Wasim's Site

Drupal Permissions Matrix Generator

Map Drupal roles to permissions in a grid and export a Markdown audit table, CSV, and user.role.*.yml configuration.

user.role.*.yml (config)

One role config per block. Split into separate files named by the comment header.

Documenting Drupal Roles and Permissions

Access control is one of the easiest things to get wrong on a Drupal site and one of the hardest to audit, because permissions are scattered across the admin UI and dozens of modules. A role-by-permission matrix makes the whole picture visible at a glance. This tool lets you build that matrix and export it as documentation or as the user.role.*.yml config that actually drives Drupal.

Three Outputs, One Source of Truth

  • Markdown table: drop into a README, wiki, or pull request for a security review.
  • CSV: open in a spreadsheet to sort, filter, or share with non-developers.
  • user.role.*.yml: version your roles in code and import them with configuration management.

How to Use This Generator

  1. Add roles — anonymous and authenticated are included to start.
  2. Add permissions using their exact machine strings (e.g. create article content).
  3. Toggle the grid to grant each permission per role.
  4. Copy the output you need — docs, CSV, or config.

Frequently Asked Questions

What is a Drupal permissions matrix?
A grid that maps user roles (columns) to permissions (rows), showing which role is granted which permission. It is the clearest way to document and audit access control on a Drupal site.

What does this tool export?
Three formats: a Markdown table for documentation or a pull request, a CSV you can open in a spreadsheet, and user.role.*.yml configuration blocks you can drop into your config sync directory.

How are permissions stored in Drupal config?
Each role is a config entity stored as user.role.<role_id>.yml, with a permissions list of permission machine names (e.g. 'access content'). Since Drupal 9.3, every permission a role holds must be defined by a module's permissions.yml or a permission callback.

Where do I find the exact permission machine names?
They are the human-readable strings each module declares, such as access content, administer nodes, or create article content. Check the module's permissions.yml file, or the Permissions admin page, for the precise wording.

Can I use this just for an audit, without the YAML?
Yes. Many teams use it purely to produce the Markdown or CSV matrix for security reviews and documentation. The user.role.*.yml output is there when you also want to version the roles in code.
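The three outputs described above, derived from one role-to-permission mapping. This is an added example, not the generator's own code: the function names and the sample matrix are constructed, and the YAML block is a minimal role config with no uuid and with empty dependencies, which a real export would fill in.

```python
import csv
import io

# Constructed sample: role id -> (label, set of granted permission machine names).
MATRIX = {
    "anonymous": ("Anonymous user", {"access content"}),
    "authenticated": ("Authenticated user", {"access content", "create article content"}),
}


def all_permissions(matrix):
    """Every permission in the matrix, sorted so all outputs are stable."""
    return sorted(set().union(*(perms for _, perms in matrix.values())))


def to_markdown(matrix):
    """Permissions as rows, roles as columns; 'x' marks a grant."""
    labels = [label for label, _ in matrix.values()]
    lines = ["| Permission | " + " | ".join(labels) + " |",
             "| --- |" + " :---: |" * len(labels)]
    for perm in all_permissions(matrix):
        cells = ["x" if perm in perms else " " for _, perms in matrix.values()]
        lines.append("| " + perm + " | " + " | ".join(cells) + " |")
    return "\n".join(lines)


def to_csv(matrix):
    """Same grid as CSV, with explicit yes/no cells for spreadsheet filtering."""
    out = io.StringIO()
    writer = csv.writer(out, lineterminator="\n")
    writer.writerow(["Permission"] + [label for label, _ in matrix.values()])
    for perm in all_permissions(matrix):
        writer.writerow([perm] + ["yes" if perm in p else "no" for _, p in matrix.values()])
    return out.getvalue()


def quote(text):
    """YAML single-quoted scalar; a literal quote is escaped by doubling it."""
    return "'" + text.replace("'", "''") + "'"


def to_role_yaml(role_id, label, perms):
    """One config block, headed by a comment naming the file it belongs in."""
    lines = [f"# user.role.{role_id}.yml", "langcode: en", "status: true",
             "dependencies: {  }", f"id: {role_id}", f"label: {quote(label)}",
             "weight: 0", "is_admin: false"]
    if perms:
        lines += ["permissions:"] + [f"  - {quote(p)}" for p in sorted(perms)]
    else:
        lines.append("permissions: {  }")
    return "\n".join(lines) + "\n"
```

Because all three functions read the same mapping, the table reviewed in a pull request and the config that gets imported cannot drift apart.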
