Override permissions: Difference between revisions

Latest revision as of 07:58, 24 October 2011

This page requires updating for Moodle 2.0. Please do so and remove this template when finished.

Overrides are specific permissions designed to override a role in a specific context, allowing you to "tweak" your permissions as required.

Overrides may be used to "open up" areas by giving users extra permissions. For example, an override may be used to enable students to rate forum posts (see Forum settings for details).

Overrides may also be used to prevent actions, such as starting new discussions in an archived forum.

Permissions

Override permissions in Moodle 1.9

There are four settings for each permission capability:

Inherit: The default setting. If a capability is set to inherit, the user's permissions remain the same as they are in a less specific context, or another role where the capability is defined. For example, if a student is allowed to attempt quiz questions at the course level, their role in a specific quiz will inherit this setting. Ultimately, if permission is never allowed at any level, then the user will have no permission for that capability.

Allow: This enables a user to use a capability in a given context. This permission applies for the context that the role gets assigned plus all lower contexts. For example, if a user is assigned the role of student in a course, they will be able to start new discussions in all forums in that course (unless a forum contains an override with a prevent or prohibit value for the capability).

Prevent: By choosing this you are removing permission for this capability, even if the users with this role were allowed that permission in a higher context.

Prohibit: This is rarely needed, but occasionally you might want to completely deny permissions to a role in a way that can NOT be overridden at any lower context. An example of when you might need this is when an admin wants to prohibit one person from starting new discussions in any forum on the whole system. In this case they can create a role with that capability set to "Prohibit" and then assign it to that user in the system context.

Conflict resolution of permissions

Permissions at a "lower" context will generally override anything at a "higher" context (this applies to overrides and assigned roles). The exception is PROHIBIT which can not be overridden at lower levels.

If two roles are assigned to a person in the same context, one with ALLOW and one with PREVENT, which one wins? In this case, Moodle will look up the context tree for a "decider".

For example, a student has two roles in a course, one that allows them to start new discussions, one that prevents them. In this case, we check the categories and the system contexts, looking for another defined permission to help us decide. If we don't find one, then permission is PREVENT by default (because the two settings cancelled each other out, and thus you have no permission).

Special exceptions

Note that the guest user account will generally be prevented from posting content (eg forums, calendar entries, blogs) even if it is given the capability to do so.

Locations for overriding permissions

Front page context: "Override permissions" tab via Site Administration > Front Page > Front Page roles (in Moodle 1.8 onwards)
Course category context: "Override permissions" tab via assign roles link in course categories page
Course context: "Override permissions" tab via assign roles link in course administration block
Module context: "Override permissions" tab in editing activity page
Block context: "Override permissions" tab via assign roles link course block (with editing turned on)
User context: "Override permissions" link via roles tab in user profile page

Ability to override permissions

Users who have the capability moodle/role:override allowed (or, in Moodle 1.9.3 onwards, the capability moodle/role:safeoverride allowed) can override permissions for selected roles (as set in Allow role overrides).

The default administrator role has the capability moodle/role:override allowed, and admins can override permissions for all other roles by default.

Enabling teachers to override permissions

By default, only administrators are able to override permissions. Teachers can be enabled to do so as follows:

Access Administration > Users > Permissions > Define roles.
Edit the teacher role and change the capability moodle/role:override (or moodle/role:safeoverride in Moodle 1.9.3 onwards) to allow.
Click the button "Save changes".
Click the tab "Allow role overrides" (in Administration > Users > Permissions > Define roles).
Check the appropriate box(s) in the teacher row to set which role(s) teachers can override. Most likely it will just be the student role (you don't want teachers to be able to override admins), so check the box where the teacher row intersects with the student column.
Click the button "Save changes".

If preferred, a new role for overriding permissions may be created and selected teachers assigned to it.

Overriding permissions for selected students

Sometimes a teacher will want to over ride permissions for selected students. Typically they will assign a student a role locally. For example, assign a student as a non-editing teacher. However, administrators can override specific permission in a role. This does not create a new role. It modifies an existing specific role and affects all users assigned to that role in the context.

Sometimes the administrator (or someone with the permissions to) will create a new role. For example, the administrator will copy all the student permissions to a new role, then change specific permissions. The teacher then assigns specific students to this role without having to worry about checking off the correct role permissions.

