Tenant administrator role


This feature is part of Moodle Workplace, which is available through Moodle Partners.


The tenant administrator role is created automatically when Moodle Workplace is installed. This role cannot be removed; however, the main admin can modify its capabilities. The role is assigned automatically to the users who are set as tenant administrators in the Multi-tenancy feature.

Such users will be able to browse users, add and edit users and manage theme settings for their own tenant. They can also create and manage programs, certifications, dynamic rules, custom reports, organisation structure and certificates for their tenants as well as assign the respective roles to the other users.

Some core capabilities are also included in this role, for example 'moodle/role:assign', 'moodle/site:uploadusers', 'moodle/site:viewuseridentity', 'moodle/badges:awardbadge', 'moodle/badges:viewawarded'. Even though these capabilities are defined by core, the core code was modified in Moodle Workplace to limit the users the tenant administrator can view to the list of users in their own tenant. This means the tenant administrator will not be able to assign roles to, award badges to, or view badges awarded to users outside of their tenant. Examples of places that have been modified:

  • User selector used when manually enrolling users in a course
  • User selector used when assigning roles
  • User selector used when issuing badges

It is important to remember that there are still a lot of core capabilities that, if granted, would allow the user to see or work with all users in the system. If the capability is not included in the default "Tenant administrator" role, it may not be multi-tenant compatible. When modifying the "Tenant administrator" role it is better not to add any more capabilities to it.
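
One way to watch for the drift described above, as an added example that is not Moodle's own code: the Python check below compares the role's current rows against a baseline and reports capabilities that have been allowed since. It assumes the rows were read from Moodle's `role_capabilities` table as (contextid, capability, permission) tuples; `audit_role`, the sample rows and the `local_example/thing:view` capability are constructed for illustration, and the baseline holds only the five core capabilities named on this page rather than the full default role.

```python
from collections import defaultdict

# Moodle permission value stored in role_capabilities.permission for "allow"
CAP_ALLOW = 1

# Assumption: a real baseline is a snapshot of the role taken right after
# install. Only the five core capabilities named on this page are listed here.
BASELINE = frozenset({
    "moodle/role:assign",
    "moodle/site:uploadusers",
    "moodle/site:viewuseridentity",
    "moodle/badges:awardbadge",
    "moodle/badges:viewawarded",
})

def audit_role(rows, baseline=BASELINE):
    """Compare a role's current rows against the baseline.

    rows: (contextid, capability, permission) tuples for one role.
    Returns (added_core, added_other, missing); the added_* dicts map
    capability -> sorted contextids in which it is allowed.
    """
    allowed = defaultdict(set)
    for contextid, capability, permission in rows:
        if permission == CAP_ALLOW:
            allowed[capability].add(contextid)
    added = {c: sorted(ctx) for c, ctx in allowed.items() if c not in baseline}
    # Core capabilities carry the "moodle/" prefix; the page warns that many
    # of them let the holder see or work with all users in the system.
    added_core = {c: v for c, v in added.items() if c.startswith("moodle/")}
    added_other = {c: v for c, v in added.items() if not c.startswith("moodle/")}
    missing = sorted(baseline - set(allowed))
    return added_core, added_other, missing

# Constructed sample rows: (contextid, capability, permission)
SAMPLE_ROWS = [
    (1, "moodle/role:assign", 1),
    (1, "moodle/site:uploadusers", 1),
    (1, "moodle/site:viewuseridentity", 1),
    (1, "moodle/badges:awardbadge", 1),
    (1, "moodle/badges:viewawarded", -1),   # changed to "prevent"
    (1, "moodle/user:viewalldetails", 1),   # allowed after install
    (57, "moodle/user:viewalldetails", 1),  # also allowed by an override
    (1, "local_example/thing:view", 1),     # hypothetical plugin capability
]

if __name__ == "__main__":
    core, other, missing = audit_role(SAMPLE_ROWS)
    print("added core:", core, "| added other:", other, "| missing:", missing)
```

Any entry in the first result is a core capability that was not part of the recorded role and should be reviewed for multi-tenant compatibility before it stays.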