Note: You are currently viewing documentation for Moodle 2.4. Up-to-date documentation for the latest stable version of Moodle may be available here: Manager role.

Manager role: Difference between revisions

From MoodleDocs
(Category-level manager and login as capability)
 
(6 intermediate revisions by 2 users not shown)
Line 1: Line 1:
{{Standard roles}}
{{Standard roles}}
The default manager role enables users assigned the role to access courses and modify them.


The Manager role is a 'real role', ''similar'' to Administrator (but much safer to use).
The default Manager role enables users assigned the role to access courses and modify them, as well as perform certain administrative level tasks related to courses, users, grade settings, etc.  


The way permission checks work in the Moodle code is that there is a function called has_capability.  For admins, has_capability will '''always''' return true, no matter how the roles are set up.
Unlike the administrator role, the Manager role is a 'real role', whose capabilities you can edit, but is ''similar'' to Administrator (but much safer to use) due to its broad default powers. As a normal role, like Course Creator or Teacher, while the Manager role has almost very many capabilities by default, you can edit that role if you choose.


However, the Manager role is a normal role, like Course Creator, or Teacher. By default the Manager role has almost every capability but, because it is a normal role, you can edit that role if you choose (there is no way to edit what permissions an Administrator has).
(The way permission checks work in the Moodle code is that there is a function called has_capability.  For admins, has_capability will '''always''' return true, no matter how the roles are set up. Thus there is no way to edit what permissions an Administrator has.)
Best-practice might suggest that Admins should normally use a Manager role, and not use an Administrator account.


This is similar to the way you are recommended not to log into Linux as root.
Adopting a best-practice based on the [https://buildsecurityin.us-cert.gov/bsi/articles/knowledge/principles/351-BSI.html?layoutType=plain Principle of Least Privilege] suggests that Admins should normally use a Manager role, and not use an Administrator account, similar to the way you are recommended not to log into Linux as root.


The Manager role therefore allows a site Administrator to give very powerful roles to others who are assigned a Manager role, but without having to give them a full Administrator role.
The Manager role therefore allows a site Administrator to give very powerful roles to others who are assigned a Manager role, but without having to give them a full Administrator role.
Line 70: Line 68:
* Manager has access to most system level reports but not the Configuration report.
* Manager has access to most system level reports but not the Configuration report.
* Manager has the ability to assign other users as a sitewide Manager  
* Manager has the ability to assign other users as a sitewide Manager  
* Also, a Manager has the ability to edit the role of Manager itself - to disable this, you could prohibit the Create and manage roles (moodle/role:manage) capability
* Also, a Manager has the ability to edit the role of Manager itself - to disable this, you could prohibit the Create and manage roles ''moodle/role:manage'' capability


==Assigning the role of Manager at the Category level==
==Assigning the role of Manager at the Category level==
Line 78: Line 76:
Do this if you want someone to be able to have access to all the courses in a single category and manage them, but do not want them to have access to any of Site administration tools.  
Do this if you want someone to be able to have access to all the courses in a single category and manage them, but do not want them to have access to any of Site administration tools.  


Do this as follows: ''Site administration > Courses > Add/edit courses > '' (select a category) ''> Edit this category > Settings'' block: ''Assign roles > Manager >'' (select user) ''Add''
Assign this as follows: ''Site administration > Courses > Add/edit courses > '' (select a category) ''> Edit this category > Settings'' block: ''Assign roles > Manager >'' (select user) ''Add''


Notes:
Notes:


* A Category level Manager is so only for the assigned category: to manage more than one category, you will need to assign them that role in each category separately
* A category-level manager is so only for the assigned category: to manage more than one category, you will need to assign them that role in each category separately
* Category level Managers also [https://docs.moodle.org/24/en/Capabilities/moodle/category:manage manage any sub-categories] beneath the category they are assigned
* Category-level managers also [https://docs.moodle.org/24/en/Capabilities/moodle/category:manage manage any sub-categories] beneath the category they are assigned, including create new subcategories and move courses
* They can create courses in the their assigned categories
* They can create courses in the their assigned categories
* A category-level manager will not have as many capabilities as a site-level manager, since certain capabilities can only be applied in the system context i.e. via a system role
* Regarding the [[Capabilities/moodle/user:loginas|capability to login as another user]], for courses within the category that they manage, a category-level manager can only login as as another course participant and browse within that course only


