Roles and permissions
Roles and permissions
- An identifier of the user's status in some context, for example Teacher, Student and Forum moderator
- A description of a particular Moodle feature, for example moodle/blog:create
- A setting for a capability
- A "space" in Moodle, such as courses, activity modules or blocks
Permissions are settings for specific capabilities. There are four values:
- Not Set (formerly Inherit)
- This is the default value for all permissions when a new role is created. It means "use whatever setting the user already has". To determine what permission the user already has, Moodle searches upward through the nested contexts, looking for an explicit value (Allow, Prevent, Prohibit) for this capability. For example, if a role is assigned to a user in a course context, and some capability has a value of 'Not set,' then the actual permission will be whatever the user has at the category level, or (failing to find an explicit permission at the category level) at the site level. Note that the search terminates when an explicit permission is found. If no explicit permission is found, then the value in the current context becomes Prevent.
- By choosing this you are granting permission for this capability to people who are assigned this role. This permission applies for the context that this role gets assigned plus all "lower" contexts. For example, if this role is a student role assigned to a course, then students will be able to "start new discussions" in all forums in that course, unless some forum contains an override or a new assignment with a Prevent or Prohibit value for this capability.
- By choosing this you are removing permission for this capability, even if the users with this role were allowed that permission in a higher context.
- This is rarely needed, but occasionally you might want to completely deny permissions to a role in a way that can NOT be overridden at any lower context. An example of when you might need this is when an admin wants to prohibit one person from starting new discussions in any forum on the whole site. In this case they can create a role with that capability set to "Prohibit" and then assign it to that user in the system context.