Using MCommunity Groups to Manage Authorization for Drupal 10/11

As of July 9, 2025, new Drupal sites on U-M Pantheon are initialized with OpenID Connect (OIDC) enabled by default. The “umichoidc” (wwsauth) module is also enabled and configured. However, you will need to complete the configuration process in order to use MCommunity groups to manage authorization (authz) for your site.

This documentation assumes you have already created one or more MCommunity groups you intend to use for authorization and you have added members to each group as appropriate.

Note: You must have the "Groups Released" option configured for your OIDC client to function correctly. You can update your OIDC client configuration in the ITS Web Hosting Services Portal.

Log in to an Administrator account

Log in to your Drupal 10/11 site using an account that has the Administrator role. The uniqname of the person who requested the site is configured as an administrator during site initialization. Others may be given the Administrator role manually later.

Create Roles for MCommunity Groups

Navigate to "Manage → People → Roles", and add Roles with names matching MCommunity group names you will use for authorization.  If your group name has whitespace in it (for example, “my site editors”), use the “Also Known As” hyphenated name “my-site-editors” for the Role name.

Configure Role Permissions

Navigate to "Manage → People → Permissions", and check the checkbox next to each permission you wish to assign to each role named for an MCommunity group. Click the “Save permissions” button at the bottom of the page when you have finished selecting permissions for your roles.

Add Roles to OIDC Client

Navigate to "Manage → Configuration → OpenID Connect", then select “Edit” next to "Wolverine Web Services".  On the Edit screen, select/highlight the Role(s) matching the MCommunity groups in the “OIDC managed Roles” box, then click “Save”.

Drupal Role and MCommunity Group Maintenance

  • As you add/remove users in the MCommunity group(s), this module will add/remove Drupal roles for each user when they log in
  • These roles DO NOT sync with MCommunity
  • When someone logs in, if they are a member of the corresponding MCommunity group, the Drupal role is added to their account at the time of login
  • Expect to maintain membership in the MCommunity group; the Drupal role will likely never reflect more than a snapshot of the MCommunity group membership at any given time
  • At any given time, membership in the role is accurate only for a person who has logged in
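
Because roles change only at login, a person removed from an MCommunity group keeps the Drupal role until they log in again. The following is an added example, not part of the umichoidc module or this documentation, that compares exported membership lists to find such accounts. The function names, the input shapes (plain lists of uniqnames) and the sample data are assumptions constructed for illustration.

```python
import re


def role_name(group_name):
    """Hyphenated role name for a group name, e.g. 'my site editors' -> 'my-site-editors'."""
    return re.sub(r"\s+", "-", group_name.strip())


def audit_roles(group_members, role_holders, managed_roles):
    """Compare Drupal role holders with current group membership.

    Returns {role: {"stale": [...], "pending": [...], "group_found": bool}}.
    stale   = holds the role but is not in the group (kept until next login)
    pending = in the group but has no role yet (not logged in since being added)
    """
    by_role = {role_name(g): {m.lower() for m in members}
               for g, members in group_members.items()}
    report = {}
    for role in sorted(managed_roles):
        holders = {u.lower() for u in role_holders.get(role, [])}
        members = by_role.get(role)
        found = members is not None      # False: managed role with no matching group
        members = members or set()
        report[role] = {
            "stale": sorted(holders - members),
            "pending": sorted(members - holders),
            "group_found": found,
        }
    return report


# Constructed sample data (assumed export shapes, not real accounts).
GROUPS = {"my site editors": ["alice", "bob"], "site-admins": ["carol"]}
HOLDERS = {
    "my-site-editors": ["bob", "dave"],
    "site-admins": ["carol"],
    "content_reviewer": ["erin"],   # not an OIDC managed role, so ignored
    "old-team": ["frank"],
}
MANAGED = ["my-site-editors", "site-admins", "old-team"]

if __name__ == "__main__":
    for role, result in audit_roles(GROUPS, HOLDERS, MANAGED).items():
        print(role, result)
```

Accounts listed as stale are candidates for manual role removal in "Manage → People" when access needs to end before the person's next login.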

Additional Information

For assistance or questions, contact [email protected].

Last Updated
Thursday, August 14, 2025