Roles and permissions

Revision as of 08:21, 4 October 2007 by Helen Foster (talk | contribs) (permissions (moved from Manage roles)

Jump to: navigation, search

Note: You are currently viewing documentation for Moodle 3.1. Up-to-date documentation for the latest stable version of Moodle is probably available here: Roles and permissions.

Template:Moodle 1.7Roles and capabilities in Moodle 1.7 onwards provides great flexibility in managing how users interact. Prior to Moodle 1.7, there were only six roles possible: guest, student, non-editing teacher, editing teacher, course creator, and administrator. Whilst these roles may still be used, it's now possible to create additional roles, and to change what a given role can do in a particular activity.


An identifier of the user's status in some context, for example Teacher, Student and Forum moderator
A description of a particular Moodle feature, for example moodle/blog:create
A setting for a capability
A "space" in Moodle, such as courses, activity modules or blocks


Permissions are settings for specific capabilities. There are four values:

Not Set (formerly Inherit)
This is the default value for all permissions when a new role is created. It means "use whatever setting the user already has". To determine what permission the user already has, Moodle searches upward through the nested contexts, looking for an explicit value (Allow, Prevent, Prohibit) for this capability. For example, if a role is assigned to a user in a course context, and some capability has a value of 'Not set,' then the actual permission will be whatever the user has at the category level, or (failing to find an explicit permission at the category level) at the site level. Note that the search terminates when an explicit permission is found. If no explicit permission is found, then the value in the current context becomes Prevent.
By choosing this you are granting permission for this capability to people who are assigned this role. This permission applies for the context that this role gets assigned plus all "lower" contexts. For example, if this role is a student role assigned to a course, then students will be able to "start new discussions" in all forums in that course, unless some forum contains an override or a new assignment with a Prevent or Prohibit value for this capability.
By choosing this you are removing permission for this capability, even if the users with this role were allowed that permission in a higher context.
This is rarely needed, but occasionally you might want to completely deny permissions to a role in a way that can NOT be overridden at any lower context. An example of when you might need this is when an admin wants to prohibit one person from starting new discussions in any forum on the whole site. In this case they can create a role with that capability set to "Prohibit" and then assign it to that user in the site context.

See also