
PulseLMS Roles and Permissions - Complete Administrator Guide

Document Information

| Field          | Details                                                     |
|----------------|-------------------------------------------------------------|
| Document Title | Roles and Permissions Administration Guide                  |
| Version        | 2.0                                                         |
| Last Updated   | 2025                                                        |
| Audience       | System Administrators, Course Administrators                |
| Prerequisites  | Site Administrator Access, Understanding of User Management |

Table of Contents

  1. Understanding Roles and Contexts
  2. Default Roles
  3. Capabilities Explained
  4. Permission Levels
  5. Creating Custom Roles
  6. Role Archetypes
  7. Assigning Roles
  8. Role Overrides in Courses
  9. Check Permissions Tool
  10. Common Role Customizations
  11. Best Practices for Permissions
  12. Appendix A: Capability Quick Reference
  13. Appendix B: Role Configuration Templates

1. Understanding Roles and Contexts

1.1 Introduction to Role-Based Access Control

PulseLMS uses a sophisticated role-based access control (RBAC) system to manage what users can do throughout the platform. This system provides granular control over user permissions at different levels of the platform hierarchy.

1.2 The Role System Architecture

┌─────────────────────────────────────────────────────────────────────┐
│                    PulseLMS Role Architecture                        │
├─────────────────────────────────────────────────────────────────────┤
│                                                                      │
│  ┌──────────────────────────────────────────────────────────────┐   │
│  │                         ROLES                                 │   │
│  │  ┌────────────┐ ┌────────────┐ ┌────────────┐ ┌────────────┐ │   │
│  │  │  Manager   │ │  Teacher   │ │  Student   │ │   Custom   │ │   │
│  │  └─────┬──────┘ └─────┬──────┘ └─────┬──────┘ └─────┬──────┘ │   │
│  │        │              │              │              │         │   │
│  └────────┼──────────────┼──────────────┼──────────────┼─────────┘   │
│           │              │              │              │             │
│           ▼              ▼              ▼              ▼             │
│  ┌──────────────────────────────────────────────────────────────┐   │
│  │                      CAPABILITIES                             │   │
│  │  ┌─────────────────────────────────────────────────────────┐ │   │
│  │  │  mod/forum:addpost   mod/quiz:attempt   course:view     │ │   │
│  │  │  mod/assign:grade    user:viewdetails   backup:course   │ │   │
│  │  └─────────────────────────────────────────────────────────┘ │   │
│  └──────────────────────────────────────────────────────────────┘   │
│                              │                                       │
│                              ▼                                       │
│  ┌──────────────────────────────────────────────────────────────┐   │
│  │                        CONTEXTS                               │   │
│  │                                                               │   │
│  │      System → Category → Course → Module → Block → User       │   │
│  │                                                               │   │
│  │  Higher context permissions flow down to lower contexts       │   │
│  └──────────────────────────────────────────────────────────────┘   │
│                                                                      │
└─────────────────────────────────────────────────────────────────────┘

1.3 What is a Context?

A context represents a specific area or scope within PulseLMS where permissions apply. Think of contexts as containers that define where a role's capabilities are active.

1.4 Context Hierarchy

┌─────────────────────────────────────────────────────────────────────┐
│                       Context Hierarchy                              │
├─────────────────────────────────────────────────────────────────────┤
│                                                                      │
│                        ┌──────────────┐                              │
│                        │    SYSTEM    │  (Level 10)                  │
│                        │   Context    │  Site-wide permissions       │
│                        └──────┬───────┘                              │
│                               │                                      │
│              ┌────────────────┼────────────────┐                     │
│              │                │                │                     │
│              ▼                ▼                ▼                     │
│       ┌───────────┐    ┌───────────┐    ┌───────────┐               │
│       │   USER    │    │   FRONT   │    │ CATEGORY  │  (Level 40)   │
│       │  Context  │    │   PAGE    │    │  Context  │               │
│       └───────────┘    │  Context  │    └─────┬─────┘               │
│                        └───────────┘          │                      │
│                                               │                      │
│                               ┌───────────────┼───────────────┐      │
│                               │               │               │      │
│                               ▼               ▼               ▼      │
│                        ┌───────────┐   ┌───────────┐   ┌─────────┐  │
│                        │  COURSE   │   │  COURSE   │   │ COURSE  │  │
│                        │  Context  │   │  Context  │   │ Context │  │
│                        └─────┬─────┘   └───────────┘   └─────────┘  │
│                              │                                (50)   │
│              ┌───────────────┼───────────────┐                      │
│              │               │               │                      │
│              ▼               ▼               ▼                      │
│       ┌───────────┐   ┌───────────┐   ┌───────────┐                │
│       │  MODULE   │   │  MODULE   │   │   BLOCK   │  (Level 70/80) │
│       │  Context  │   │  Context  │   │  Context  │                │
│       └───────────┘   └───────────┘   └───────────┘                │
│                                                                      │
└─────────────────────────────────────────────────────────────────────┘

1.5 Context Types and Levels

| Context Type | Level | Description                | Example                 |
|--------------|-------|----------------------------|-------------------------|
| System       | 10    | Entire PulseLMS site       | Site-wide settings      |
| User         | 30    | Individual user profiles   | Personal settings       |
| Category     | 40    | Course categories          | Department/Division     |
| Course       | 50    | Individual courses         | Marketing 101           |
| Module       | 70    | Activities within courses  | Quiz, Forum, Assignment |
| Block        | 80    | Side blocks                | Calendar, News          |

1.6 Permission Inheritance

Permissions flow downward through the context hierarchy:

┌──────────────────────────────────────────────────────────────────┐
│                    Permission Inheritance Flow                    │
├──────────────────────────────────────────────────────────────────┤
│                                                                   │
│  SYSTEM CONTEXT                                                   │
│  ┌─────────────────────────────────────────────────────────────┐ │
│  │ Manager assigned: Can backup courses = Yes                   │ │
│  └─────────────────────────────────────────────────────────────┘ │
│                              │                                    │
│                              ▼ (Inherits down)                    │
│  CATEGORY CONTEXT                                                 │
│  ┌─────────────────────────────────────────────────────────────┐ │
│  │ Inherited: Can backup courses = Yes                          │ │
│  │ (No override defined)                                        │ │
│  └─────────────────────────────────────────────────────────────┘ │
│                              │                                    │
│                              ▼ (Inherits down)                    │
│  COURSE CONTEXT                                                   │
│  ┌─────────────────────────────────────────────────────────────┐ │
│  │ Inherited: Can backup courses = Yes                          │ │
│  │ (Can be overridden here if needed)                          │ │
│  └─────────────────────────────────────────────────────────────┘ │
│                              │                                    │
│                              ▼ (Inherits down)                    │
│  MODULE CONTEXT                                                   │
│  ┌─────────────────────────────────────────────────────────────┐ │
│  │ Inherited: Can backup courses = Yes                          │ │
│  │ (Final effective permission)                                 │ │
│  └─────────────────────────────────────────────────────────────┘ │
│                                                                   │
└──────────────────────────────────────────────────────────────────┘

1.7 Context Examples

| Context  | Assignment Example                      | Result                                  |
|----------|-----------------------------------------|-----------------------------------------|
| System   | User assigned "Manager" role            | Manager permissions everywhere          |
| Category | User assigned "Teacher" in "Science"    | Teacher in all Science courses          |
| Course   | User assigned "Student" in "Bio 101"    | Student only in Bio 101                 |
| Module   | User override on "Final Quiz"           | Modified permissions for that quiz only |

1.8 Key Concepts Summary

| Concept    | Definition                                      |
|------------|-------------------------------------------------|
| Role       | A named collection of capabilities              |
| Capability | A specific permission to perform an action      |
| Context    | A scope where permissions apply                 |
| Assignment | Linking a role to a user in a context           |
| Override   | Modifying inherited permissions in a context    |
| Archetype  | A template for creating roles                   |

2. Default Roles

2.1 Overview of Default Roles

PulseLMS includes several predefined roles designed to cover common use cases:

┌─────────────────────────────────────────────────────────────────────┐
│                        Default Role Hierarchy                        │
├─────────────────────────────────────────────────────────────────────┤
│                                                                      │
│                    ┌───────────────────────┐                         │
│                    │    ADMINISTRATOR      │                         │
│                    │  (Site-level only)    │                         │
│                    └───────────┬───────────┘                         │
│                                │                                     │
│                    ┌───────────┴───────────┐                         │
│                    │       MANAGER         │                         │
│                    │ (Full management)     │                         │
│                    └───────────┬───────────┘                         │
│                                │                                     │
│                    ┌───────────┴───────────┐                         │
│                    │   COURSE CREATOR      │                         │
│                    │ (Create courses)      │                         │
│                    └───────────┬───────────┘                         │
│                                │                                     │
│              ┌─────────────────┼─────────────────┐                   │
│              │                 │                 │                   │
│              ▼                 ▼                 ▼                   │
│     ┌─────────────┐   ┌─────────────────┐   ┌─────────────┐         │
│     │   TEACHER   │   │  NON-EDITING    │   │   STUDENT   │         │
│     │ (Full edit) │   │    TEACHER      │   │  (Learner)  │         │
│     └─────────────┘   │ (Grade only)    │   └─────────────┘         │
│                       └─────────────────┘                            │
│                                                                      │
│                       ┌─────────────────┐                            │
│                       │      GUEST      │                            │
│                       │ (View only)     │                            │
│                       └─────────────────┘                            │
│                                                                      │
└─────────────────────────────────────────────────────────────────────┘

2.2 Site Administrator

Note: Site Administrator is not a role but a special designation in PulseLMS.

| Attribute            | Details                               |
|----------------------|---------------------------------------|
| Designation          | Site Administrator (not a role)       |
| Context              | System-wide                           |
| Assignment           | Defined in config or user settings    |
| Capabilities         | ALL capabilities implicitly allowed   |
| Cannot be restricted | No overrides or prohibits apply       |

Site Administrator Characteristics:

  • Has access to Site Administration menu
  • Can manage all site settings
  • Can install plugins
  • Cannot be overridden by role assignments
  • Should be limited to essential personnel only

2.3 Manager Role

| Attribute           | Details                      |
|---------------------|------------------------------|
| Shortname           | manager                      |
| Archetype           | manager                      |
| Assignable Contexts | System, Category, Course     |
| Primary Purpose     | Course and user management   |

Key Capabilities:

| Capability                    | Permission | Description            |
|-------------------------------|------------|------------------------|
| moodle/site:viewreports       | Allow      | View site reports      |
| moodle/course:create          | Allow      | Create new courses     |
| moodle/course:delete          | Allow      | Delete courses         |
| moodle/course:update          | Allow      | Update course settings |
| moodle/user:viewdetails       | Allow      | View user details      |
| moodle/user:update            | Allow      | Edit user profiles     |
| moodle/cohort:manage          | Allow      | Manage cohorts         |
| moodle/backup:backupcourse    | Allow      | Backup courses         |
| moodle/restore:restorecourse  | Allow      | Restore courses        |
| moodle/role:assign            | Allow      | Assign roles           |

Manager Role Use Cases:

| Scenario          | Context  | Purpose                    |
|-------------------|----------|----------------------------|
| Department Head   | Category | Manage department courses  |
| Training Director | System   | Oversee all training       |
| Regional Manager  | Category | Manage regional courses    |
| Course Admin      | Course   | Manage specific course     |

2.4 Course Creator Role

| Attribute           | Details                        |
|---------------------|--------------------------------|
| Shortname           | coursecreator                  |
| Archetype           | coursecreator                  |
| Assignable Contexts | System, Category               |
| Primary Purpose     | Create and configure courses   |

Key Capabilities:

| Capability                       | Permission | Description             |
|----------------------------------|------------|-------------------------|
| moodle/course:create             | Allow      | Create new courses      |
| moodle/course:request            | Allow      | Request course creation |
| moodle/course:viewhiddencourses  | Allow      | View hidden courses     |
| moodle/backup:backupcourse       | Allow      | Backup courses          |
| moodle/restore:restorecourse     | Allow      | Restore courses         |

Course Creator vs Manager:

| Capability     | Course Creator | Manager |
|----------------|----------------|---------|
| Create courses | Yes            | Yes     |
| Delete courses | No             | Yes     |
| Manage users   | Limited        | Yes     |
| Assign roles   | Limited        | Yes     |
| View reports   | Limited        | Yes     |
| Manage cohorts | No             | Yes     |

2.5 Teacher (Editing Teacher) Role

| Attribute           | Details                               |
|---------------------|---------------------------------------|
| Shortname           | editingteacher                        |
| Archetype           | editingteacher                        |
| Assignable Contexts | Course (primarily)                    |
| Primary Purpose     | Full course editing and instruction   |

Key Capabilities:

| Capability                          | Permission | Description             |
|-------------------------------------|------------|-------------------------|
| moodle/course:update                | Allow      | Update course settings  |
| moodle/course:viewhiddenactivities  | Allow      | View hidden activities  |
| moodle/course:manageactivities      | Allow      | Add/edit activities     |
| moodle/course:activityvisibility    | Allow      | Show/hide activities    |
| moodle/course:managefiles           | Allow      | Manage course files     |
| moodle/course:managescales          | Allow      | Manage grading scales   |
| moodle/grade:manage                 | Allow      | Manage gradebook        |
| moodle/grade:edit                   | Allow      | Edit grades             |
| mod/assign:grade                    | Allow      | Grade assignments       |
| mod/quiz:grade                      | Allow      | Grade quizzes           |
| mod/forum:deleteanypost             | Allow      | Delete forum posts      |
| enrol/manual:enrol                  | Allow      | Manually enroll users   |

Teacher Permissions Matrix:

| Activity Type | View | Create | Edit | Delete | Grade |
|---------------|------|--------|------|--------|-------|
| Assignment    | Yes  | Yes    | Yes  | Yes    | Yes   |
| Quiz          | Yes  | Yes    | Yes  | Yes    | Yes   |
| Forum         | Yes  | Yes    | Yes  | Yes    | N/A   |
| Resource      | Yes  | Yes    | Yes  | Yes    | N/A   |
| Lesson        | Yes  | Yes    | Yes  | Yes    | Yes   |
| Workshop      | Yes  | Yes    | Yes  | Yes    | Yes   |

2.6 Non-editing Teacher Role

| Attribute           | Details                                       |
|---------------------|-----------------------------------------------|
| Shortname           | teacher                                       |
| Archetype           | teacher                                       |
| Assignable Contexts | Course                                        |
| Primary Purpose     | Grading and support without content editing   |

Key Capabilities:

| Capability                          | Permission | Description             |
|-------------------------------------|------------|-------------------------|
| moodle/course:viewhiddenactivities  | Allow      | View hidden activities  |
| moodle/grade:viewall                | Allow      | View all grades         |
| moodle/grade:edit                   | Allow      | Edit grades             |
| mod/assign:grade                    | Allow      | Grade assignments       |
| mod/quiz:grade                      | Allow      | Grade quizzes           |
| mod/forum:viewhiddenpost            | Allow      | View hidden posts       |

Non-editing Teacher Restrictions:

| Capability                      | Status      | Reason                 |
|---------------------------------|-------------|------------------------|
| moodle/course:manageactivities  | Not Allowed | No content creation    |
| moodle/course:update            | Not Allowed | No course settings     |
| moodle/backup:backupcourse      | Not Allowed | No backup access       |
| enrol/manual:enrol              | Not Allowed | No enrollment control  |

Non-editing Teacher Use Cases:

| Role               | Description                      |
|--------------------|----------------------------------|
| Teaching Assistant | Grades work, supports students   |
| Grader             | Focuses on assessment            |
| Mentor             | Guides without editing           |
| Subject Expert     | Provides feedback                |

2.7 Student Role

| Attribute           | Details                      |
|---------------------|------------------------------|
| Shortname           | student                      |
| Archetype           | student                      |
| Assignable Contexts | Course                       |
| Primary Purpose     | Learning and participation   |

Key Capabilities:

| Capability                     | Permission | Description              |
|--------------------------------|------------|--------------------------|
| moodle/course:view             | Allow      | View course content      |
| moodle/course:viewparticipants | Allow      | See other participants   |
| mod/assign:submit              | Allow      | Submit assignments       |
| mod/quiz:attempt               | Allow      | Attempt quizzes          |
| mod/forum:startdiscussion      | Allow      | Start forum discussions  |
| mod/forum:replypost            | Allow      | Reply to forum posts     |
| moodle/grade:view              | Allow      | View own grades          |

Student Activity Permissions:

| Activity   | Attempt | Submit | View Grades | Edit          |
|------------|---------|--------|-------------|---------------|
| Assignment | N/A     | Yes    | Own only    | No            |
| Quiz       | Yes     | Yes    | Own only    | No            |
| Forum      | Yes     | Yes    | N/A         | Own posts     |
| Choice     | Yes     | Yes    | Maybe       | No            |
| Feedback   | Yes     | Yes    | Maybe       | No            |
| Wiki       | View    | Maybe  | N/A         | Collaborative |

2.8 Guest Role

| Attribute           | Details                      |
|---------------------|------------------------------|
| Shortname           | guest                        |
| Archetype           | guest                        |
| Assignable Contexts | Course (via guest access)    |
| Primary Purpose     | View-only access             |

Key Capabilities:

| Capability               | Permission | Description            |
|--------------------------|------------|------------------------|
| moodle/course:view       | Allow      | View course structure  |
| mod/forum:viewdiscussion | Allow      | View forum posts       |
| mod/resource:view        | Allow      | View resources         |
| mod/page:view            | Allow      | View pages             |

Guest Restrictions:

| Action             | Allowed     |
|--------------------|-------------|
| Submit assignments | No          |
| Attempt quizzes    | No          |
| Post in forums     | Usually No  |
| View grades        | No          |
| Edit profile       | No          |
| Send messages      | No          |

2.9 Role Comparison Matrix

| Feature             | Manager | Course Creator | Teacher | Non-editing Teacher | Student | Guest   |
|---------------------|---------|----------------|---------|---------------------|---------|---------|
| Create courses      | Yes     | Yes            | No      | No                  | No      | No      |
| Delete courses      | Yes     | No             | No      | No                  | No      | No      |
| Edit course content | Yes     | In own         | Yes     | No                  | No      | No      |
| Grade students      | Yes     | No             | Yes     | Yes                 | No      | No      |
| Enroll users        | Yes     | No             | Yes     | No                  | No      | No      |
| View all grades     | Yes     | No             | Yes     | Yes                 | No      | No      |
| Manage users        | Yes     | No             | Limited | No                  | No      | No      |
| Backup courses      | Yes     | Yes            | Yes     | No                  | No      | No      |
| Assign roles        | Yes     | No             | Limited | No                  | No      | No      |
| Submit work         | No      | No             | No      | No                  | Yes     | No      |
| View content        | Yes     | Yes            | Yes     | Yes                 | Yes     | Limited |

3. Capabilities Explained

3.1 What is a Capability?

A capability is a specific permission that controls a single action or feature in PulseLMS. Capabilities are the building blocks of roles.

3.2 Capability Structure

┌─────────────────────────────────────────────────────────────────────┐
│                      Capability Naming Structure                     │
├─────────────────────────────────────────────────────────────────────┤
│                                                                      │
│   Component/Plugin     :     Action/Permission                       │
│   ─────────────────        ─────────────────────                     │
│                                                                      │
│   Examples:                                                          │
│                                                                      │
│   mod/forum            :     addpost                                 │
│   ↑                          ↑                                       │
│   Forum module               Add a post action                       │
│                                                                      │
│   moodle/course        :     update                                  │
│   ↑                          ↑                                       │
│   Core course system         Update settings action                  │
│                                                                      │
│   enrol/manual         :     enrol                                   │
│   ↑                          ↑                                       │
│   Manual enrollment          Enroll users action                     │
│                              plugin                                  │
│                                                                      │
└─────────────────────────────────────────────────────────────────────┘

3.3 Capability Categories

Core Capabilities (moodle/)

| Category | Prefix          | Examples                          |
|----------|-----------------|-----------------------------------|
| Course   | moodle/course:  | update, view, delete              |
| User     | moodle/user:    | update, viewdetails               |
| Site     | moodle/site:    | config, viewreports               |
| Backup   | moodle/backup:  | backupcourse, backupsection       |
| Restore  | moodle/restore: | restorecourse, restoreactivity    |
| Grade    | moodle/grade:   | manage, edit, view                |
| Role     | moodle/role:    | assign, override, manage          |
| Cohort   | moodle/cohort:  | manage, assign, view              |

Module Capabilities (mod/)

| Module     | Prefix        | Common Capabilities                    |
|------------|---------------|----------------------------------------|
| Forum      | mod/forum:    | addpost, viewdiscussion, deleteanypost |
| Assignment | mod/assign:   | submit, grade, viewgrades              |
| Quiz       | mod/quiz:     | attempt, view, grade, manage           |
| Lesson     | mod/lesson:   | view, edit, manage                     |
| Resource   | mod/resource: | view                                   |
| Page       | mod/page:     | view                                   |
| Wiki       | mod/wiki:     | edit, createpage, managewiki           |
| Workshop   | mod/workshop: | view, submit, peerassess               |

Block Capabilities (block/)

| Block      | Prefix            | Common Capabilities   |
|------------|-------------------|-----------------------|
| Calendar   | block/calendar:   | view, manageentries   |
| News       | block/news:       | view, manageentries   |
| Completion | block/completion: | view                  |

Enrollment Capabilities (enrol/)

| Plugin | Prefix        | Common Capabilities      |
|--------|---------------|--------------------------|
| Manual | enrol/manual: | enrol, unenrol, manage   |
| Self   | enrol/self:   | config, unenrol          |
| Cohort | enrol/cohort: | config                   |
| Guest  | enrol/guest:  | config                   |

3.4 Capability Properties

Each capability has defined properties:

| Property     | Description               | Example Values        |
|--------------|---------------------------|-----------------------|
| name         | Unique identifier         | mod/forum:addpost     |
| riskbitmask  | Security risk level       | RISK_SPAM, RISK_XSS   |
| captype      | Capability type           | read, write           |
| contextlevel | Applicable contexts       | CONTEXT_COURSE        |
| archetypes   | Default role permissions  | student => CAP_ALLOW  |

3.5 Risk Levels

Capabilities may carry risks that administrators should understand:

| Risk             | Description              | Example Capability        |
|------------------|--------------------------|---------------------------|
| RISK_SPAM        | Could send spam          | mod/forum:addpost         |
| RISK_PERSONAL    | Access personal data     | moodle/user:viewdetails   |
| RISK_XSS         | Cross-site scripting     | moodle/site:trustcontent  |
| RISK_CONFIG      | Change configuration     | moodle/site:config        |
| RISK_MANAGETRUST | Trust content            | moodle/site:manageblocks  |
| RISK_DATALOSS    | Could cause data loss    | moodle/course:delete      |
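The properties in 3.4 and the risk flags in 3.5 are what an administrator should audit before a custom role is assigned. The following is an added example (not PulseLMS code) that decodes a riskbitmask and lists which Allowed capabilities of a role carry risk and which Allows go beyond the role's archetype; the bit values of the RISK_* flags, the capability metadata and the "content reviewer" role are constructed for the example.

```python
"""Risk audit of a role definition, using the capability properties of
Sections 3.4 and 3.5 (constructed example, not PulseLMS code).

A riskbitmask is the OR of RISK_* flags. Before assigning a custom role,
list each capability it Allows that carries a risk, the combined risk
the role exposes, and what it Allows beyond its archetype.
"""
from enum import IntFlag


class Risk(IntFlag):
    """RISK_* flags named in Section 3.5; the bit values are an assumption."""
    NONE = 0
    MANAGETRUST = 1
    CONFIG = 2
    XSS = 4
    PERSONAL = 8
    SPAM = 16
    DATALOSS = 32


# Capability metadata: name -> (riskbitmask, captype, contextlevel).
# Constructed subset; the risk pairings follow the Section 3.5 table.
CAPABILITIES = {
    "mod/forum:addpost": (Risk.SPAM, "write", "CONTEXT_MODULE"),
    "moodle/user:viewdetails": (Risk.PERSONAL, "read", "CONTEXT_COURSE"),
    "moodle/site:trustcontent": (Risk.XSS, "write", "CONTEXT_COURSE"),
    "moodle/site:config": (Risk.CONFIG, "write", "CONTEXT_SYSTEM"),
    "moodle/site:manageblocks": (Risk.MANAGETRUST, "write", "CONTEXT_SYSTEM"),
    "moodle/course:delete": (Risk.DATALOSS, "write", "CONTEXT_COURSE"),
    "mod/quiz:attempt": (Risk.NONE, "write", "CONTEXT_MODULE"),
    "moodle/course:view": (Risk.NONE, "read", "CONTEXT_COURSE"),
}

# Archetype defaults (capability -> permission); constructed subset.
ARCHETYPES = {
    "student": {"moodle/course:view": "CAP_ALLOW",
                "mod/forum:addpost": "CAP_ALLOW",
                "mod/quiz:attempt": "CAP_ALLOW"},
}


def risk_names(mask):
    """Decode a riskbitmask into sorted RISK_* names."""
    return sorted(f"RISK_{flag.name}" for flag in Risk
                  if flag.value and flag in mask)


def audit_role(role_caps, capabilities=CAPABILITIES):
    """Return (risky, combined): risky maps each Allowed capability that
    carries a risk to its RISK_* names; combined is the OR of their masks.
    A capability missing from the metadata is reported as risky (fail closed)."""
    risky, combined = {}, Risk.NONE
    for cap, perm in role_caps.items():
        if perm != "CAP_ALLOW":
            continue                  # Prevent/Prohibit/Not Set grant nothing
        if cap not in capabilities:
            risky[cap] = ["UNKNOWN_CAPABILITY"]
            continue
        mask, _captype, _ctxlevel = capabilities[cap]
        if mask:
            risky[cap] = risk_names(mask)
            combined |= mask
    return risky, combined


def added_allows(role_caps, archetype):
    """Capabilities the custom role Allows that its archetype does not
    (Section 5.2, step 3: review what was added beyond the template)."""
    base = ARCHETYPES.get(archetype, {})
    return sorted(cap for cap, perm in role_caps.items()
                  if perm == "CAP_ALLOW" and base.get(cap) != "CAP_ALLOW")


# A constructed "content reviewer" custom role built on the student archetype.
CONTENT_REVIEWER = {
    "moodle/course:view": "CAP_ALLOW",
    "mod/forum:addpost": "CAP_ALLOW",
    "moodle/user:viewdetails": "CAP_ALLOW",
    "moodle/site:trustcontent": "CAP_ALLOW",
    "moodle/course:delete": "CAP_PREVENT",
    "moodle/site:config": "CAP_PROHIBIT",
}

if __name__ == "__main__":
    risky, combined = audit_role(CONTENT_REVIEWER)
    for cap, names in risky.items():
        print(f"{cap}: {', '.join(names)}")
    print("combined risk:", risk_names(combined))
    print("added beyond archetype:", added_allows(CONTENT_REVIEWER, "student"))
```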

3.6 Viewing Capabilities

Path: Site Administration → Users → Permissions → Define roles

  1. Click on any role
  2. View all capabilities with current permissions
  3. Use filter to find specific capabilities

Filter Options:

| Filter             | Description                      |
|--------------------|----------------------------------|
| By capability name | Search by name                   |
| By permission      | Show only allowed/prohibited     |
| By risk            | Show risky capabilities          |
| By component       | Filter by plugin                 |

3.7 Common Capabilities Reference

Course Management

| Capability                          | Description             | Typical Roles                 |
|-------------------------------------|-------------------------|-------------------------------|
| moodle/course:create                | Create new courses      | Manager, Course Creator       |
| moodle/course:delete                | Delete courses          | Manager                       |
| moodle/course:update                | Change course settings  | Manager, Teacher              |
| moodle/course:view                  | View course content     | All enrolled                  |
| moodle/course:viewhiddencourses     | View hidden courses     | Manager, Teacher              |
| moodle/course:manageactivities      | Add/edit activities     | Teacher                       |
| moodle/course:activityvisibility    | Show/hide activities    | Teacher                       |
| moodle/course:viewhiddenactivities  | View hidden activities  | Teacher, Non-editing Teacher  |
| moodle/course:managefiles           | Manage course files     | Teacher                       |
| moodle/course:viewparticipants      | View enrolled users     | All enrolled                  |

Grading

| Capability               | Description        | Typical Roles                 |
|--------------------------|--------------------|-------------------------------|
| moodle/grade:manage      | Manage gradebook   | Teacher                       |
| moodle/grade:edit        | Edit grades        | Teacher, Non-editing Teacher  |
| moodle/grade:view        | View own grades    | Student                       |
| moodle/grade:viewall     | View all grades    | Teacher                       |
| moodle/grade:viewhidden  | View hidden grades | Teacher                       |
| moodle/grade:hide        | Hide grades        | Teacher                       |
| moodle/grade:import      | Import grades      | Teacher                       |
| moodle/grade:export      | Export grades      | Teacher                       |

User Management

| Capability                     | Description          | Typical Roles        |
|--------------------------------|----------------------|----------------------|
| moodle/user:create             | Create users         | Manager              |
| moodle/user:delete             | Delete users         | Manager              |
| moodle/user:update             | Update user details  | Manager              |
| moodle/user:viewdetails        | View user profiles   | Teacher              |
| moodle/user:viewhiddendetails  | View hidden fields   | Manager              |
| moodle/user:editprofile        | Edit own profile     | Authenticated User   |

4. Permission Levels

4.1 Understanding Permission Levels

PulseLMS uses four permission levels for each capability:

┌─────────────────────────────────────────────────────────────────────┐
│                       Permission Levels                              │
├─────────────────────────────────────────────────────────────────────┤
│                                                                      │
│  ┌───────────────────────────────────────────────────────────────┐  │
│  │  NOT SET (Inherit)                                             │  │
│  │  • No explicit permission defined                              │  │
│  │  • Inherits from parent context or role definition             │  │
│  │  • Most common state for most capabilities                     │  │
│  │  • Represented by: Empty or "Not Set"                          │  │
│  └───────────────────────────────────────────────────────────────┘  │
│                              │                                       │
│                              ▼                                       │
│  ┌───────────────────────────────────────────────────────────────┐  │
│  │  ALLOW                                                         │  │
│  │  • Explicitly grants the permission                            │  │
│  │  • User CAN perform the action                                 │  │
│  │  • Can be overridden by Prohibit                               │  │
│  │  • Represented by: Checkmark or "Allow"                        │  │
│  └───────────────────────────────────────────────────────────────┘  │
│                              │                                       │
│                              ▼                                       │
│  ┌───────────────────────────────────────────────────────────────┐  │
│  │  PREVENT                                                       │  │
│  │  • Removes the permission at this context                      │  │
│  │  • User CANNOT perform the action (here)                       │  │
│  │  • Can be overridden by Allow in child contexts                │  │
│  │  • Represented by: X mark or "Prevent"                         │  │
│  └───────────────────────────────────────────────────────────────┘  │
│                              │                                       │
│                              ▼                                       │
│  ┌───────────────────────────────────────────────────────────────┐  │
│  │  PROHIBIT                                                      │  │
│  │  • Absolutely forbids the permission                           │  │
│  │  • CANNOT be overridden anywhere                               │  │
│  │  • Use with extreme caution                                    │  │
│  │  • Represented by: Exclamation or "Prohibit"                   │  │
│  └───────────────────────────────────────────────────────────────┘  │
│                                                                      │
└─────────────────────────────────────────────────────────────────────┘

4.2 Permission Level Details

Not Set (Inherit)

| Aspect            | Details                          |
|-------------------|----------------------------------|
| Value             | CAP_INHERIT or empty             |
| Behavior          | Uses parent context permission   |
| Override possible | Yes                              |
| Use when          | No specific permission needed    |

Example:

  • Student role has mod/forum:addpost = Allow
  • In Course A, this capability is Not Set
  • Result: Student CAN post (inherits from role)

Allow

| Aspect            | Details                          |
|-------------------|----------------------------------|
| Value             | CAP_ALLOW                        |
| Behavior          | Grants the capability            |
| Override possible | Yes (by Prohibit only)           |
| Use when          | Explicitly granting permission   |

Example:

  • Teacher role has mod/quiz:manage = Allow
  • Teacher CAN manage quizzes in their courses

Prevent

| Aspect            | Details                                        |
|-------------------|------------------------------------------------|
| Value             | CAP_PREVENT                                    |
| Behavior          | Removes the capability in this context         |
| Override possible | Yes (can be re-allowed in children)            |
| Use when          | Temporarily or contextually removing access    |

Example:

  • Student role has mod/forum:addpost = Allow (site-wide)
  • In Announcements Forum, set to Prevent
  • Result: Student CANNOT post in that forum only

Prohibit

| Aspect            | Details                              |
|-------------------|--------------------------------------|
| Value             | CAP_PROHIBIT                         |
| Behavior          | Absolutely forbids the capability    |
| Override possible | NO - cannot be overridden            |
| Use when          | Security-critical situations only    |

Example:

  • User is assigned "Restricted Student" role
  • mod/quiz:preview = Prohibit
  • Result: User can NEVER preview quizzes, regardless of other roles

4.3 Permission Resolution

When a user has multiple roles or overrides, permissions are resolved in the following order:

┌─────────────────────────────────────────────────────────────────────┐
│                    Permission Resolution Process                     │
├─────────────────────────────────────────────────────────────────────┤
│                                                                      │
│  Step 1: Check for PROHIBIT                                          │
│  ┌─────────────────────────────────────────────────────────────────┐│
│  │ IF any role or context has PROHIBIT                             ││
│  │    → Result: PROHIBITED (cannot override)                       ││
│  └─────────────────────────────────────────────────────────────────┘│
│                              │                                       │
│                              ▼ (No prohibit found)                   │
│  Step 2: Check for ALLOW                                             │
│  ┌─────────────────────────────────────────────────────────────────┐│
│  │ IF any role or context has ALLOW                                ││
│  │    → Result: ALLOWED                                            ││
│  └─────────────────────────────────────────────────────────────────┘│
│                              │                                       │
│                              ▼ (No allow found)                      │
│  Step 3: Check for PREVENT                                           │
│  ┌─────────────────────────────────────────────────────────────────┐│
│  │ IF any role or context has PREVENT                              ││
│  │    → Result: NOT ALLOWED                                        ││
│  └─────────────────────────────────────────────────────────────────┘│
│                              │                                       │
│                              ▼ (No prevent found)                    │
│  Step 4: Default                                                     │
│  ┌─────────────────────────────────────────────────────────────────┐│
│  │ No permission defined                                           ││
│  │    → Result: NOT ALLOWED (deny by default)                      ││
│  └─────────────────────────────────────────────────────────────────┘│
│                                                                      │
└─────────────────────────────────────────────────────────────────────┘

4.4 Permission Scenarios

Scenario 1: Multiple Roles

| Role       | Capability        | Permission |
|------------|-------------------|------------|
| Student    | mod/forum:addpost | Allow      |
| Restricted | mod/forum:addpost | Prevent    |

Result: User CAN post (Allow wins over Prevent)

Scenario 2: Prohibit Override

| Role       | Capability       | Permission |
|------------|------------------|------------|
| Teacher    | mod/quiz:preview | Allow      |
| Restricted | mod/quiz:preview | Prohibit   |

Result: User CANNOT preview (Prohibit wins always)

Scenario 3: Context Override

| Context          | Capability        | Permission |
|------------------|-------------------|------------|
| Course (Role)    | mod/forum:addpost | Allow      |
| Forum (Override) | mod/forum:addpost | Prevent    |

Result: User CANNOT post in that specific forum
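The inheritance in 1.6, the four levels in 4.2, the resolution order in 4.3 and the three scenarios above can be checked against a small model. The following is an added example (not PulseLMS code): contexts are path tuples from System downwards, role definitions and overrides are constructed, and the "restricted" role, the Bio101/Science contexts and the Announcements forum are assumptions taken from the guide's own scenarios.

```python
"""Permission resolution as described in Sections 1.6, 4.2, 4.3 and 4.4.

Constructed example, not PulseLMS code. Contexts are path tuples from
System downwards (Section 1.4); a role assigned in a context is active
in that context and every descendant. Per role, the deepest override
on the path decides (Not Set keeps inheriting), except PROHIBIT, which
sticks once seen. Across roles: PROHIBIT > ALLOW > PREVENT > deny.
"""
from enum import Enum


class Perm(Enum):
    NOT_SET = "CAP_INHERIT"
    ALLOW = "CAP_ALLOW"
    PREVENT = "CAP_PREVENT"
    PROHIBIT = "CAP_PROHIBIT"


# Constructed context tree: System -> Category -> Course -> Module.
SYSTEM = ("system",)
SCIENCE = SYSTEM + ("category:Science",)
BIO101 = SCIENCE + ("course:Bio101",)
CHEM101 = SCIENCE + ("course:Chem101",)
ANNOUNCEMENTS = BIO101 + ("forum:Announcements",)
GENERAL = BIO101 + ("forum:General",)

# Role definitions (capability -> permission): a constructed subset of
# Section 2 plus the "restricted" role used in the Section 4.4 scenarios.
ROLE_DEFS = {
    "manager": {"moodle/backup:backupcourse": Perm.ALLOW},
    "teacher": {"mod/quiz:preview": Perm.ALLOW},
    "student": {"mod/forum:addpost": Perm.ALLOW, "mod/assign:submit": Perm.ALLOW},
    "guest": {"moodle/course:view": Perm.ALLOW},
    "restricted": {"mod/forum:addpost": Perm.PREVENT,
                   "mod/quiz:preview": Perm.PROHIBIT},
}


def is_ancestor_or_equal(ctx, target):
    """True when ctx is target itself or lies above it in the tree."""
    return target[:len(ctx)] == ctx


def resolve_role(role, capability, target, overrides):
    """Effective permission of ONE role at target (Section 4.2 semantics).

    overrides maps (context, role, capability) -> Perm, i.e. the
    per-context overrides defined in Section 1.8.
    """
    current = ROLE_DEFS.get(role, {}).get(capability, Perm.NOT_SET)
    prohibited = current is Perm.PROHIBIT
    # Walk root -> target so the most specific override is applied last.
    for depth in range(1, len(target) + 1):
        perm = overrides.get((target[:depth], role, capability))
        if perm is None or perm is Perm.NOT_SET:
            continue                      # Not Set: keep inheriting
        if perm is Perm.PROHIBIT:
            prohibited = True             # cannot be undone further down
        current = perm
    return Perm.PROHIBIT if prohibited else current


def has_capability(user, capability, target, overrides=None):
    """Section 4.3 order: PROHIBIT, then ALLOW, then PREVENT, then deny."""
    overrides = overrides or {}
    if user.get("siteadmin"):
        return True                       # Section 2.2: everything allowed
    results = [
        resolve_role(role, capability, target, overrides)
        for role, ctx in user["assignments"]
        if is_ancestor_or_equal(ctx, target)   # role inactive elsewhere
    ]
    if Perm.PROHIBIT in results:
        return False
    if Perm.ALLOW in results:
        return True
    return False                          # PREVENT or nothing defined


# Users and overrides taken from the guide's scenarios (constructed).
STUDENT = {"assignments": [("student", BIO101)]}
STUDENT_AND_RESTRICTED = {"assignments": [("student", BIO101), ("restricted", BIO101)]}
TEACHER_AND_RESTRICTED = {"assignments": [("teacher", BIO101), ("restricted", BIO101)]}
MANAGER = {"assignments": [("manager", SYSTEM)]}
ANNOUNCEMENTS_LOCKED = {(ANNOUNCEMENTS, "student", "mod/forum:addpost"): Perm.PREVENT}

if __name__ == "__main__":
    print("Scenario 1 (Allow beats Prevent):",
          has_capability(STUDENT_AND_RESTRICTED, "mod/forum:addpost", BIO101))
    print("Scenario 2 (Prohibit always wins):",
          has_capability(TEACHER_AND_RESTRICTED, "mod/quiz:preview", BIO101))
    print("Scenario 3 (forum override):",
          has_capability(STUDENT, "mod/forum:addpost", ANNOUNCEMENTS, ANNOUNCEMENTS_LOCKED))
```

Running the block prints True, False, False for the three scenarios; the same model also shows that a Prevent at category level can be re-allowed by an Allow at course level, while a Prohibit cannot.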

4.5 Permission Best Practices

| Practice                        | Reason                            |
|---------------------------------|-----------------------------------|
| Use Allow sparingly             | Start restrictive, add as needed  |
| Avoid Prohibit unless necessary | Cannot be undone                  |
| Document Prohibit uses          | Track security decisions          |
| Prefer Prevent over Prohibit    | More flexible                     |
| Test permission changes         | Verify expected behavior          |
| Review inherited permissions    | Understand full picture           |

5. Creating Custom Roles

5.1 When to Create Custom Roles

Create custom roles when:

| Scenario                       | Example                  |
|--------------------------------|--------------------------|
| Default roles don't fit needs  | Department coordinator   |
| Specialized permissions needed | Content reviewer         |
| Subset of existing role        | Limited teacher          |
| Organizational requirement     | Compliance officer       |
| Temporary access pattern       | Exam proctor             |

5.2 Role Creation Process

┌─────────────────────────────────────────────────────────────────────┐
│                    Custom Role Creation Process                      │
├─────────────────────────────────────────────────────────────────────┤
│                                                                      │
│  Step 1: Plan the Role                                               │
│  ┌─────────────────────────────────────────────────────────────────┐│
│  │ • Define purpose and responsibilities                           ││
│  │ • Identify required capabilities                                ││
│  │ • Choose archetype (template)                                   ││
│  │ • Determine assignable contexts                                 ││
│  └─────────────────────────────────────────────────────────────────┘│
│                              │                                       │
│                              ▼                                       │
│  Step 2: Create Role                                                 │
│  ┌─────────────────────────────────────────────────────────────────┐│
│  │ • Navigate to Define roles                                      ││
│  │ • Click "Add a new role"                                        ││
│  │ • Choose archetype or start blank                               ││
│  │ • Enter role details                                            ││
│  └─────────────────────────────────────────────────────────────────┘│
│                              │                                       │
│                              ▼                                       │
│  Step 3: Configure Capabilities                                      │
│  ┌─────────────────────────────────────────────────────────────────┐│
│  │ • Review inherited capabilities                                 ││
│  │ • Add required capabilities                                     ││
│  │ • Remove unnecessary capabilities                               ││
│  │ • Set appropriate permission levels                             ││
│  └─────────────────────────────────────────────────────────────────┘│
│                              │                                       │
│                              ▼                                       │
│  Step 4: Test the Role                                               │
│  ┌─────────────────────────────────────────────────────────────────┐│
│  │ • Assign to test user                                           ││
│  │ • Verify permissions work correctly                             ││
│  │ • Use "Check permissions" tool                                  ││
│  │ • Test in various contexts                                      ││
│  └─────────────────────────────────────────────────────────────────┘│
│                              │                                       │
│                              ▼                                       │
│  Step 5: Deploy and Document                                         │
│  ┌─────────────────────────────────────────────────────────────────┐│
│  │ • Assign to production users                                    ││
│  │ • Document role purpose and capabilities                        ││
│  │ • Train administrators on usage                                 ││
│  │ • Monitor for issues                                            ││
│  └─────────────────────────────────────────────────────────────────┘│
│                                                                      │
└─────────────────────────────────────────────────────────────────────┘

5.3 Step-by-Step Role Creation

Step 1: Access Role Management

Path: Site Administration → Users → Permissions → Define roles

Step 2: Add New Role

  1. Click "Add a new role" button
  2. Choose creation method:

Method Description When to Use
Use role or archetype Start from template Most cases
No archetype Start from scratch Unique requirements
Duplicate role Copy existing Minor modifications

Step 3: Configure Role Properties

Property Required Description Example
Short name Yes System identifier contentreviewer
Custom full name No Display name Content Reviewer
Custom description No Role purpose Reviews content before publication
Role archetype Yes Template basis None or existing

Step 4: Set Context Types

Context Check If Description
System Role applies site-wide Rarely needed
User Role for user profiles Special cases
Category Role for categories Department roles
Course Role for courses Most common
Activity module Role for activities Activity-specific
Block Role for blocks Block-specific

Step 5: Set Role Assignment

Setting Description
Allow role to be assigned Contexts where role can be assigned
Allow role to be overridden Where overrides are permitted
Allow role to be switched Where role switching allowed

Step 6: Configure Capabilities

  1. Review all capabilities in the list
  2. For each required capability, change from "Not set" to "Allow"
  3. For each restricted capability, change to "Prevent" or "Prohibit"
  4. Use filters to find specific capabilities

5.4 Custom Role Examples

Example 1: Content Reviewer

Purpose: Reviews course content without editing privileges

Property Value
Short name contentreviewer
Full name Content Reviewer
Archetype None
Contexts Course, Activity module

Capabilities:

Capability Permission Reason
moodle/course:view Allow View course
moodle/course:viewhiddenactivities Allow See hidden content
moodle/course:viewhiddensections Allow See hidden sections
moodle/course:isincompletionreports Prevent Not in reports
mod/forum:viewdiscussion Allow View discussions
mod/forum:addpost Prevent No posting
mod/quiz:view Allow View quizzes
mod/quiz:attempt Prevent No attempting

Example 2: Department Coordinator

Purpose: Manages courses within a department category

Property Value
Short name deptcoord
Full name Department Coordinator
Archetype Manager
Contexts Category

Modified Capabilities (from Manager):

Capability Permission Reason
moodle/user:create Prevent No user creation
moodle/user:delete Prevent No user deletion
moodle/course:delete Prevent No course deletion
moodle/site:config Prevent No site config
moodle/cohort:manage Allow Manage dept cohorts

Example 3: Exam Proctor

Purpose: Supervises exam sessions without grading access

Property Value
Short name examproctor
Full name Exam Proctor
Archetype None
Contexts Course, Module

Capabilities:

Capability Permission Reason
moodle/course:view Allow View course
moodle/course:viewparticipants Allow See students
mod/quiz:viewreports Allow View attempt status
mod/quiz:grade Prevent No grading
mod/quiz:manage Prevent No quiz editing
moodle/grade:view Prevent No grade access

5.5 Role Templates

Minimal Custom Role Template

Short name: [rolename]
Full name: [Role Display Name]
Description: [What this role does]
Archetype: [none/student/teacher/etc]
Contexts: [Course/Category/System]

Required Capabilities:
- capability1: Allow
- capability2: Allow

Restricted Capabilities:
- capability3: Prevent
- capability4: Prevent

5.6 Role Modification Checklist

Step Action Completed
1 Document current role state [ ]
2 Identify needed changes [ ]
3 Test in sandbox environment [ ]
4 Make changes to role [ ]
5 Verify changes with test user [ ]
6 Document changes made [ ]
7 Communicate to affected users [ ]

6. Role Archetypes

6.1 What are Archetypes?

Archetypes are templates that define the default capabilities for roles. They provide a starting point for role creation and ensure consistency across similar roles.

6.2 Available Archetypes

Archetype Purpose Typical Use
manager Full management Administrative roles
coursecreator Course creation Content developers
editingteacher Course editing Instructors
teacher Grading without editing TAs, graders
student Learning Learners
guest View only Previews
user Authenticated user All logged-in users
frontpage Front page access Anonymous users

6.3 Archetype Capabilities

Manager Archetype

Category Key Capabilities
Course Create, update, delete courses
User View and manage users
Role Assign and manage roles
Backup Full backup and restore
Reports View all reports

Course Creator Archetype

Category Key Capabilities
Course Create courses
Backup Backup and restore
Import Import course content
Role Limited role assignment

Editing Teacher Archetype

Category Key Capabilities
Course Update settings, manage activities
Grade Full gradebook access
Enrollment Enroll/unenroll users
Content Add, edit, delete content
Backup Course backup

Non-editing Teacher Archetype

Category Key Capabilities
Course View hidden items
Grade Grade submissions
Content View only
Enrollment View only

Student Archetype

Category Key Capabilities
Course View, participate
Activities Attempt, submit
Grade View own grades
Profile Manage own profile

6.4 Using Archetypes

When Creating a New Role

  1. Choose archetype as starting point
  2. All archetype capabilities are inherited
  3. Modify as needed

When Plugin Adds New Capability

  1. Plugin defines archetype defaults
  2. Existing roles based on archetype inherit
  3. Custom roles may need manual update

6.5 Archetype vs No Archetype

Aspect With Archetype Without Archetype
Starting capabilities Inherited from archetype All "Not Set"
New plugin capabilities May auto-inherit Must manually set
Upgrade behavior Follows archetype updates No automatic changes
Configuration time Faster More work

7. Assigning Roles

7.1 Role Assignment Concepts

┌─────────────────────────────────────────────────────────────────────┐
│                    Role Assignment Components                        │
├─────────────────────────────────────────────────────────────────────┤
│                                                                      │
│  ┌─────────────┐   ┌─────────────┐   ┌─────────────┐               │
│  │    USER     │ + │    ROLE     │ + │   CONTEXT   │ = ASSIGNMENT  │
│  │             │   │             │   │             │               │
│  │  John Smith │   │  Teacher    │   │ Marketing   │  John is      │
│  │             │   │             │   │   101       │  Teacher in   │
│  │             │   │             │   │             │  MKT101       │
│  └─────────────┘   └─────────────┘   └─────────────┘               │
│                                                                      │
└─────────────────────────────────────────────────────────────────────┘

7.2 Assignment Methods

Method 1: System-Level Assignment

Path: Site Administration → Users → Permissions → Assign system roles

Steps:

  1. Select a role from the list
  2. Search for users
  3. Add users to the assigned list
  4. Click "Add"

Use For:

- Site-wide managers
- Course creators
- Global permissions

Method 2: Category-Level Assignment

Path: Category → Settings → Assign roles

Steps:

  1. Navigate to the category
  2. Click category settings
  3. Select "Assign roles"
  4. Choose role and add users

Use For:

- Department managers
- Category coordinators
- Regional administrators

Method 3: Course-Level Assignment

Path: Course → Participants → Enrol users (or) Enrolled users → Edit enrolment

Steps:

  1. Navigate to the course
  2. Go to Participants
  3. Click "Enrol users"
  4. Select role and users
  5. Complete enrollment

Alternative via Role Assignment:

  1. Course → Participants
  2. Click gear icon → "Enrolled users"
  3. Find user → Edit enrollment
  4. Change role assignment

Use For:

- Teachers
- Students
- Teaching assistants

Method 4: Activity-Level Assignment

Path: Activity → Settings → Locally assigned roles

Steps:

  1. Edit the activity
  2. Go to "Locally assigned roles"
  3. Add role assignments

Use For:

- Activity-specific moderators
- Forum managers
- Quiz overseers

7.3 Role Assignment Interface

┌─────────────────────────────────────────────────────────────────────┐
│                    Role Assignment Interface                         │
├─────────────────────────────────────────────────────────────────────┤
│                                                                      │
│  ┌───────────────────────────────────────────────────────────────┐  │
│  │                      Assign Role: Teacher                      │  │
│  └───────────────────────────────────────────────────────────────┘  │
│                                                                      │
│  ┌─────────────────────────┐    ┌─────────────────────────────┐    │
│  │  Existing users (2)     │    │  Potential users            │    │
│  │─────────────────────────│    │─────────────────────────────│    │
│  │  • Jane Doe             │    │  Search: [_____________]    │    │
│  │  • Bob Wilson           │    │                             │    │
│  │                         │    │  • John Smith               │    │
│  │                         │    │  • Mary Johnson             │    │
│  │                         │    │  • Tom Brown                │    │
│  │                         │    │  • Lisa Garcia              │    │
│  │                         │    │                             │    │
│  │    [Remove ←]           │    │    [→ Add]                  │    │
│  │                         │    │                             │    │
│  └─────────────────────────┘    └─────────────────────────────┘    │
│                                                                      │
└─────────────────────────────────────────────────────────────────────┘

7.4 Bulk Role Assignment

Using User Upload

Path: Site Administration → Users → Upload users

CSV Fields for Role Assignment:

Field Description Example
username User identifier jsmith
role1 First role student
course1 First course MKT101
role2 Second role teacher
course2 Second course MKT102

Example CSV:

username,role1,course1,role2,course2
jsmith,student,MKT101,teacher,MKT102
mjohnson,student,MKT101,,
tbrown,teacher,MKT101,,
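A bulk upload is the one place in this guide where role assignments are created without anyone looking at each one, so the file is worth checking before it is imported. The validator below is an added example, not part of PulseLMS or of the Upload users tool: it parses the role1/course1, role2/course2 pairs shown above, flags a role with no matching course (or a course with no role), a duplicated username, a course shortname that does not match a constructed naming convention, and any role that is not on a constructed allow-list of roles this site permits to be granted by upload (manager is deliberately left off that list). The sample CSV extends the guide's three rows with two constructed bad rows.

```python
import csv
import io
import re

# Constructed policy for this example: roles a user upload may grant.
# A privileged role such as manager is intentionally absent.
UPLOADABLE_ROLES = {"student", "teacher", "editingteacher"}
# Constructed course shortname convention matching the guide's MKT101 style.
COURSE_PATTERN = re.compile(r"^[A-Z]{2,5}\d{3}$")

# The guide's example CSV plus two constructed problem rows (lines 5 and 6).
SAMPLE_CSV = """username,role1,course1,role2,course2
jsmith,student,MKT101,teacher,MKT102
mjohnson,student,MKT101,,
tbrown,teacher,MKT101,,
jsmith,manager,MKT101,,
kwong,editingteacher,,,
"""


def validate_role_upload(csv_text):
    """Check a user-upload CSV before import.

    Returns a list of (line_number, message) findings; an empty list means
    every row is clean.  Line 1 is the header, so data rows start at 2."""
    findings = []
    reader = csv.DictReader(io.StringIO(csv_text))
    seen = set()
    for row in reader:
        line = reader.line_num
        username = (row.get("username") or "").strip()
        if not username:
            findings.append((line, "missing username"))
            continue
        if username in seen:
            findings.append((line, f"duplicate row for {username}"))
        seen.add(username)
        # roleN and courseN are only meaningful as a pair, so check them together.
        n = 1
        while f"role{n}" in row or f"course{n}" in row:
            role = (row.get(f"role{n}") or "").strip()
            course = (row.get(f"course{n}") or "").strip()
            if role and not course:
                findings.append((line, f"role{n}={role} has no course{n}"))
            elif course and not role:
                findings.append((line, f"course{n}={course} has no role{n}"))
            if role and role not in UPLOADABLE_ROLES:
                findings.append((line, f"role{n}={role} is not an uploadable role"))
            if course and not COURSE_PATTERN.match(course):
                findings.append((line, f"course{n}={course} is not a known course shortname"))
            n += 1
    return findings


if __name__ == "__main__":
    for line, message in validate_role_upload(SAMPLE_CSV):
        print(f"line {line}: {message}")
```

Run it against the real export before importing; the first three rows (the guide's own example) produce no findings, while the constructed rows are reported with their line numbers so they can be fixed in the file rather than cleaned up in the course afterwards.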

Using Cohort Sync

  1. Create cohort with target users
  2. Set up cohort sync enrollment in course
  3. Configure desired role
  4. All cohort members get role automatically

7.5 Role Assignment Duration

Temporary Assignments

Method Duration Control
Manual enrollment Set start/end dates
Self enrollment Configure duration
Cohort sync Membership-based
User upload Set enrolment dates

Managing Duration

Path: Course → Participants → Edit enrollment

Field Purpose
Enrolment starts When access begins
Enrolment ends When access expires
Status Active or Suspended

7.6 Multiple Role Assignments

A user can have multiple roles simultaneously:

Context Role 1 Role 2 Result
Course A Student - Student permissions
Course B Teacher - Teacher permissions
Course C Student Non-editing Teacher Combined permissions

Permission Resolution with Multiple Roles:

- All Allow permissions are combined
- Prohibit always wins
- User gets the sum of capabilities

7.7 Role Assignment Reports

View Current Assignments:

Path: Site Administration → Users → Permissions → Assign system roles

Shows all users with system-level role assignments.

Course-Level View:

Path: Course → Participants

Use filters to view users by role.


8. Role Overrides in Courses

8.1 What are Role Overrides?

Role overrides modify the capabilities of a role within a specific context, without changing the role definition globally.

8.2 Override Hierarchy

┌─────────────────────────────────────────────────────────────────────┐
│                    Role Override Hierarchy                           │
├─────────────────────────────────────────────────────────────────────┤
│                                                                      │
│  ROLE DEFINITION (Global)                                            │
│  ┌─────────────────────────────────────────────────────────────────┐│
│  │ Student: mod/forum:addpost = Allow                              ││
│  │         (This is the default for all students everywhere)       ││
│  └─────────────────────────────────────────────────────────────────┘│
│                              │                                       │
│                              ▼                                       │
│  COURSE OVERRIDE (if exists)                                         │
│  ┌─────────────────────────────────────────────────────────────────┐│
│  │ In Course "Announcements": Student role override                ││
│  │ mod/forum:addpost = Prevent                                     ││
│  │ (Students in this course can't start forum posts)               ││
│  └─────────────────────────────────────────────────────────────────┘│
│                              │                                       │
│                              ▼                                       │
│  MODULE OVERRIDE (if exists)                                         │
│  ┌─────────────────────────────────────────────────────────────────┐│
│  │ In specific Forum "General Discussion": Student role override   ││
│  │ mod/forum:addpost = Allow                                       ││
│  │ (Students CAN post in this specific forum)                      ││
│  └─────────────────────────────────────────────────────────────────┘│
│                                                                      │
└─────────────────────────────────────────────────────────────────────┘
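The scenarios in section 4.4, the multiple-role rule in 7.6 and the override chain above all follow from one resolution procedure. The model below is an added example written for this guide, not the platform's own code; it assumes exactly the rules the guide states: a Prohibit anywhere wins, otherwise each role's setting closest to the context (module override, then course override, then the global role definition) is used, an Allow from any one role beats a Prevent from another, and a capability nobody sets is denied by default. `guide_scenarios()` encodes the guide's cases as constructed data (the course "MKT101" and forum "General Discussion" are placeholders) and returns the expected outcome for each; the reasons list returned by `has_capability` is the kind of explanation the Check Permissions tool in section 9 shows.

```python
from dataclasses import dataclass, field
from typing import Optional

ALLOW, PREVENT, PROHIBIT, NOT_SET = "Allow", "Prevent", "Prohibit", "Not set"


@dataclass
class Context:
    name: str
    parent: Optional["Context"] = None

    def path(self):
        """This context first, then each parent up to the system root."""
        ctx, out = self, []
        while ctx is not None:
            out.append(ctx)
            ctx = ctx.parent
        return out


@dataclass
class Role:
    name: str
    definition: dict = field(default_factory=dict)  # capability -> permission
    overrides: dict = field(default_factory=dict)   # (context name, capability) -> permission

    def setting_in(self, context, capability):
        """Effective setting for this role: the override closest to the
        context wins; the global role definition is the fallback."""
        for ctx in context.path():
            perm = self.overrides.get((ctx.name, capability))
            if perm is not None:
                return perm
        return self.definition.get(capability, NOT_SET)

    def prohibits(self, context, capability):
        """Prohibit is checked on its own because it wins wherever it sits."""
        if self.definition.get(capability) == PROHIBIT:
            return True
        return any(self.overrides.get((ctx.name, capability)) == PROHIBIT
                   for ctx in context.path())


def has_capability(roles, context, capability):
    """Return (allowed, reasons) for a user holding `roles` in `context`."""
    for role in roles:
        if role.prohibits(context, capability):
            return False, [f"{role.name}: Prohibit (always wins)"]
    reasons, allowed = [], False
    for role in roles:
        perm = role.setting_in(context, capability)
        reasons.append(f"{role.name}: {perm}")
        allowed = allowed or perm == ALLOW
    if not allowed and all(r.endswith(NOT_SET) for r in reasons):
        reasons.append("no role sets this capability: denied by default")
    return allowed, reasons


def guide_scenarios():
    """The guide's scenarios as constructed data; returns name -> allowed."""
    system = Context("System")
    course = Context("MKT101", system)
    forum = Context("General Discussion", course)

    student = Role("Student", {"mod/forum:addpost": ALLOW})
    restricted = Role("Restricted", {"mod/forum:addpost": PREVENT,
                                     "mod/quiz:preview": PROHIBIT})
    teacher = Role("Teacher", {"mod/quiz:preview": ALLOW})
    # Scenario 3: the role allows at course level, a forum override prevents.
    student_s3 = Role("Student", {"mod/forum:addpost": ALLOW},
                      {("General Discussion", "mod/forum:addpost"): PREVENT})
    # Section 8.2: global Allow, course override Prevent, forum override Allow.
    student_82 = Role("Student", {"mod/forum:addpost": ALLOW},
                      {("MKT101", "mod/forum:addpost"): PREVENT,
                       ("General Discussion", "mod/forum:addpost"): ALLOW})
    return {
        "scenario1_allow_beats_prevent":
            has_capability([student, restricted], course, "mod/forum:addpost")[0],
        "scenario2_prohibit_wins":
            has_capability([teacher, restricted], course, "mod/quiz:preview")[0],
        "scenario3_forum_override_prevents":
            has_capability([student_s3], forum, "mod/forum:addpost")[0],
        "s82_course_override_prevents":
            has_capability([student_82], course, "mod/forum:addpost")[0],
        "s82_forum_override_allows":
            has_capability([student_82], forum, "mod/forum:addpost")[0],
        "not_set_denied":
            has_capability([student], course, "mod/forum:deleteanypost")[0],
    }
```

The order of the two loops in `has_capability` is the important design point: Prohibit is resolved before any Allow is considered, which is why the guide says it "wins always" and why it cannot be undone by a lower-context override; Prevent, by contrast, only matters when no other role supplies an Allow at that point in the context chain.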

8.3 Creating Course Overrides

Step-by-Step Process

Step 1: Navigate to Course Permissions

Course → Participants → Permissions (gear icon)

Step 2: Select "Override permissions"

Choose the role you want to override (e.g., Student)

Step 3: Modify Capabilities

Current Override To Effect
Inherit Allow Grant in this context
Inherit Prevent Block in this context
Allow Prevent Remove existing permission
Allow Prohibit Permanently block

Step 4: Save Changes

Click "Save changes" to apply overrides.

8.4 Creating Activity Overrides

Step 1: Edit the Activity

Click the activity → Settings (gear) → Edit settings

Step 2: Access Permissions

In the settings, find "Permissions" or "Locally assigned roles"

Step 3: Override Role Permissions

Same process as course overrides, but applies only to this activity.

8.5 Override Examples

Example 1: Read-Only Forum

Goal: Students can view but not post in Announcements forum

Location: Forum activity settings → Permissions

Capability Role Override
mod/forum:startdiscussion Student Prevent
mod/forum:replypost Student Prevent
mod/forum:viewdiscussion Student Allow (inherited)

Example 2: Extended Quiz Time

Goal: Allow specific role extra time on quiz

Location: Quiz activity settings → Permissions

Capability Role Override
mod/quiz:ignoretimelimits Extended Time Student Allow

Example 3: Hidden Participation

Goal: Students cannot see each other in course

Location: Course → Permissions → Override roles

Capability Role Override
moodle/course:viewparticipants Student Prevent

8.6 Override vs Permission

Aspect Permission (in Role) Override (in Context)
Scope All contexts Specific context only
Persistence Global change Local change
Impact All users with role Users with role in context
Reversibility Affects everyone Easy to remove

8.7 Override Best Practices

Practice Reason
Document all overrides Track changes
Minimize use of Prohibit Cannot be undone
Test before applying Verify expected behavior
Review regularly Remove unnecessary overrides
Use for exceptions only Don't rely on overrides for normal permissions

9. Check Permissions Tool

9.1 Overview

The Check Permissions tool allows administrators to verify what a specific user can do in a given context.

9.2 Accessing the Tool

Path 1: From Course

Course → Participants → Select user → Check permissions

Path 2: From User Profile

User Profile → Administration → Check permissions

Path 3: From Site Administration

Site Administration → Users → Permissions → Check system permissions

9.3 Using the Check Permissions Tool

┌─────────────────────────────────────────────────────────────────────┐
│                    Check Permissions Interface                       │
├─────────────────────────────────────────────────────────────────────┤
│                                                                      │
│  ┌───────────────────────────────────────────────────────────────┐  │
│  │  User: John Smith                                              │  │
│  │  Context: Marketing 101 Course                                 │  │
│  └───────────────────────────────────────────────────────────────┘  │
│                                                                      │
│  Search for capability: [mod/forum____________] [Search]            │
│                                                                      │
│  ┌───────────────────────────────────────────────────────────────┐  │
│  │  Capability Results                                            │  │
│  │─────────────────────────────────────────────────────────────── │  │
│  │                                                                │  │
│  │  mod/forum:addpost                                             │  │
│  │  ┌─────────────────────────────────────────────────────────┐  │  │
│  │  │ Permission: YES (Allowed)                                │  │  │
│  │  │                                                          │  │  │
│  │  │ Roles providing permission:                              │  │  │
│  │  │ • Student (in Marketing 101)                             │  │  │
│  │  │                                                          │  │  │
│  │  │ No overrides affecting this capability                   │  │  │
│  │  └─────────────────────────────────────────────────────────┘  │  │
│  │                                                                │  │
│  │  mod/forum:deleteanypost                                       │  │
│  │  ┌─────────────────────────────────────────────────────────┐  │  │
│  │  │ Permission: NO (Not Allowed)                             │  │  │
│  │  │                                                          │  │  │
│  │  │ No roles provide this capability                         │  │  │
│  │  └─────────────────────────────────────────────────────────┘  │  │
│  │                                                                │  │
│  └───────────────────────────────────────────────────────────────┘  │
│                                                                      │
└─────────────────────────────────────────────────────────────────────┘

9.4 Check Permissions Workflow

Step 1: Select or Navigate to User

Find the user whose permissions you want to check.

Step 2: Choose Context

Select the context (course, activity, etc.) to check.

Step 3: Search for Capability

Enter the capability name or part of it.

Step 4: Review Results

Field Description
Permission Yes (Allowed) or No (Not Allowed)
Roles Which roles grant this permission
Overrides Any overrides affecting the result
Prohibit Any prohibitions in effect

9.5 Troubleshooting with Check Permissions

Common Scenarios

User Can't Access Something They Should:

  1. Check permissions for the expected capability
  2. Verify role assignment in the context
  3. Look for Prevent or Prohibit overrides
  4. Check parent context permissions

User Can Access Something They Shouldn't:

  1. Check which role grants the capability
  2. Look for unexpected role assignments
  3. Check for Allow overrides
  4. Verify context is correct

9.6 Check Permissions Report

Generate a full permissions report:

Path: Site Administration → Reports → Capability overview

Option Description
Select capability Choose capability to report on
Select role Filter by role
View Show all contexts where set

10. Common Role Customizations

10.1 Frequently Requested Modifications

Limiting Student Capabilities

Request Capability Change To
Prevent forum posting mod/forum:startdiscussion Prevent
Block file downloads mod/resource:view Prevent
Hide participant list moodle/course:viewparticipants Prevent
Disable messaging moodle/site:sendmessage Prevent
Block profile viewing moodle/user:viewdetails Prevent

Expanding Teacher Capabilities

Request Capability Change To
Allow user creation moodle/user:create Allow
Enable bulk actions moodle/course:bulkmessaging Allow
Full backup access moodle/backup:userinfo Allow
Manage cohorts moodle/cohort:manage Allow
Delete courses moodle/course:delete Allow

10.2 Creating a Limited Teacher Role

Purpose: Teacher who can grade but not modify content

Base: Non-editing Teacher archetype

Modifications:

Capability Permission Purpose
mod/assign:grade Allow Grade assignments
mod/quiz:grade Allow Grade quizzes
moodle/grade:edit Allow Edit gradebook
moodle/grade:manage Prevent No gradebook setup
moodle/course:manageactivities Prevent No content changes
moodle/course:update Prevent No course settings

10.3 Creating a Course Manager Role

Purpose: Manages a single course completely

Base: Manager archetype

Modifications:

Capability Permission Purpose
moodle/course:delete Prevent Can't delete course
moodle/user:create Prevent Can't create users
moodle/site:config Prevent No site settings
moodle/backup:backupcourse Allow Full backup
enrol/manual:enrol Allow Manage enrollment
enrol/self:config Allow Configure self-enroll

Contexts: Course only

10.4 Creating a Content Developer Role

Purpose: Creates and edits content without student access

Base: Editing Teacher archetype

Modifications:

Capability Permission Purpose
moodle/grade:manage Prevent No grading
moodle/grade:edit Prevent No grade editing
moodle/grade:viewall Prevent No grade viewing
enrol/manual:enrol Prevent No enrollment
mod/assign:grade Prevent No assignment grading
moodle/user:viewdetails Prevent No student details

10.5 Creating a Mentor Role

Purpose: Guides specific students, limited course access

Base: Student archetype

Modifications:

Capability Permission Purpose
moodle/user:viewdetails Allow See mentee profiles
moodle/grade:viewall Allow See mentee grades
mod/assign:viewblinddetails Allow View submission details
moodle/course:viewhiddenactivities Allow See full course
moodle/site:sendmessage Allow Message mentees
mod/assign:grade Prevent No grading

10.6 Role Customization Templates

Template: Restricted Student

Purpose: Limited student access for specific courses
Base Archetype: Student

PREVENT these capabilities:
- moodle/course:viewparticipants
- mod/forum:startdiscussion
- moodle/site:sendmessage
- moodle/user:viewdetails

KEEP these capabilities:
- All activity submission capabilities
- moodle/grade:view (own grades)
- moodle/course:view

Template: Teaching Assistant

Purpose: Grade and support without full edit
Base Archetype: Non-editing Teacher

ALLOW these capabilities:
- mod/assign:grade
- mod/quiz:grade
- moodle/grade:edit
- mod/forum:viewhiddenpost
- moodle/course:viewhiddenactivities

PREVENT these capabilities:
- moodle/course:manageactivities
- moodle/course:update
- enrol/manual:enrol

Template: Department Head

Purpose: Manage department category
Base Archetype: Manager

MODIFY these capabilities:
- moodle/user:create: Prevent
- moodle/user:delete: Prevent
- moodle/course:delete: Prevent
- moodle/cohort:manage: Allow
- moodle/backup:backupcourse: Allow

Assignable Context: Category

10.7 Role Testing Checklist

Test Description Pass
Access test Can access expected areas [ ]
Restriction test Cannot access restricted areas [ ]
Activity test Can perform expected activities [ ]
Override test Overrides work correctly [ ]
Edge case test Handles unusual scenarios [ ]

11. Best Practices for Permissions

11.1 Permission Design Principles

┌─────────────────────────────────────────────────────────────────────┐
│                    Permission Design Principles                      │
├─────────────────────────────────────────────────────────────────────┤
│                                                                      │
│  1. PRINCIPLE OF LEAST PRIVILEGE                                     │
│  ┌─────────────────────────────────────────────────────────────────┐│
│  │ Grant only the minimum permissions necessary for the role       ││
│  │                                                                  ││
│  │ ✓ Start restrictive, add as needed                              ││
│  │ ✗ Start permissive, remove problems                             ││
│  └─────────────────────────────────────────────────────────────────┘│
│                                                                      │
│  2. SEPARATION OF DUTIES                                             │
│  ┌─────────────────────────────────────────────────────────────────┐│
│  │ Divide responsibilities among multiple roles                    ││
│  │                                                                  ││
│  │ ✓ Content creator separate from grader                          ││
│  │ ✗ One role with all permissions                                 ││
│  └─────────────────────────────────────────────────────────────────┘│
│                                                                      │
│  3. CONTEXT APPROPRIATENESS                                          │
│  ┌─────────────────────────────────────────────────────────────────┐│
│  │ Assign roles at the most specific context needed                ││
│  │                                                                  ││
│  │ ✓ Teacher assigned at course level                              ││
│  │ ✗ Teacher assigned at system level                              ││
│  └─────────────────────────────────────────────────────────────────┘│
│                                                                      │
│  4. DOCUMENTATION AND AUDITING                                       │
│  ┌─────────────────────────────────────────────────────────────────┐│
│  │ Maintain records of all role configurations and assignments     ││
│  │                                                                  ││
│  │ ✓ Document custom roles and their purpose                       ││
│  │ ✗ Create roles without documentation                            ││
│  └─────────────────────────────────────────────────────────────────┘│
│                                                                      │
└─────────────────────────────────────────────────────────────────────┘

11.2 Role Management Best Practices

Practice Description
Limit custom roles Use default roles when possible
Name clearly Use descriptive role names
Document purpose Record why each role exists
Regular review Audit roles periodically
Test thoroughly Verify before deployment
Version control Track role changes

11.3 Permission Assignment Best Practices

Practice Description
Assign at correct level Don't over-assign
Use cohorts For group assignments
Set durations Automatic cleanup
Review assignments Regular audits
Document exceptions Track non-standard assignments

11.4 Override Best Practices

Practice Description
Minimize overrides Prefer role modifications
Document all overrides Track what's changed
Avoid Prohibit Use Prevent instead
Regular cleanup Remove unnecessary overrides
Test after override Verify behavior

11.5 Security Best Practices

Practice Reason
Limit admin accounts Reduce risk exposure
Regular capability audits Catch permission creep
Monitor high-risk capabilities Track XSS, config risks
Review guest access Ensure appropriate limits
Audit role changes Track modifications
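A capability audit is easier to repeat if it is a script rather than a manual pass through Define roles. The audit below is an added example, not a PulseLMS report: it takes role definitions exported into a plain dictionary (a constructed shape, not the platform's export format) and flags the conditions this chapter warns about, namely an undocumented role, a high-risk capability (the guide's examples are moodle/site:config and user or course deletion) set to Allow, a Prohibit with no recorded justification, and a custom role that can be assigned at System context. The sample data reuses the Department Coordinator and Exam Proctor roles from section 5.4 plus a constructed "helpdesk" role that breaks every rule.

```python
# Capabilities the guide singles out as high risk (constructed list drawn
# from the chapter's examples; extend it to match local policy).
HIGH_RISK = {
    "moodle/site:config",
    "moodle/user:create",
    "moodle/user:delete",
    "moodle/course:delete",
}

# Constructed role export. "prohibit_notes" records the justification the
# guide asks for whenever Prohibit is used.
SAMPLE_ROLES = [
    {
        "shortname": "deptcoord",
        "description": "Manages courses within a department category",
        "archetype": "manager",
        "contexts": ["Category"],
        "capabilities": {
            "moodle/user:create": "Prevent",
            "moodle/user:delete": "Prevent",
            "moodle/course:delete": "Prevent",
            "moodle/site:config": "Prevent",
            "moodle/cohort:manage": "Allow",
        },
    },
    {
        "shortname": "examproctor",
        "description": "Supervises exam sessions without grading access",
        "archetype": None,
        "contexts": ["Course", "Module"],
        "capabilities": {
            "moodle/course:view": "Allow",
            "moodle/course:viewparticipants": "Allow",
            "mod/quiz:viewreports": "Allow",
            "mod/quiz:grade": "Prevent",
            "mod/quiz:manage": "Prevent",
            "moodle/grade:view": "Prevent",
        },
    },
    {   # constructed problem role
        "shortname": "helpdesk",
        "description": "",
        "archetype": None,
        "contexts": ["System", "Course"],
        "capabilities": {
            "moodle/user:delete": "Allow",
            "moodle/user:viewdetails": "Allow",
            "moodle/site:sendmessage": "Prohibit",
        },
    },
]


def audit_roles(roles):
    """Return a list of (role shortname, finding) for every role that
    violates one of the chapter's practices.  An empty list is a clean audit."""
    findings = []
    for role in roles:
        name = role["shortname"]
        if not role.get("description"):
            findings.append((name, "no description: document the role's purpose"))
        notes = role.get("prohibit_notes", {})
        for cap, perm in sorted(role.get("capabilities", {}).items()):
            if perm == "Allow" and cap in HIGH_RISK:
                findings.append((name, f"high-risk capability allowed: {cap}"))
            if perm == "Prohibit" and cap not in notes:
                findings.append((name, f"undocumented Prohibit on {cap}"))
        if "System" in role.get("contexts", []):
            findings.append((name, "assignable at System context: prefer a narrower context"))
    return findings


if __name__ == "__main__":
    for name, finding in audit_roles(SAMPLE_ROLES):
        print(f"{name}: {finding}")
```

Each finding maps to an item in the annual audit checklist in section 11.10 (custom roles, system assignments, documentation), so the output can be pasted into that record; a role that produces no findings still needs the human review the checklist calls for, since the script only sees the definition, not who holds the role.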

11.6 Governance Framework

Role Governance

Aspect Recommendation
Ownership Assign role owner
Review cycle Quarterly review
Change process Documented approval
Documentation Up-to-date records

Assignment Governance

Aspect Recommendation
Request process Formal request
Approval Manager approval
Duration Set expiration
Review Regular audit

11.7 Common Mistakes to Avoid

Mistake Better Approach
Using Prohibit unnecessarily Use Prevent instead
System-level assignments Use appropriate context
Too many custom roles Leverage archetypes
Undocumented changes Maintain documentation
Skipping testing Always test changes
Permanent assignments Set durations where appropriate

11.8 Permission Troubleshooting Guide

Symptom Investigation Steps
User can't access Check role assignment, context, overrides
User has too much access Check all assigned roles, look for extras
Permission inconsistent Check for conflicting overrides
Override not working Verify context level, check for Prohibit
New capability missing Check archetype inheritance

11.9 Permission Documentation Template

Role: [Role Name]
Created: [Date]
Created By: [Administrator]
Purpose: [Description of role purpose]
Base Archetype: [Archetype name or None]

Assignable Contexts:
- [Context 1]
- [Context 2]

Key Capabilities Allowed:
- capability1: [Reason]
- capability2: [Reason]

Key Capabilities Prevented:
- capability3: [Reason]
- capability4: [Reason]

Prohibited Capabilities:
- capability5: [Reason] (if any)

Known Overrides:
- [Course/Context]: [Override details]

Review History:
- [Date]: [Changes made]
- [Date]: [Changes made]

Assigned Users/Groups:
- [List or reference to list]

11.10 Annual Permission Audit Checklist

| Audit Area | Actions | Completed |
|---|---|---|
| Custom Roles | Review necessity, capabilities | [ ] |
| Role Assignments | Verify appropriateness | [ ] |
| System Assignments | Minimize system-level roles | [ ] |
| Overrides | Remove unnecessary overrides | [ ] |
| Guest Access | Review course guest settings | [ ] |
| Admin Accounts | Verify necessity | [ ] |
| Documentation | Update all documentation | [ ] |
| Orphaned Assignments | Clean up removed users | [ ] |

Appendix A: Capability Quick Reference

A.1 Course Capabilities

| Capability | Description |
|---|---|
| moodle/course:create | Create courses |
| moodle/course:delete | Delete courses |
| moodle/course:update | Update course settings |
| moodle/course:view | View course |
| moodle/course:viewhiddencourses | View hidden courses |
| moodle/course:manageactivities | Manage activities |
| moodle/course:activityvisibility | Control activity visibility |
| moodle/course:viewhiddenactivities | View hidden activities |
| moodle/course:viewhiddensections | View hidden sections |
| moodle/course:managefiles | Manage course files |
| moodle/course:viewparticipants | View participants |
| moodle/course:bulkmessaging | Send bulk messages |
| moodle/course:enrolconfig | Configure enrollment |
| moodle/course:enrolreview | Review enrollments |

A.2 Grade Capabilities

| Capability | Description |
|---|---|
| moodle/grade:manage | Manage gradebook |
| moodle/grade:edit | Edit grades |
| moodle/grade:view | View own grades |
| moodle/grade:viewall | View all grades |
| moodle/grade:viewhidden | View hidden grades |
| moodle/grade:hide | Hide grades |
| moodle/grade:lock | Lock grades |
| moodle/grade:unlock | Unlock grades |
| moodle/grade:import | Import grades |
| moodle/grade:export | Export grades |

A.3 User Capabilities

| Capability | Description |
|---|---|
| moodle/user:create | Create users |
| moodle/user:delete | Delete users |
| moodle/user:update | Update users |
| moodle/user:viewdetails | View user details |
| moodle/user:viewhiddendetails | View hidden details |
| moodle/user:editprofile | Edit profile |
| moodle/user:editownprofile | Edit own profile |
| moodle/user:viewalldetails | View all details |

A.4 Role Capabilities

| Capability | Description |
|---|---|
| moodle/role:assign | Assign roles |
| moodle/role:manage | Manage roles |
| moodle/role:override | Override roles |
| moodle/role:safeoverride | Safe override only |
| moodle/role:review | Review permissions |
| moodle/role:switchroles | Switch roles |

A.5 Common Activity Capabilities

| Module | Capability | Description |
|---|---|---|
| Assignment | mod/assign:submit | Submit assignment |
| Assignment | mod/assign:grade | Grade assignment |
| Assignment | mod/assign:view | View assignment |
| Quiz | mod/quiz:attempt | Attempt quiz |
| Quiz | mod/quiz:view | View quiz |
| Quiz | mod/quiz:grade | Grade quiz |
| Quiz | mod/quiz:manage | Manage quiz |
| Forum | mod/forum:viewdiscussion | View discussions |
| Forum | mod/forum:startdiscussion | Start discussions |
| Forum | mod/forum:replypost | Reply to posts |
| Forum | mod/forum:deleteanypost | Delete any post |

Appendix B: Role Configuration Templates

B.1 Standard Roles Summary

| Role | Archetype | Primary Context | Main Purpose |
|---|---|---|---|
| Manager | manager | System/Category | Full management |
| Course Creator | coursecreator | System/Category | Create courses |
| Teacher | editingteacher | Course | Edit and teach |
| Non-editing Teacher | teacher | Course | Grade only |
| Student | student | Course | Learn |
| Guest | guest | Course | View only |

B.2 Custom Role Templates

Content Developer

Shortname: contentdeveloper
Fullname: Content Developer
Archetype: editingteacher
Contexts: Course

Key ALLOW:
- moodle/course:manageactivities
- moodle/course:update
- moodle/course:viewhiddenactivities
- moodle/backup:backupcourse

Key PREVENT:
- moodle/grade:edit
- moodle/grade:manage
- enrol/manual:enrol
- mod/assign:grade

Teaching Assistant

Shortname: teachingassistant
Fullname: Teaching Assistant
Archetype: teacher
Contexts: Course

Key ALLOW:
- mod/assign:grade
- mod/quiz:grade
- moodle/grade:edit
- moodle/grade:viewall

Key PREVENT:
- moodle/course:manageactivities
- moodle/course:update
- enrol/manual:enrol

Department Coordinator

Shortname: deptcoord
Fullname: Department Coordinator
Archetype: manager
Contexts: Category

Key ALLOW:
- moodle/course:create
- moodle/course:update
- moodle/cohort:manage

Key PREVENT:
- moodle/user:create
- moodle/user:delete
- moodle/course:delete
- moodle/site:config

External Reviewer

Shortname: externalreviewer
Fullname: External Reviewer
Archetype: None
Contexts: Course

Key ALLOW:
- moodle/course:view
- moodle/course:viewhiddenactivities
- moodle/course:viewhiddensections
- mod/forum:viewdiscussion
- mod/quiz:view

Key PREVENT:
- All participation capabilities
- All editing capabilities
- All grading capabilities
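As an added example that is not part of this guide or the PulseLMS code base, the Python script below checks role templates against the points in 11.4, 11.5, 11.7 and 11.10 before they are created: two of the B.2 templates are transcribed into data next to a constructed bad template, and the HIGH_RISK map is a constructed sample of capabilities an administrator chooses to monitor, not the platform's own risk flags.

```python
# Constructed sample of capabilities an administrator chooses to monitor
# (11.5 "Monitor high-risk capabilities"); not the platform's own risk flags.
HIGH_RISK = {
    "moodle/site:config": "site configuration",
    "moodle/role:manage": "role definitions",
    "moodle/user:delete": "destructive user action",
}

# Two templates from B.2 transcribed into data, plus a constructed bad template.
TEMPLATES = [
    {"shortname": "contentdeveloper", "archetype": "editingteacher", "contexts": ["Course"],
     "allow": ["moodle/course:manageactivities", "moodle/course:update",
               "moodle/course:viewhiddenactivities", "moodle/backup:backupcourse"],
     "prevent": ["moodle/grade:edit", "moodle/grade:manage", "enrol/manual:enrol",
                 "mod/assign:grade"],
     "prohibit": []},
    {"shortname": "deptcoord", "archetype": "manager", "contexts": ["Category"],
     "allow": ["moodle/course:create", "moodle/course:update", "moodle/cohort:manage"],
     "prevent": ["moodle/user:create", "moodle/user:delete", "moodle/course:delete",
                 "moodle/site:config"],
     "prohibit": []},
    {"shortname": "badrole", "archetype": "manager", "contexts": ["System", "Course"],
     "allow": ["moodle/site:config", "moodle/grade:edit"],
     "prevent": ["moodle/grade:edit"],
     "prohibit": ["moodle/course:view"]},
]

def audit_role(t):
    """Return findings for one template; an empty list means it passes."""
    findings = []
    if "System" in t["contexts"]:
        findings.append("assignable at System context; use the narrowest context (11.7)")
    if t["prohibit"]:
        findings.append(f"uses Prohibit for {t['prohibit']}; prefer Prevent (11.4, 11.7)")
    for cap in t["allow"]:
        if cap in HIGH_RISK:
            findings.append(f"allows high-risk {cap} ({HIGH_RISK[cap]}); confirm necessity (11.5)")
    for cap in sorted(set(t["allow"]) & set(t["prevent"])):
        findings.append(f"{cap} is listed as both Allow and Prevent; resolve the conflict")
    return findings

def audit_all(templates):
    """Map each role shortname to its findings, for the 11.10 'Custom Roles' line."""
    return {t["shortname"]: audit_role(t) for t in templates}

if __name__ == "__main__":
    for name, findings in audit_all(TEMPLATES).items():
        print(name, "OK" if not findings else findings)
```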

Document History

| Version | Date | Author | Changes |
|---|---|---|---|
| 1.0 | 2024 | Admin Team | Initial creation |
| 2.0 | 2025 | Admin Team | Comprehensive update |

This document is part of the PulseLMS Administrator Documentation Series.