Manager role: Difference between revisions
m (updated link to updated spanish version of page) |
|||
(33 intermediate revisions by 4 users not shown) | |||
Line 1: | Line 1: | ||
{{Standard roles}} | {{Standard roles}} | ||
== Manager role abilities== | |||
The | The default Manager role enables users assigned the role to access courses and modify them, as well as perform certain administrative level tasks related to courses, users, grade settings, etc. | ||
Unlike the administrator role, the Manager role is a 'real role', whose capabilities you can edit, but is ''similar'' to Administrator (but much safer to use) due to its broad default powers. As a normal role, like Course Creator or Teacher, while the Manager role has almost very many capabilities by default, you can edit that role if you choose. | |||
(The way permission checks work in the Moodle code is that there is a function called has_capability. For admins, has_capability will '''always''' return true, no matter how the roles are set up. Thus there is no way to edit what permissions an Administrator has.) | |||
Adopting a best-practice based on the [https://buildsecurityin.us-cert.gov/bsi/articles/knowledge/principles/351-BSI.html?layoutType=plain Principle of Least Privilege] suggests that Admins should normally use a Manager role, and not use an Administrator account, similar to the way you are recommended not to log into Linux as root. | |||
The Manager role therefore allows a site Administrator to give very powerful roles to others who are assigned a Manager role, but without having to give them a full Administrator role. | The Manager role therefore allows a site Administrator to give very powerful roles to others who are assigned a Manager role, but without having to give them a full Administrator role. | ||
==Assigning the role of Manager | ==Assigning the role of Manager at the Site level== | ||
You can give someone the Manager role sitewide(to enable them for instance to add new users) by going to '' | You can give someone the Manager role sitewide (to enable them for instance to add new users) by going to ''Site Administration>Users>Permissions>Assign system roles'', selecting the Manager role and moving over your chosen user. | ||
When you do so, users in that role will have access to only some of the items in Site administration. They do not have access to areas such as Security, Server, Plugins, Advanced Features, which are reserved for those in the Site administrators group. They have access to most of the tools for User, Course and Grade system settings and tools. | When you do so, users in that role will have access to only some of the items in Site administration. They do not have access to areas such as Security, Server, Plugins, Appearance, or Advanced Features, which are reserved for those in the Site administrators group. They have access to most of the tools for User, Course and Grade system settings and tools. | ||
Specifically the | Specifically the Site-wide Manager role can see these in Site administration: | ||
Competencies | |||
Migrate frameworks | |||
Import competency framework | |||
Export competency framework | |||
Competency frameworks | |||
Learning plan templates | |||
Badges | |||
Badges settings | |||
Manage badges | |||
Add a new badge | |||
Language | |||
Language customisation | |||
Appearance | |||
Default Dashboard page | |||
Default profile page | |||
Manage tags | |||
User tours | |||
Front page | |||
Front page settings | |||
Users | Users | ||
Accounts | Accounts | ||
Browse list of users | |||
Bulk user actions | |||
Add a new user | |||
Cohorts | |||
Upload users | |||
Upload user pictures | |||
Permissions | Permissions | ||
Define roles | |||
Assign system role | |||
Check system permissions | |||
Capability overview | |||
Assign user roles to cohort | |||
Courses | Courses | ||
Add | Manage courses and categories | ||
Add a category | |||
Restore course | |||
Backups | Backups | ||
General backup defaults | |||
General import defaults | |||
Automated backup setup | |||
Grades | Grades | ||
General settings | General settings | ||
Line 43: | Line 66: | ||
Grade item settings | Grade item settings | ||
Scales | Scales | ||
Outcomes (if enabled on site) | |||
Letters | Letters | ||
Report settings | Report settings | ||
Grader report | |||
Grade history | |||
Overview report | |||
User report | |||
Plugins | |||
Question types | |||
Question preview defaults | |||
Reports | Reports | ||
Comments | Comments | ||
Backups | Backups | ||
Logs | Logs | ||
Live logs | Live logs | ||
Performance overview | |||
Security overview | Security overview | ||
Statistics | Statistics (if enabled on site) | ||
Event monitoring rules | |||
Notes: | |||
* Some of these can further restricted by editing specific capabilities of the role, e.g., create users, upload users from a file, manual enrolments, managing cohorts, language customisation, et cet. | |||
* Manager has access to Front page same as with other courses (as it is technically a course). | |||
* Manager has access to most system level reports but not the Configuration report. | |||
* Manager has the ability to assign other users as a sitewide Manager | |||
* Also, a Manager has the ability to edit the role of Manager itself - to disable this, you could prohibit the Create and manage roles ''moodle/role:manage'' capability | |||
==Assigning the role of Manager at the Category level== | |||
The Manager role can also be assigned in the context Category rather than sitewide. | |||
Do this if you want someone to be able to have access to all the courses in a single category and manage them, but do not want them to have access to any of Site administration tools. | |||
Assign this as follows: ''Site administration > Courses > Add/edit courses > '' (select a category) ''> Edit this category > Administration'' block: ''Assign roles > Manager >'' (select user) ''Add'' | |||
Notes: | |||
* A category-level manager is so only for the assigned category: to manage more than one category, you will need to assign them that role in each category separately | |||
* Category-level managers also [https://docs.moodle.org/en/Capabilities/moodle/category:manage manage any sub-categories] beneath the category they are assigned, including create new subcategories and move courses | |||
* They can create courses in the their assigned categories | |||
* A category-level manager will not have as many capabilities as a site-level manager, since certain capabilities can only be applied in the system context i.e. via a system role | |||
* Regarding the [[Capabilities/moodle/user:loginas|capability to login as another user]], for courses within the category that they manage, a category-level manager can only login as another course participant and browse within that course only | |||
Note that in some commands are in the Administration block. Managers must Turn editing on in order to have ''Edit category'' and ''Add category'' links. The screenshot below is a view of the Administration block for a Category level Manager with Editing turned on, showing the ''Edit this category'' and ''Add a sub-category'' commands: | |||
[[File:category-level-manager-settings.png]] | |||
==See also== | ==See also== | ||
Line 69: | Line 119: | ||
[[de:Manager-Rolle]] | [[de:Manager-Rolle]] | ||
[[es:Rol de Mánager]] |
Latest revision as of 13:49, 11 May 2017
Manager role abilities
The default Manager role enables users assigned the role to access courses and modify them, as well as perform certain administrative level tasks related to courses, users, grade settings, etc.
