications - user administration requires training and expertise in security, privacy, and advanced Drupal administration.
Giving Drupal's 'Administer users' permission to a user role lets users with that role administer any user on the website. This means that they are able to administer the UID1 account - the 'superuser', i.e. the user account with the greatest permissions on the website.
When you allow users to administer other users, you potentially give them access to user accounts with greater permissions than their own. Only the most trusted users should be given this ability, as it allows them to use accounts which have more control over the site.
Administer permissions, such as administer content and administer users, are usually reserved for the most trusted site users. These administration privileges grant users extensive control of the specific module(s) described by the permission title.
Next to the the security implications, users administrators also need to be aware how Drupal works behind the scenes - for example users are linked to their content, and if the user administrator deletes a user they might delete all the content that is owned by that user (node author).
Sector out of the box
Rather than adding this hefty permission to an editorial user role, in Sector user administrators rights are only available to the sitebuilder user role. The Drupal sitebuider role is the Sector label for the Drupal Administrator role that comes with the Drupal core and has access-all-areas by default. Out of the box, the Drupal 8 permissions for the Drupal Administrator can not be restricted. So rather than assigning user administration rights to further roles, Sector out of the box leaves the permissions with a role inherited by Drupal core.
Highly privileged administrative accounts should not be used for high risk or day to day user activities.
Sector Content Editors and Content Administrators can still manage their own user account - e.g. change their username and password - but can't manage other users. This should be enough for them to complete their standard website tasks.
I need to know more about how user roles and permissions are set-up in Sector.
Our guide on Preconfigured user roles, user profiles and permissions is here to help!
For your site
We recommend to create a risk assessment strategy for your site and to create a site specific user roles and permissions strategy. Group permissions by task and create additive roles that ensure that access is limited to the right staff at the right time. Review your user table regularly and always block users that no longer require access. Make sure to reassign content to current users before deleting user profiles.