Manual:$wgGroupPermissions

Details
This is a two-dimensional array indexed by user group and available permissions, e.g.



where user is the group in question, and edit is the permission being granted or revoked. The true value grants the permission to that group.

Defaults
A number of default permissions are set up in DefaultSettings.php and grant all users the ability to create and edit pages, with move permissions deferred to autoconfirmed users, and administration tasks such as deletion, blocking of users, etc. reserved for sysop users.

User rights operations are set to be accessible by bureaucrats by default. You may wish to change these defaults, for example to block editing by anonymous users.

Groups
Users are placed in groups via Special:Userrights; the groups defined by this configuration setting will automatically determine the groups which are listed on that page.

Default groups

 * * : All users, including anonymous users
 * user : Registered, logged-in users
 * autoconfirmed : Users with the autoconfirm right
 * emailconfirmed : Users with the emailconfirm right
 * bot : Automated scripts that need to log in
 * sysop : Administrators who can delete pages, block users, etc.
 * bureaucrat : Users who are able to change other users' rights
 * developer : (deprecated) Site administration

Permissions
Permissions represent the right to perform individual tasks, such as creating and editing pages, deleting pages and files, blocking users, etc. If a permission for a user is 'true' for any of the groups they belong to then they will be able to perform the task. For example, if you set 'edit' to 'false' for sysops but it is 'true' for users then sysops will still be able to edit, because all sysops are users.


 * read : Allowed to read non-whitelisted pages (if set to false, only the pages on the whitelist can be read).
 * edit : Edit non-protected pages
 * createaccount : Register an account through Special:Userlogin
 * createpage : Create a page
 * createtalk : Create a discussion page
 * move : Move (rename) pages
 * upload : Upload images and other files (if uploads enabled)
 * upload_by_url : Upload files from URLs (if copy uploads enabled)
 * delete : Delete (and restore) pages and files
 * bot : Hides own changes from changes pages (e.g. Special:Recentchanges) by default
 * block : Block other users and IP addresses from editing (and restore their access)
 * editinterface : Edit interface text in the MediaWiki namespace
 * import : Import pages from other wikis using Special:Import
 * patrol : Mark edits as patrolled (if enabled)
 * protect : Protect pages and files from modification/renaming
 * rollback : Roll back changes to pages quickly
 * userrights : Edit user group membership via Special:Userrights
 * siteadmin : Lock and unlock the database via Special:Lockdb and Special:Unlockdb

Default Group Permission Values from DefaultSettings.php
The following is a listing of all of the default values for the group permission settings in DefaultSettings.php as of version 1.10.0. Previous versions may not have all of these values; for specific defaults for the version you are using, check includes/DefaultSettings.php for your particular installation. These values are overridden by any changes in LocalSettings.php.

// Implicit group for all visitors $wgGroupPermissions['*'   ]['createaccount']   = true; $wgGroupPermissions['*'   ]['read']            = true; $wgGroupPermissions['*'   ]['edit']            = true; $wgGroupPermissions['*'   ]['createpage']      = true; $wgGroupPermissions['*'   ]['createtalk']      = true;

// Implicit group for all logged-in accounts $wgGroupPermissions['user' ]['move']           = true; $wgGroupPermissions['user' ]['read']           = true; $wgGroupPermissions['user' ]['edit']           = true; $wgGroupPermissions['user' ]['createpage']     = true; $wgGroupPermissions['user' ]['createtalk']     = true; $wgGroupPermissions['user' ]['upload']         = true; $wgGroupPermissions['user' ]['reupload']       = true; $wgGroupPermissions['user' ]['reupload-shared'] = true; $wgGroupPermissions['user' ]['minoredit']      = true; $wgGroupPermissions['user' ]['purge']          = true; // can use ?action=purge without clicking "ok"

// Implicit group for accounts that pass $wgAutoConfirmAge $wgGroupPermissions['autoconfirmed']['autoconfirmed'] = true;

// Implicit group for accounts with confirmed email addresses // This has little use when email address confirmation is off $wgGroupPermissions['emailconfirmed']['emailconfirmed'] = true;

// Users with bot privilege can have their edits hidden // from various log pages by default $wgGroupPermissions['bot' ]['bot']             = true; $wgGroupPermissions['bot' ]['autoconfirmed']   = true; $wgGroupPermissions['bot' ]['nominornewtalk']  = true; $wgGroupPermissions['bot' ]['autopatrol']      = true;

// Most extra permission abilities go to this group $wgGroupPermissions['sysop']['block']          = true; $wgGroupPermissions['sysop']['createaccount']  = true; $wgGroupPermissions['sysop']['delete']         = true; $wgGroupPermissions['sysop']['deletedhistory'] 	= true; // can view deleted history entries, but not see or restore the text $wgGroupPermissions['sysop']['editinterface']  = true; $wgGroupPermissions['sysop']['import']         = true; $wgGroupPermissions['sysop']['importupload']   = true; $wgGroupPermissions['sysop']['move']           = true; $wgGroupPermissions['sysop']['patrol']         = true; $wgGroupPermissions['sysop']['autopatrol']     = true; $wgGroupPermissions['sysop']['protect']        = true; $wgGroupPermissions['sysop']['proxyunbannable'] = true; $wgGroupPermissions['sysop']['rollback']       = true; $wgGroupPermissions['sysop']['trackback']      = true; $wgGroupPermissions['sysop']['upload']         = true; $wgGroupPermissions['sysop']['reupload']       = true; $wgGroupPermissions['sysop']['reupload-shared'] = true; $wgGroupPermissions['sysop']['unwatchedpages'] = true; $wgGroupPermissions['sysop']['autoconfirmed']  = true; $wgGroupPermissions['sysop']['upload_by_url']  = true; $wgGroupPermissions['sysop']['ipblock-exempt']	= true;

// Permission to change users' group assignments $wgGroupPermissions['bureaucrat']['userrights'] = true;

Extensions
Extensions such as RenameUser, MakeBot etc. will add new rights which can be configured and assigned in the same manner.