The AAM Access Policies is already a revolutionary way to manage access and security settings for WordPress websites. Today, Access Policies already offer way more possibilities than AAM UI, so choosing this route for your entire access management is a very smart and mature decision.
To help you with the administrative tasks, we constantly building the library of ready-to-use policies that can be installed from the Access Policy Hub.
The most effective way to define access controls to your users with policies is to start from the "ground zero". WordPress core designed in the way that each user has to have at least one role assigned. On the single-site setup, you either assign a role to a user during manual creation or a role is automatically assigned to newly-registered users based on settings defined on the Settings->General page. The 5 basic WordPress roles already have already some capabilities assigned so we already losing a bit of flexibility when additional customization is needed.
We strongly encourage you to create a new custom role (e.g. "Empty Role") that has absolutely no capabilities assigned to it. This would be considered the "ground zero" role and all desired users can be assigned to it. Then you can simply attach your access policies to the role and by doing this, you manage the access controls your way 100%.
For example. Let's say you need to have a website, where all registered users can create only one page that they can manage (edit, delete, publish) and also upload files that can be attached to it. No other pages or uploaded media files can be seen or managed. Below is just a few simple steps that allow you to facilitate these needs:
- Create a new custom role "Empty Role".
- On the Settings->General, for the "New User Default Role", select "Empty Role". From here all newly registered users automatically get assigned to this role;
- On the AAM page navigate to the "Access Policies" tab and we are going to install couple policies;
- Install policy "Allow to create and manage own pages" AAM000027;
- Install policy "Protect a user’s uploaded files" AAM000019;
- Install Policy "Allow users to upload files to media library" AAM000028
- Install Policy "Allow users to create and manage only one page" AAM000029
- Make sure that 4 policies are attached to the "Empty Role" role.
- Make sure that all the necessary dependencies are installed: Plus Package add-on, AAM Protected Media Files plugin, AAM Enhanced Access Policy plugin.
As you can see, you can have the flexibility to configure any possible and impossible access requirements by creating policies that also become well-documented security artifact.