View of the Settings block for a Category level Manager with Editing turned on, showingthe ''Edit this category'' and ''Add a sub-category'' commands:
Note that in the new Moodle 2 interface, some commands are in the Settings blocks now. Managers must Turn editing on in order to have ''Edit category'' and ''Add category'' links/buttons both in Settings and on the main content area. The screenshot below is a view of the Settings block for a Category level Manager with Editing turned on, showing the ''Edit this category'' and ''Add a sub-category'' commands:


[[File:category-level-manager-settings.png]]
[[File:category-level-manager-settings.png]]
Line 95: Line 95:


[[de:Manager-Rolle]]
[[de:Manager-Rolle]]
[[es:Mánager]]

Latest revision as of 11:01, 1 March 2013


The default Manager role enables users assigned the role to access courses and modify them, as well as perform certain administrative level tasks related to courses, users, grade settings, etc.

Unlike the administrator role, the Manager role is a 'real role', whose capabilities you can edit, but is similar to Administrator (but much safer to use) due to its broad default powers. As a normal role, like Course Creator or Teacher, while the Manager role has almost very many capabilities by default, you can edit that role if you choose.

(The way permission checks work in the Moodle code is that there is a function called has_capability. For admins, has_capability will always return true, no matter how the roles are set up. Thus there is no way to edit what permissions an Administrator has.)

Adopting a best-practice based on the Principle of Least Privilege suggests that Admins should normally use a Manager role, and not use an Administrator account, similar to the way you are recommended not to log into Linux as root.

The Manager role therefore allows a site Administrator to give very powerful roles to others who are assigned a Manager role, but without having to give them a full Administrator role.

Assigning the role of Manager at the Site level

You can give someone the Manager role sitewide (to enable them for instance to add new users) by going to Settings>Site Administration>Users>Permissions>Assign system roles, selecting the Manager role and moving over your chosen user.

When you do so, users in that role will have access to only some of the items in Site administration. They do not have access to areas such as Security, Server, Plugins, Appearance, or Advanced Features, which are reserved for those in the Site administrators group. They have access to most of the tools for User, Course and Grade system settings and tools.

Specifically the sitewide Manager role can see these in Site administration:

   Users
       Accounts
           Browse list of users
           Bulk user actions
           Add a new user
           Cohorts
           Upload users
           Upload user pictures
       Permissions
           Define roles
           Assign system role
           Check system permissions
           Capability overview
   Courses
       Add/edit courses
       Backups
           General backup defaults
           Automated backup setup
   Grades
       General settings
       Grade category settings
       Grade item settings
       Scales
       Letters
       Report settings
   Language
       Language customisation
   Front page
       Front page settings
       Front page roles
       Front page filters
       Front page backup
       Front page restore
       Front page questions
   Reports
       Comments
       Backups
       Course overview
       Logs
       Live logs
       Question instances
       Security overview
       Statistics

Notes:

  • Some of these can further restricted by editing specific capabilities of the role, e.g., create users, upload users from a file, manual enrolments, managing cohorts, language customisation, et cet.
  • Manager has access to Front page same as with other courses (as it is technically a course).
  • Manager has access to most system level reports but not the Configuration report.
  • Manager has the ability to assign other users as a sitewide Manager
  • Also, a Manager has the ability to edit the role of Manager itself - to disable this, you could prohibit the Create and manage roles moodle/role:manage capability

Assigning the role of Manager at the Category level

The Manager role can also be assigned in the context Category rather than sitewide.

Do this if you want someone to be able to have access to all the courses in a single category and manage them, but do not want them to have access to any of Site administration tools.

Assign this as follows: Site administration > Courses > Add/edit courses > (select a category) > Edit this category > Settings block: Assign roles > Manager > (select user) Add

Notes:

  • A category-level manager is so only for the assigned category: to manage more than one category, you will need to assign them that role in each category separately
  • Category-level managers also manage any sub-categories beneath the category they are assigned, including create new subcategories and move courses
  • They can create courses in the their assigned categories
  • A category-level manager will not have as many capabilities as a site-level manager, since certain capabilities can only be applied in the system context i.e. via a system role
  • Regarding the capability to login as another user, for courses within the category that they manage, a category-level manager can only login as as another course participant and browse within that course only

Note that in the new Moodle 2 interface, some commands are in the Settings blocks now. Managers must Turn editing on in order to have Edit category and Add category links/buttons both in Settings and on the main content area. The screenshot below is a view of the Settings block for a Category level Manager with Editing turned on, showing the Edit this category and Add a sub-category commands:

category-level-manager-settings.png

See also