edit admin roles/capabilities on network

1. For the most part, yes. WP_User methods normally work fine.

2. The way things work by default, you specifically cannot add edit_user capability to any multi-site sub roles, including normal admin. It’s only available to super_admin. The logic for this is in the map_meta_cap() function in wp-includes/capabilities.php. However, you can override this logic via the ‘map_meta_cap’ filter. I don’t know if the control of this capability is managed elsewhere, so hooking this filter may not work in of itself, but it is certainly something to do first.

3. I’m pretty sure there are multi-site plugins that make it easy to manage roles and capabilities. They may even override the map_meta_cap() function for you. Adding a new role will not get around the default map_meta_cap() restriction.

OK, thanks. One more question if anyone is still reading: Is it possible to add a new custom (default) role that is available to all sites on a particular network?

Yes, you can create any role you like, and with certain exceptions, assign any capabilities you like. For example, you still will not be able to assign edit_user without additional hacking. I’m not sure how one assigns a default role using multi-site, but it should be easy enough.

Thanks for your help, but I’m still not able to solve this issue. According to my tests, using “remove_cap” on admin role (via plugin) does not succeed. For instance admins can still remove users despite running the function below:

function remove_theme_capabilities(){
global $wp_roles;
$role->remove_cap( ‘admin’, ‘remove_users’ );
$role->remove_cap( ‘admin’, ‘create_users’ );
$role->remove_cap( ‘admin’, ‘delete_users’ );
$role->remove_cap( ‘admin’, ‘list_users’ );
}
add_action( ‘admin_init’, ‘remove_theme_capabilities’ );

I also tried creating a new default role using “add_role” in a plugin that was network activated. This create the role for the first WP site (wp_options table) but the role was not visible to any other sites in the network.

These are the two ways I’m attempting to solve the issue of setting capabilities for a role across an entire network. Anyone else?

You don’t seem to be getting much interest. Most of the capabilities you’re trying to remove, along with edit_users, are in the category of “certain exceptions” I mentioned previously that you can’t change.

Your code is also not working because $role is undefined. Execute the method using this form:
$wp_roles->remove_cap('role name', 'capability');

It also looks like you are supplying a username as the first parameter. You should be supplying a Role name, such as ‘Administrator’.

You’re right BC. I had actually tried many different permutations of the different WP role/capability methods (some actually typed/scoped properly) and nothing seemed to work properly on the administrator role. As you mentioned, I think there are some “certain exceptions” when dealing with the administrator role. In addition to problems with meta caps like edit_users, my experience was that the administrator role was tied in with super admin capabilities on individual network sites. (Super admin was essentially acting as a regular admin on network sites).

In any case I ended up writing a plugin to set the roles/caps for our network sites. It was a more complicated process than I expected, but I believe the plugin works well. If it’s helpful to anyone else, some of the issues I needed to address were: setting capabilities by role on activation/deactivation, adding meta capabilities separately, checking permissions on particular pages/routines, and filtering editable roles.

As far as I know my plugin cannot be network enabled to work across all sites. It has to be activated on each individual site.

So if you’re not stubborn like me I’d recommend skipping this whole process and using a readily available plugin.