Unlike the administrator role, the Manager role is a 'real role', whose capabilities you can edit, but is similar to Administrator (but much safer to use) due to its broad default powers. As a normal role, like Course Creator or Teacher, while the Manager role has almost very many capabilities by default, you can edit that role if you choose.
(The way permission checks work in the Moodle code is that there is a function called has_capability. For admins, has_capability will always return true, no matter how the roles are set up. Thus there is no way to edit what permissions an Administrator has.)
Adopting a best-practice based on the Principle of Least Privilege suggests that Admins should normally use a Manager role, and not use an Administrator account, similar to the way you are recommended not to log into Linux as root.
The Manager role therefore allows a site Administrator to give very powerful roles to others who are assigned a Manager role, but without having to give them a full Administrator role.
Assigning the role of Manager at the Site level
You can give someone the Manager role sitewide (to enable them for instance to add new users) by going to Site Administration>Users>Permissions>Assign system roles, selecting the Manager role and moving over your chosen user.
When you do so, users in that role will have access to only some of the items in Site administration. They do not have access to areas such as Security, Server, Plugins, Appearance, or Advanced Features, which are reserved for those in the Site administrators group. They have access to most of the tools for User, Course and Grade system settings and tools.
Specifically the Site-wide Manager role can see these in Site administration:
Competencies Migrate frameworks Import competency framework Export competency framework Competency frameworks Learning plan templates Badges Badges settings Manage badges Add a new badge Language Language customisation Appearance Default Dashboard page Default profile page Manage tags User tours Front page Front page settings Users Accounts Browse list of users Bulk user actions Add a new user Cohorts Upload users Upload user pictures Permissions Define roles Assign system role Check system permissions Capability overview Assign user roles to cohort Courses Manage courses and categories Add a category Restore course Backups General backup defaults General import defaults Automated backup setup Grades General settings Grade category settings Grade item settings Scales Outcomes (if enabled on site) Letters Report settings Grader report Grade history Overview report User report Plugins Question types Question preview defaults Reports Comments Backups Logs Live logs Performance overview Security overview Statistics (if enabled on site) Event monitoring rules
Notes:
- Some of these can further restricted by editing specific capabilities of the role, e.g., create users, upload users from a file, manual enrolments, managing cohorts, language customisation, et cet.
- Manager has access to Front page same as with other courses (as it is technically a course).
- Manager has access to most system level reports but not the Configuration report.
- Manager has the ability to assign other users as a sitewide Manager
- Also, a Manager has the ability to edit the role of Manager itself - to disable this, you could prohibit the Create and manage roles moodle/role:manage capability
Assigning the role of Manager at the Category level
The Manager role can also be assigned in the context Category rather than sitewide.
Do this if you want someone to be able to have access to all the courses in a single category and manage them, but do not want them to have access to any of Site administration tools.
Assign this as follows: Site administration > Courses > Add/edit courses > (select a category) > Edit this category > Administration block: Assign roles > Manager > (select user) Add
Notes:
- A category-level manager is so only for the assigned category: to manage more than one category, you will need to assign them that role in each category separately
- Category-level managers also manage any sub-categories beneath the category they are assigned, including create new subcategories and move courses
- They can create courses in the their assigned categories
- A category-level manager will not have as many capabilities as a site-level manager, since certain capabilities can only be applied in the system context i.e. via a system role
- Regarding the capability to login as another user, for courses within the category that they manage, a category-level manager can only login as another course participant and browse within that course only
Note that in some commands are in the Administration block. Managers must Turn editing on in order to have Edit category and Add category links. The screenshot below is a view of the Administration block for a Category level Manager with Editing turned on, showing the Edit this category and Add a sub-category commands: