Just in their place...

Just in their place...

by Antonio Solis -
Number of replies: 17

Hello.

I have installed the last version of moodle for using in a series of little independent schools. The idea is, every school will have its own administrator, able to add courses and teachers and students and have power over them, but ONLY in their "space". That is, a general administrator will create "spaces" (in this case, categories). One category per school, and inside those categories will be the different courses. And on each category, a different administrator, only able to affect "that" category.

I don't know how to do that. Could you please, tell me how to create a rol for "individual category administrator" or something like that? Or any other way around to achieve the same purpose?

thank you all!

Average of ratings: -
In reply to Antonio Solis

Re: Just in their place...

by John Isner -
Let's say you have N users $$u_1, u_2, ... , u_N$$ and N categories $$c_1, c_2, ..., c_N$$. To make user $$u_i$$ the administrator in category $$c_i$$, assign the Course creator role to $$u_i$$ in the context of category $$c_i$$. Now user $$u_i$$ will be allowed to create courses, but only in category $$c_i$$.
Average of ratings: -
In reply to John Isner

Re: Just in their place...

by Amy Groshek -
Right, John, but will the user who is an administrator in only one category be able to create user accounts? I think that resides in a different area than course administration. That would be the thing to check for, Antonio. You may have to plan something for account creation if every school will not have its own pure admin account. Otherwise you're stuck with creating all the user accounts, and doing any support related to user accounts.

You could have schools send you csv with users, and admin could upload.

It's also not all that tough to run several small moodle installs on one server. You could give each school a little install, and give them admin access, and if they screw it up, you just blow it away and restore from a backup. That's another simpler solution--without having to mess around a lot with roles.

A
Average of ratings: -
In reply to Amy Groshek

Re: Just in their place...

by John Isner -
Hi Amy,
I read Antonio's post pretty carefully before I posted. I didn't see that he wanted school admins to have the ability to create and manage user accounts, but only the ability to assign roles (teacher, student) to existing users, which a Course creator can do. I assumed that account management was being done at the site level by the general administrator.

It is possible to give the school admin's the ability to create users, but it requires giving them permission to Create users, View user profiles and Update user profiles (they need the last two permissions in order to view and edit the profiles of users they manage). This will give them access to all user profiles throughout the site, including the general admin's. I wouldn't feel comfortable with that.
Average of ratings: -
In reply to John Isner

Re: Just in their place...

by Antonio Solis -

As a matter of fact, the hability to create and manage users accounts from each individual administrator is still not decided by the comitee. Anyway, i don't have an opinion there. I am just the "do it" guy. Right now i have followed your instructions (Thank you very much!) and i successfully created school admins, only capable of creating courses into their category.

Problem is, i followed your other instructions as well, giving the local admins permission to create, view and update users profiles, but that option doesn't appear on their panels. Not in the "general" level, not in the "course" level. Even when, theorically, they could, i can't see how.

What could i do in case the local admins are decided to be able to create user accounts? By the way, multiple installations is not an option. Was eliminated as an option since the beggining of the debate up there.

Thanks for your time.

Average of ratings: -
In reply to Antonio Solis

Re: Just in their place...

by John Isner -
Sorry, I should have given more explicit instructions. Do it like this:

Create a new role called CanCreateUsers and give it permission to Create users, View user profiles, and Update user profiles. Globally assign this role to each $$c_i$$ (Site administration -> Users -> Permissions -> Assign global roles).

Let me know if you still have problems.
Average of ratings: -
In reply to John Isner

Re: Just in their place...

by John Isner -
What's wrong with me today? The second sentence in the second paragraph should read

Globally assign this role to each $$u_i$$ (Site administration -> Users -> Permissions -> Assign global roles).
Average of ratings: -
In reply to Antonio Solis

Re: Just in their place...

by Steve Hyndman -

By the way, multiple installations is not an option. Was eliminated as an option since the beggining of the debate up there.

Well, they eliminated your best, simplest, most manageable option. Trying to address this through roles will likely be a nightmare.

Steve

Average of ratings: -
In reply to Steve Hyndman

Re: Just in their place...

by John Isner -
Hi Steve,
For once, I'm going to disagree with you. Roles are complicated and have a way to go before they're fully worked out, but what Antonio wants to do with them is pretty straightforward. If he were trying something more complicated, I'd also have second thoughts.
Average of ratings: -
In reply to John Isner

Re: Just in their place...

by Steve Hyndman -

John...no problem, the freedom to disagree is a good thing smile

The Donkey talked about Onions and Layers in one of the Shrek movies...I see roles like the onion. You have to be very careful that you don't solve one problem with a new role and create two new problems smile.  Seems that may already be happening here.

Steve

Average of ratings: -
In reply to Antonio Solis

Re: Just in their place...

by Amy Groshek -
John, my sincere apologies. Didn't mean to offend. I was only thinking out loud about what that would mean for user admin and support... which is often the most time-consuming thing once a system is up and running.

Ability to update user profiles should be accessible for these users within Course > Participants. This user type should be able to access/edit user profile from there by clicking on a user, then selecting Edit Profile tab. Since everything your custom "category admin" does takes place within a course-restricted context, the admin block is not going to show all options.

Average of ratings: -
In reply to Amy Groshek

Re: Just in their place...

by John Isner -
Amy,
I wasn't the slightest bit offended and I'm really sorry if my reply sounded that way.

Are you saying that a Course creator within a specific category can edit user profiles without any other permissions? I don't think so. The user would also need permission to Create users, Update user profiles, and View user profiles in the site context. Then they will get a Site administration block with just a Users menu like this:

Attachment site_administration_block.png
Average of ratings: -
In reply to John Isner

Re: Just in their place...

by Antonio Solis -

Ok, thank you all! this is getting so much helpful.

I have created and assign the global role for JUST user account manadgement to the local admis. Now they actually can create, update, view and delete accounts.

Two questions:

1) I don't know how, but the site administration block the local admin gets has TWO menus. "Users" and  "Main page". I can't find where in the two roles for the local admin i gave him permission to modify the main page. Where is that? Or is it kind of a "default" thingy?

2) The only problem i have with the local admins being capable of manage all accounts is with the GLOBAL ADMIN account. They can erase that account too. I think it could be acceptable (Not quite good, but acceptable) that the local admins can see and play with all accounts no matter where they come from, but i think is a must they cannot see the global admin, so he could continue being the "high-high" account. Is there some way to do that?

Thank you!

Average of ratings: -
In reply to Antonio Solis

Re: Just in their place...

by John Isner -
the user menu the local admin gets has TWO general options. "Users" and "Main page"

You must be getting extra permissions (e.g., Change site configuration) somehow. Try this experiment:
  • create a test user
  • create a role with ONLY the permission to Create users, View user profiles, and Update user profiles
  • assign the role to your test user
When you log in as the user, you should see ONLY the menu items in my screenshot.

the local admins can see and play with all accounts no matter where they come from, but i think is a must they cannot see the global admin, so he could continue being the "high-high" account. Is there some way to do that?

I don't know how. But maybe someone else does. Notice on the demo moodle site that Martin's profile is not editable, even by the admin. I wonder how this was done.

Attachment browse_list_of_accounts.png
Average of ratings: -
In reply to John Isner

Re: Just in their place...

by Antonio Solis -

Ok. All set but this little detail... if i could just make the global admin account invisible for the local admin accounts, this thing would work just about perfect for my case.

Hope someone over here could help me out with this little detail.

Thank you all for your excellent and kind help!

Average of ratings: -
In reply to Antonio Solis

Re: Just in their place...

by Amy Groshek -
Antonio, also check Front Page > Front Page roles. Make sure these users don't have admin for the front page as well. Give them a different role for that page (moodle treats it conceptually like another course).

Not sure how to lock down a global root admin account...

A
Average of ratings: -
In reply to Amy Groshek

Re: Just in their place...

by Ulrike Montgomery -
Hi everybody,

I've just come across this post since I'm in the same situation as Antonio.

I'm about to set up one single Moodle installation (1.9) for several smaller schools. Each school will be a category with its own admin. Each admin should be able to upload users without having access to users of the other schools (Germany's data protection laws are very strict).

I wonder if there is a way to do this. Does anybody have any ideas?

---Ulrike


Average of ratings: -