Manual:$wgGroupPermissions

Details
This is a two-dimensional array indexed by user group and available permissions, e.g.



where user is the group in question, and edit is the permission being granted or revoked. The true value grants the permission to that group.

Defaults
A number of default permissions are set up in DefaultSettings.php and grant all users the ability to create and edit pages, with move permissions deferred to autoconfirmed users, and administration tasks such as deletion, blocking of users, etc. reserved for sysop users.

User rights operations are set to be accessible by bureaucrats by default. You may wish to change these defaults, for example to block editing by anonymous users.

Groups
Users are placed in groups via Special:Userrights; the groups defined by this configuration setting will automatically determine the groups which are listed on that page.

Default groups

 * * : All users, including anonymous users
 * user : Registered, logged-in users
 * autoconfirmed : Users with the autoconfirm right
 * emailconfirmed : Users with the emailconfirm right
 * bot : Automated scripts that need to log in
 * sysop : Administrators who can delete pages, block users, etc.
 * bureaucrat : Users who are able to change other users' rights
 * developer : (deprecated) Site administration

Permissions
Permissions represent the right to perform individual tasks, such as creating and editing pages, deleting pages and files, blocking users, etc. If a permission for a user is 'true' for any of the groups they belong to then they will be able to perform the task. For example, if you set 'edit' to 'false' for sysops but it is 'true' for users then sysops will still be able to edit, because all sysops are users.


 * read : Allowed to read non-whitelisted pages (if set to false, only the pages on the whitelist can be read).
 * edit : Edit non-protected pages
 * createaccount : Register an account through Special:Userlogin
 * createpage : Create a page
 * createtalk : Create a discussion page
 * move : Move (rename) pages
 * upload : Upload images and other files (if enabled)
 * delete : Delete (and restore) pages and files
 * bot : Hides own changes from changes pages (e.g. Special:Recentchanges) by default
 * block : Block other users and IP addresses from editing (and restore their access)
 * editinterface : Edit interface text in the MediaWiki namespace
 * import : Import pages from other wikis using Special:Import
 * patrol : Mark edits as patrolled (if enabled)
 * protect : Protect pages and files from modification/renaming
 * rollback : Roll back changes to pages quickly
 * userrights : Edit user group membership via Special:Userrights
 * siteadmin : Lock and unlock the database via Special:Lockdb and Special:Unlockdb

Extensions
Extensions such as RenameUser, MakeBot etc. will add new rights which can be configured and assigned in the same manner.