Note: You are currently viewing documentation for Moodle 3.2. Up-to-date documentation for the latest stable version of Moodle is probably available here: Manager role.

Manager role: Difference between revisions

From MoodleDocs
m (updated link to updated spanish version of page)
 
(33 intermediate revisions by 4 users not shown)
Line 1: Line 1:
{{Standard roles}}
{{Standard roles}}
The default manager role enables users assigned the role to access courses and modify them.


The Manager role is a 'real role', ''similar'' to Administrator (but much safer to use).
== Manager role abilities==


The way permission checks work in the Moodle code is that there is a function called has_capability.  For admins, has_capability will '''always''' return true, no matter how the roles are set up.
The default Manager role enables users assigned the role to access courses and modify them, as well as perform certain administrative level tasks related to courses, users, grade settings, etc.  


However, the Manager role is a normal role, like Course Creator, or Teacher. By default the Manager role has almost every capability but, because it is a normal role, you can edit that role if you choose (there is no way to edit what permissions an Administrator has).
Unlike the administrator role, the Manager role is a 'real role', whose capabilities you can edit, but is ''similar'' to Administrator (but much safer to use) due to its broad default powers. As a normal role, like Course Creator or Teacher, while the Manager role has almost very many capabilities by default, you can edit that role if you choose.
Best-practice might suggest that Admins should normally use a Manager role, and not use an Administrator account.


This is similar to the way you are recommended not to log into Linux as root.
(The way permission checks work in the Moodle code is that there is a function called has_capability.  For admins, has_capability will '''always''' return true, no matter how the roles are set up. Thus there is no way to edit what permissions an Administrator has.)
 
Adopting a best-practice based on the [https://buildsecurityin.us-cert.gov/bsi/articles/knowledge/principles/351-BSI.html?layoutType=plain Principle of Least Privilege] suggests that Admins should normally use a Manager role, and not use an Administrator account, similar to the way you are recommended not to log into Linux as root.


The Manager role therefore allows a site Administrator to give very powerful roles to others who are assigned a Manager role, but without having to give them a full Administrator role.
The Manager role therefore allows a site Administrator to give very powerful roles to others who are assigned a Manager role, but without having to give them a full Administrator role.


==Assigning the role of Manager Sitewide ==
==Assigning the role of Manager at the Site level==
You can give someone the Manager role sitewide(to enable them for instance to add new users) by going to ''Settings>Site Administration>Users>Permissions>Assign system roles'', selecting the Manager role and moving over your chosen user.
You can give someone the Manager role sitewide (to enable them for instance to add new users) by going to ''Site Administration>Users>Permissions>Assign system roles'', selecting the Manager role and moving over your chosen user.


When you do so, users in that role will have access to only some of the items in Site administration. They do not have access to areas such as Security, Server, Plugins, Advanced Features, which are reserved for those in the Site administrators group. They have access to most of the tools for User, Course and Grade system settings and tools.
When you do so, users in that role will have access to only some of the items in Site administration. They do not have access to areas such as Security, Server, Plugins, Appearance, or Advanced Features, which are reserved for those in the Site administrators group. They have access to most of the tools for User, Course and Grade system settings and tools.


Specifically the site-wide Manager role can see these in Site administration:
Specifically the Site-wide Manager role can see these in Site administration:


    Competencies
        Migrate frameworks
        Import competency framework
        Export competency framework
        Competency frameworks
        Learning plan templates
    Badges
        Badges settings
        Manage badges
        Add a new badge
    Language
        Language customisation
    Appearance
        Default Dashboard page
        Default profile page
        Manage tags
        User tours
    Front page
        Front page settings
     Users
     Users
         Accounts
         Accounts
            Browse list of users
          Browse list of users
            Bulk user actions
          Bulk user actions
            Add a new user
          Add a new user
            Cohorts
          Cohorts
            Upload users
          Upload users
            Upload user pictures
          Upload user pictures
         Permissions
         Permissions
            Define roles
          Define roles
            Assign system role
          Assign system role
            Check system permissions
          Check system permissions
            Capability overview
          Capability overview
          Assign user roles to cohort
     Courses
     Courses
         Add/edit courses
        Manage courses and categories
         Add a category
        Restore course
         Backups
         Backups
            General backup defaults
          General backup defaults
            Automated backup setup
          General import defaults
          Automated backup setup
     Grades
     Grades
         General settings
         General settings
Line 43: Line 66:
         Grade item settings
         Grade item settings
         Scales
         Scales
        Outcomes (if enabled on site)
         Letters
         Letters
         Report settings
         Report settings
    Language
          Grader report
        Language customisation
          Grade history
    Front page
          Overview report
        Front page settings
          User report
        Front page roles
    Plugins
        Front page filters
         Question types
        Front page backup
          Question preview defaults
         Front page restore
        Front page questions
     Reports
     Reports
         Comments
         Comments
         Backups
         Backups
        Course overview
         Logs
         Logs
         Live logs
         Live logs
         Question instances
         Performance overview
         Security overview
         Security overview
         Statistics
         Statistics (if enabled on site)
        Event monitoring rules
 
Notes:
 
* Some of these can further restricted by editing specific capabilities of the role, e.g., create users, upload users from a file, manual enrolments, managing cohorts, language customisation, et cet.
* Manager has access to Front page same as with other courses (as it is technically a course).
* Manager has access to most system level reports but not the Configuration report.
* Manager has the ability to assign other users as a sitewide Manager
* Also, a Manager has the ability to edit the role of Manager itself - to disable this, you could prohibit the Create and manage roles ''moodle/role:manage'' capability
 
==Assigning the role of Manager at the Category level==
 
The Manager role can also be assigned in the context Category rather than sitewide.
 