@@ Line 1: / Line 1: @@
 {{Roles}}
+{{Update}}
+Overrides are specific permissions designed to override a role in a specific context, allowing you to "tweak" your permissions as required.
-Overrides are specific permissions designed to override a role in a specific context, allowing you to "tweak" your permissions as required.  Overriding does not create a new role. It modifies an existing role and affects all users assigned to that role in the context.
+Overrides may be used to "open up" areas by giving users extra permissions. For example, an override may be used to enable students to rate forum posts (see [[Forum settings]] for details).
-[[Image:Roles OverRide tab.JPG|thumb|300px|left|Overrides page]]For example, users with the Student role can normally start new discussions in forums.  Suppose there is a particular forum in which you want to restrict this capability.  Within the forum, set an override that PREVENTS the capability for Students to "Start new discussions."
+Overrides may also be used to prevent actions, such as starting new discussions in an archived forum.
-If you want to prevent only a few selected students from starting discussions in the forum, you cannot do it by overriding the Student role, since doing so would affect all Students.  You need a new role.  Unfortunately, you (as a teacher) cannot create one.  Only the administrator can create new roles.  The best solution is to ask the administrator to create a copy of the Student role.  Then, within the forum, override the copied role as described in the paragraph above.  Finally, assign the selected students to this role within the forum.
+==Permissions==
+[[Image:Override permissions.png|thumb|Override permissions in Moodle 1.9]]
+There are four settings for each permission capability:
-Overrides can also be used to "open up" areas of your site and courses to give users extra permissions where it makes sense. For example, you may want to experiment giving Students the ability to grade some assignments.
+;Inherit
+:The default setting. If a capability is set to inherit, the user's permissions remain the same as they are in a less specific context, or another role where the capability is defined. For example, if a student is allowed to attempt quiz questions at the course level, their role in a specific quiz will inherit this setting. Ultimately, if permission is never allowed at any level, then the user will have no permission for that capability.
-The interface for overriding roles is similar to the one for defining roles, except sometimes only relevant capabilities are shown, and you will also see some capabilities highlighted to show you what the permission for that role would be WITHOUT any override active (ie when your override is set to NOT SET).
+;Allow
+:This enables a user to use a capability in a given context. This permission applies for the context that the role gets assigned plus all lower contexts. For example, if a user is assigned the role of student in a course, they will be able to start new discussions in all forums in that course (unless a forum contains an override with a prevent or prohibit value for the capability).
-==Enabling teachers to override roles==
+;Prevent
+:By choosing this you are removing permission for this capability, even if the users with this role were allowed that permission in a higher context.
-By default, only administrators are able to override roles. You can enable teachers to do so as follows:
+;Prohibit
-#Access ''Administration > Users > Permissions > Define roles''
+:This is rarely needed, but occasionally you might want to completely deny permissions to a role in a way that can NOT be overridden at any lower context. An example of when you might need this is when an admin wants to prohibit one person from starting new discussions in any forum on the whole system. In this case they can create a role with that capability set to "Prohibit" and then assign it to that user in the system context.
-#Edit the teacher role and change the capability [[Capabilities/moodle/role:override|moodle/role:override]] to allow
-#Click the button "Save changes"
-#Click the tab "Allow role overrides" (in ''Administration > Users > Permissions > Define roles'')
-#Check the appropriate box to allow a teacher to override the student role
-#Click the button "Save changes"
-If preferred, a new role for overriding the student role may be created and selected teachers assigned to it.
+==Conflict resolution of permissions==
+Permissions at a "lower" context will generally override anything at a "higher" context (this applies to overrides and assigned roles). The exception is PROHIBIT which can not be overridden at lower levels.
+If two roles are assigned to a person in the same context, one with ALLOW and one with PREVENT, which one wins? In this case, Moodle will look up the context tree for a "decider".
+For example, a student has two roles in a course, one that allows them to start new discussions, one that prevents them. In this case, we check the categories and the system contexts, looking for another defined permission to help us decide. If we don't find one, then permission is PREVENT by default (because the two settings cancelled each other out, and thus you have no permission).
+===Special exceptions===
+Note that the guest user account will generally be prevented from posting content (eg forums, calendar entries, blogs) even if it is given the capability to do so.
+==Locations for overriding permissions==
+*Front page context: "Override permissions" tab via ''Site Administration > Front Page > Front Page roles'' (in Moodle 1.8 onwards)
+*Course category context: "Override permissions" tab via assign roles link in course categories page
+*Course context: "Override permissions" tab via assign roles link in course administration block
+*Module context: "Override permissions" tab in editing activity page
+*Block context: "Override permissions" tab via assign roles link course block (with editing turned on)
+*User context: "Override permissions" link via roles tab in user profile page
+==Ability to override permissions==
+Users who have the capability [[Capabilities/moodle/role:override|moodle/role:override]] allowed (or, in Moodle 1.9.3 onwards, the capability [[Capabilities/moodle/role:safeoverride|moodle/role:safeoverride]] allowed) can override permissions for selected roles (as set in [[Allow role overrides]]).
+The default administrator role has the capability moodle/role:override allowed, and admins can override permissions for all other roles by default.
+==Enabling teachers to override permissions==
+By default, only administrators are able to override permissions. Teachers can be enabled to do so as follows:
+#Access ''Administration > Users > Permissions > Define roles''.
+#Edit the teacher role and change the capability [[Capabilities/moodle/role:override|moodle/role:override]] (or moodle/role:safeoverride in Moodle 1.9.3 onwards) to allow.
+#Click the button "Save changes".
+#Click the tab "Allow role overrides" (in ''Administration > Users > Permissions > Define roles'').
+#Check the appropriate box(s) in the teacher row to set which role(s) teachers can override. Most likely it will just be the student role (you don't want teachers to be able to override admins), so check the box where the teacher row intersects with the student column.
+#Click the button "Save changes".
+If preferred, a new role for overriding permissions may be created and selected teachers assigned to it.
+==Overriding permissions for selected students==
+Sometimes a teacher will want to over ride permissions for selected students. Typically they will assign a student a role locally. For example, assign a student as a non-editing teacher.  However, administrators can override specific permission in a role.  This does not create a new role. It modifies an existing specific role and affects all users assigned to that role in the context.
+Sometimes the administrator (or someone with the permissions to) will create a new role.  For example, the administrator will copy all the student permissions to a new role, then change specific permissions. The teacher then assigns specific students to this role without having to worry about checking off the correct role permissions.
+[[cs:Přenastavení oprávnění]]
 [[es:Anular_roles]]
+[[eu:Baimenak_kendu]]
 [[fr:Définir des dérogations aux rôles]]
 [[ja:ロールのオーバーライド]]
 [[ru:Переопределение ролей]]
+[[de:Zugriffsrechte ändern]]

Documentation