User access re-written #30
There are no files selected for viewing
Loading
Sorry, something went wrong. Reload?
Sorry, we cannot display this file.
Sorry, this file is invalid so it cannot be displayed.
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,67 @@ | ||
| # Base User Roles | ||
|
|
||
| There are currently 3 base user roles: | ||
|
|
||
| ## STUDENT | ||
|
|
||
| Users with the STUDENT role have access only to student pages. There is only one class or type of STUDENT role, however access to specific modules is subject to enrollment as a student on that module. Enrolment of students is done by a teacher. | ||
|
|
||
| ## TEACHER | ||
|
|
||
| Users with the TEACHER role have access, in addition to student pages, to teacher pages. This includes, for example, the teacher home page (`/teacher`). Within TEACHER pages, users only have access to modules to which they are linked as a teacher or tutor. | ||
|
|
||
| Access as a _teacher_ requires enrollment as a teacher on the relevant module, which can be done in two different ways: | ||
|
|
||
| - by teachers on that module with the relevant permissions. | ||
| - by ADMIN users in the ADMIN pages. | ||
|
|
||
| Access as a _tutor_ to teacher pages of a module is by a link to a student who is enrolled on that module. The link is via a ['global tag'](user_tags.md), which is managed by an ADMIN. | ||
|
|
||
| On each module that a user is enrolled as a teacher, they will be assigned a teacher _role_. The number of different roles (such as 'MODULE OWNER' or 'TEACHING ASSISTANT'), and their respective permissions, is configurable by ADMIN users. Each role is defined by which permissions are, or are not, assigned to the role. Permissions include access to pages, tabs, menus, and features (such as enrolling or viewing statistics). | ||
|
|
||
| Permissions that can be assigned to a teacher role are visible when enrolling a teacher. The pop-up shows which permissions exist, which roles have been configured, and their intersection. An example is below. | ||
|
|
||
|  | ||
|
|
||
| Permissions are part of the application. Roles are configured by ADMIN users on the app. | ||
|
|
||
| ## ADMIN | ||
|
|
||
| Users with the ADMIN role have, in addtion to TEACHER and STUDET privileges, access to all admin pages. There is only one class of ADMIN. | ||
|
|
||
|
|
||
| # Teacher Roles | ||
|
|
||
| There are two fundamental TEACHER roles: OWNER and CUSTOM, with further configurations are possible through the CUSTOM role type, which are managed by ADMIN users. There is also a PERSONAL TUTOR role, which is an independent way to allocate permissions. | ||
|
|
||
| ## OWNER | ||
|
|
||
| A fixed role. ADMIN can modify the role’s name, but cannot delete the role or change its permissions. | ||
|
|
||
| OWNER is assigned automatically to the user who creates a new module instance, but it may also be reassigned to other users with TEACHER (or ADMIN) base roles. | ||
|
|
||
| ## CUSTOM | ||
|
|
||
| ADMINS can configure an unlimited number of custom roles, which can then be assigned to teachers by ADMIN, and by TEACHERs with relevant enrollment permissions on a given module. | ||
|
|
||
| # Personal tutor | ||
|
|
||
| Personal tutor is listed in the ADMIN panel with other teacher roles, but it is an independent access mechanism derived from student–tutor relationships (tutor access is not a teacher role). | ||
|
|
||
| Permissions for personal tutor always includes `View student data`. Other permissions are controlled by ADMIN users and can be enabled or disabled. Whatever permissions are applied, apply to all personal tutors - there is only one configuration of personal tutors. | ||
|
|
||
| ### Assigning a personal tutor | ||
|
|
||
| Personal tutors are implicitly assigned by linking a teacher to a Global (student) Tag. For example a Global Tag named '2028' could be applied to a cohort of students, and be linked to a teacher who is then a 'tutor'. | ||
|
|
||
| Tutor access to a module for a TEACHER (or ADMIN) requires at least one STUDENT in that module to share a Global Tag with the TEACHER (or ADMIN). Access to the module is then restricted by the permissions assigned to the PERSONAL TUTOR role. | ||
|
|
||
| Although the tutor role includes the `View student data` permission, that permission applies _only_ to students within the same tutor group (i.e. those sharing the same Global Tag); an exception is if the same user also has a TEACHER ROLE, on the same module, with `View student data` permission. Access to student data for tutors differs from normal TEACHER access, where permissions apply to all students within the module. | ||
|
|
||
| Note that a TEACHER can be enrolled on a module with a TEACHER role, and additionally by being linked as a TUTOR. Permissions then combine and are _additive_ (a permission from either role is sufficient for permission to be granted). | ||
|
|
||
| ## Moderator access | ||
|
|
||
| Moderator features require a TEACHER role to include the `Moderate student submissions` permission. TEACHER roles with these permissions cannot be assigned by other TEACHERs (including OWNERs), but can only be assigned by an ADMIN. | ||
|
|
||
| Moderators have privileged access to staff-specific comments on MEQ, and this privilege is above that of a module owner. Details available in [../student/MEQ#access-to-meq-data](../../../student/MEQ/#access-to-meq-data). | ||
|
Contributor
There was a problem hiding this comment. One clarification point: we currently also have custom teacher roles with owner-like names (e.g. “Owner-moderator”), which are not the fixed OWNER role type. In this sentence, “module owner” seems to refer specifically to the fixed OWNER role. It may be worth making that explicit to avoid confusion with owner-named custom roles. |
||
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,5 @@ | ||
| Students can be allocated a module tag, which only applies within the relevant module; and/or a global tag, which applies across all modules. | ||
|
Contributor
There was a problem hiding this comment. Small clarification suggestion: “Global tags are used to group students for tutor access.” |
||
|
|
||
| Tags help filter data analytics and manage user access to student data. | ||
|
|
||
| Docs on applying tags will follow. | ||
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Small clarification suggestion: it might be worth noting here that View student data for tutors is scoped to their tutor group only, and is not the same as teacher View student data (which applies to all students).
This is explained later, but mentioning it here could avoid confusion when reading this section in isolation.