Question Asked:

Can I restrict administrative access to my Design-a-Course account?

Posted 3 years ago by Dave Smith in Design-a-Course

The following roles are defined within the Design-a-Course (DaC) application and determine how much a logged-in user of the system can do.

  • Take courses
  • Author courses
  • Monitor course scores
  • Assign courses to students
  • Manage users
  • Administer the company's account

The last of these, "Administer the company's account," gives the user unlimited administrative access to all courses, users, and groups within the account. The other less privileged roles allow the user limited administrative access. For example, a user with the "Author courses" role can upload new courses to the account but cannot add or modify user accounts, view course results, or make course assignments.

However, after assigning one of the lesser roles to a user, that user gets the following error when he tries to use that permission.

ERROR! You do not have a permission needed to do this.

This is the answer to the question:

3 years ago by Dave Smith (Staff Member)

Granting access for a user always requires two parts, a role and a permission; however, there are shortcuts for a couple of the roles. What is shown in the question is a list of the available roles for a user. On the other side of this same screen you will find a section much like this example, where you will assign the permissions.

Permissions that may be assigned to a user

First I will explain the two shortcuts. If a user is assigned the “Administer the company’s account” role, then permission checking is not enforced. A user with the “Administer account” role is a super-user and is automatically granted all permissions. This explains why things work for those who have this role.

At the other end of the permission scale is the “Take courses” role. Every user login (account) is automatically granted the “Take courses” role when their login is created (but this role can be removed by an administrator). When a user is assigned to a group, that user is automatically given permission to take any course that is also assigned to the same group. In this way, we implement our simple course assignment method. Since every user has the “Take courses” role and assigning them to a group grants them the permission to take any course in that group, both the role and permission are supplied by simply adding the user account and then placing that user and the desired course(s) in the same group.

Now let’s talk about what I like to call the sub-administrator roles, or those roles that allow a user limited administrative access to the system. I will illustrate with an example.

Let’s say you have a department head. You want this user to be able to monitor course status of the people in his department, but you do not want him to be able to create or modify users, create or modify courses, etc. Looking at the list of roles, in the question, you would check the box that grants this user the “Monitor course scores” role. Then, on the left side of that same window, you would click the option to edit the permission named, “Courses this user may monitor.” That brings up the following window:

Choose which courses a user may monitor

Ignore, for the moment, the “except:” part of the screen. At the top you have options to assign this permission at the group level, i.e. apply it to all courses in a given group, or at the individual object (course, in this example) level. As usual, the easiest method is to assign the permission to the group, which will ensure that this user has the permission on any future courses that get added to this group. However, your configuration may require that this user be able to monitor all courses in a particular group plus one (or more) courses that are not in that group. When you click on one of the top two links on this page, you are adding a “grant” of the associated permission to that user for that object (course) or group of objects.

Finally, let’s talk about the lower part of the screen, below the word except:

To extend our current example, we will create a scenario where UserA needs to monitor all of the courses in GroupA except for the course named “COURSE_DO_NOT_MONITOR.” You have already granted UserA the role to monitor course scores and the permission to monitor all courses in GroupA. Now you click on the link, “Add more individual courses” at the bottom of the screen (below except: ) and choose the course COURSE_DO_NOT_MONITOR. This applies a “Deny” against this user for this specific course. Denies always override grants; therefore, this user can now monitor scores for all courses in GroupA except the one course named COURSE_DO_NOT_MONITOR.

We hope that this explanation was helpful. Please add your comments and questions.

Dave Smith

Brindle Waye
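
The evaluation order described in the answer above (admin shortcut, role, deny, grant), sketched as an added example; this is not Design-a-Course code. `User`, `is_allowed`, and the courses `Safety101` and `Payroll201` are hypothetical, and checking denies before the group shortcut and keeping them per role are assumptions.

```python
from dataclasses import dataclass, field

ADMIN, TAKE, MONITOR = ("Administer the company's account", "Take courses",
                        "Monitor course scores")

# Constructed sample data: course -> groups it is assigned to.
COURSES = {"COURSE_DO_NOT_MONITOR": {"GroupA"}, "Safety101": {"GroupA"},
           "Payroll201": {"GroupB"}}

@dataclass
class User:
    roles: set = field(default_factory=lambda: {TAKE})  # default role at creation
    groups: set = field(default_factory=set)
    grants: dict = field(default_factory=dict)  # role -> {("group"|"course", name)}
    denies: dict = field(default_factory=dict)  # same shape: the "except:" list

def _matches(entries, course):
    # An entry applies to the course directly or through one of its groups.
    return any((kind == "course" and name == course) or
               (kind == "group" and name in COURSES[course])
               for kind, name in entries)

def is_allowed(user, role, course):
    if ADMIN in user.roles:
        return True    # super-user: permission checking is not enforced
    if role not in user.roles:
        return False   # first part missing: the role
    if _matches(user.denies.get(role, ()), course):
        return False   # denies always override grants (assumed checked first)
    if role == TAKE and user.groups & COURSES[course]:
        return True    # sharing a group with the course supplies the permission
    return _matches(user.grants.get(role, ()), course)  # second part: the grant

def scenario():
    role_only = User(roles={TAKE, MONITOR})  # role without permission: the ERROR! case
    user_a = User(roles={TAKE, MONITOR}, groups={"GroupA"},
                  grants={MONITOR: {("group", "GroupA")}},
                  denies={MONITOR: {("course", "COURSE_DO_NOT_MONITOR")}})
    admin = User(roles={ADMIN})
    return {
        "role_only": is_allowed(role_only, MONITOR, "Safety101"),
        "a_group": is_allowed(user_a, MONITOR, "Safety101"),
        "a_denied": is_allowed(user_a, MONITOR, "COURSE_DO_NOT_MONITOR"),
        "a_other_group": is_allowed(user_a, MONITOR, "Payroll201"),
        "a_take": is_allowed(user_a, TAKE, "COURSE_DO_NOT_MONITOR"),
        "admin": is_allowed(admin, MONITOR, "Payroll201"),
    }

if __name__ == "__main__":
    print(scenario())
```

The `role_only` case returns `False`, which is the situation in the question: the role is assigned but no matching permission has been granted.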