Do this if you want someone to be able to have access to all the courses in a single category and manage them, but do not want them to have access to any of Site administration tools.
 
Assign this as follows: ''Site administration > Courses > Add/edit courses > '' (select a category) ''> Edit this category > Administration'' block: ''Assign roles > Manager >'' (select user) ''Add''
 
Notes:
 
* A category-level manager is so only for the assigned category: to manage more than one category, you will need to assign them that role in each category separately
* Category-level managers also [https://docs.moodle.org/en/Capabilities/moodle/category:manage manage any sub-categories] beneath the category they are assigned, including create new subcategories and move courses
* They can create courses in the their assigned categories
* A category-level manager will not have as many capabilities as a site-level manager, since certain capabilities can only be applied in the system context i.e. via a system role
* Regarding the [[Capabilities/moodle/user:loginas|capability to login as another user]], for courses within the category that they manage, a category-level manager can only login as  another course participant and browse within that course only
 
Note that in some commands are in the Administration block. Managers must Turn editing on in order to have ''Edit category'' and ''Add category'' links. The screenshot below is a view of the Administration block for a Category level Manager with Editing turned on, showing the ''Edit this category'' and ''Add a sub-category'' commands:
 
[[File:category-level-manager-settings.png]]


==See also==
==See also==
Line 69: Line 119:


[[de:Manager-Rolle]]
[[de:Manager-Rolle]]
[[es:Rol de Mánager]]

Latest revision as of 13:49, 11 May 2017


Manager role abilities

The default Manager role enables users assigned the role to access courses and modify them, as well as perform certain administrative level tasks related to courses, users, grade settings, etc.

Unlike the administrator role, the Manager role is a 'real role', whose capabilities you can edit, but is similar to Administrator (but much safer to use) due to its broad default powers. As a normal role, like Course Creator or Teacher, while the Manager role has almost very many capabilities by default, you can edit that role if you choose.

(The way permission checks work in the Moodle code is that there is a function called has_capability. For admins, has_capability will always return true, no matter how the roles are set up. Thus there is no way to edit what permissions an Administrator has.)

Adopting a best-practice based on the Principle of Least Privilege suggests that Admins should normally use a Manager role, and not use an Administrator account, similar to the way you are recommended not to log into Linux as root.

The Manager role therefore allows a site Administrator to give very powerful roles to others who are assigned a Manager role, but without having to give them a full Administrator role.

Assigning the role of Manager at the Site level

You can give someone the Manager role sitewide (to enable them for instance to add new users) by going to Site Administration>Users>Permissions>Assign system roles, selecting the Manager role and moving over your chosen user.

When you do so, users in that role will have access to only some of the items in Site administration. They do not have access to areas such as Security, Server, Plugins, Appearance, or Advanced Features, which are reserved for those in the Site administrators group. They have access to most of the tools for User, Course and Grade system settings and tools.

Specifically the Site-wide Manager role can see these in Site administration:

   Competencies
       Migrate frameworks
       Import competency framework
       Export competency framework
       Competency frameworks
       Learning plan templates
   Badges
       Badges settings
       Manage badges
       Add a new badge
   Language
       Language customisation 
   Appearance
       Default Dashboard page
       Default profile page
       Manage tags
       User tours
   Front page
       Front page settings
   Users
       Accounts
          Browse list of users
          Bulk user actions
          Add a new user
          Cohorts
          Upload users
          Upload user pictures
       Permissions
          Define roles
          Assign system role
          Check system permissions
          Capability overview
          Assign user roles to cohort
   Courses
       Manage courses and categories
       Add a category
       Restore course
       Backups
          General backup defaults
          General import defaults
          Automated backup setup
   Grades
       General settings
       Grade category settings
       Grade item settings
       Scales
       Outcomes (if enabled on site)
       Letters
       Report settings
          Grader report
          Grade history
          Overview report
          User report
    Plugins
       Question types
          Question preview defaults
   Reports
       Comments
       Backups
       Logs
       Live logs
       Performance overview
       Security overview
       Statistics (if enabled on site)
       Event monitoring rules

Notes:

  • Some of these can further restricted by editing specific capabilities of the role, e.g., create users, upload users from a file, manual enrolments, managing cohorts, language customisation, et cet.
  • Manager has access to Front page same as with other courses (as it is technically a course).
  • Manager has access to most system level reports but not the Configuration report.
  • Manager has the ability to assign other users as a sitewide Manager
  • Also, a Manager has the ability to edit the role of Manager itself - to disable this, you could prohibit the Create and manage roles moodle/role:manage capability

Assigning the role of Manager at the Category level

The Manager role can also be assigned in the context Category rather than sitewide.

Do this if you want someone to be able to have access to all the courses in a single category and manage them, but do not want them to have access to any of Site administration tools.

Assign this as follows: Site administration > Courses > Add/edit courses > (select a category) > Edit this category > Administration block: Assign roles > Manager > (select user) Add

Notes:

  • A category-level manager is so only for the assigned category: to manage more than one category, you will need to assign them that role in each category separately
  • Category-level managers also manage any sub-categories beneath the category they are assigned, including create new subcategories and move courses
  • They can create courses in the their assigned categories
  • A category-level manager will not have as many capabilities as a site-level manager, since certain capabilities can only be applied in the system context i.e. via a system role
  • Regarding the capability to login as another user, for courses within the category that they manage, a category-level manager can only login as another course participant and browse within that course only

Note that in some commands are in the Administration block. Managers must Turn editing on in order to have Edit category and Add category links. The screenshot below is a view of the Administration block for a Category level Manager with Editing turned on, showing the Edit this category and Add a sub-category commands:

category-level-manager-settings.png

See also