Roles and permissions

Hi Martin,
Thank you for starting this discussion! I hope we get lots of input, especially from people who have a stake in teacher training and consulting because this is going affect them most.

I'll start off the discussion by saying that I take issue with the way the question is phrased. You say

"Should teachers have the ability to safely override roles ...

I think the definition "safe" implicit in your question is too narrow. Yes, safeoverride eliminates cross-site scripting risk, spamming risk, etc. by removing the ability to override certain permissions. This leaves the presumably "safe" permissions that teachers can change, the ones that you refer to as "capabilities that are without risks." But how are they "without risks" when their misuse can lead to chaos in the classroom? We are neglecting perhaps the most important risk of all: "Ruining the learning experience risk."

The only way to avoid RLE risk (apologies to Richard Enison ) is to not allow safeoverriding by default. The administrator can grant safeoverride ability selectively to teachers who have been trained and tested. It's done using a simple delegation pattern.

When you can override, you can see the inner workings of roles, and you need a sophisticated understanding role internals. IMO you need to understand roles at the same level as the administrator. I can't think of a counterexample, i.e., something that the administrator needs to know that you don't.

Saying this will "give [teachers] a chance to learn about overrides and permissions" is like saying we should give car keys to our children so they can learn about driving. Administrators have had plenty of time (almost a year!) to learn about roles and capabilities, and I'm still waiting to meet the admin who really knows what he or she is doing.

OK, administrators, Quiz time: What do the highlighted cells on the override permissions page mean? What is "Inherit"? Now if administrators can't answer these questions, what makes us think teachers will be able to? On day one, with no training whatever?

I should also point out that we have many administrators who are using Moodle in compatibility mode (predefined roles only, everything as it comes "out of the box"). Now their teachers are going to be able to override roles?

Since RLE risk doesn't seem to be that much of a concern, let's consider risks that we can all agree are serious ones. I guess the ones that are considered "safe" are the ones without risk icons. OK, here's one: moodle/site:accessallgroups ("Access all groups"). Scenario: Teacher overrides Student in activity context, setting moodle/site:accessallgroups = Allow. A student discovers that Sally is a "classified" student and tells all his friends. Sally's parents sue the school. It is clearly not the students' fault. It is also not the teacher's fault; her lawyer successfully argues that she did not receive any safety training. The administrator argues that he never checked the default, since Moodle defaults always err on the side of safety. The school pays a fortune in damages and the administrator is looking for a new job.

The administrator would vote for a default of Not set!

In general, we use only legacy roles on our instance. We do understand that the roles system allows for many desirable things, but have not really had the time or need to implement them. None of us are full time moodle administrators, and we are thankful that the roles system was implemented where you could invoke as many or as few as you needed and still provide the services your users required.

I think we would much prefer the default to be off. As admins, you could easily grant the setting on a selective basis. It seems to me that you might base this decision on expected need rather than whether it is possible or not. For example:

My instructors seem to fall into 3 broad categories (as might be expected)--those who will never even look at the setting because they have no need, those who will look and call before they do anything, and a very few who will click a lot of radio buttons and find out they have a problem later! I am not denigrating any of these groups, but I think the largest number fall in the first group and then a very small number into the third group. Either way, the majority of our users would probably be better served by this particular setting not being granted as default.

After all, in time, won't we all acquire a great deal of knowledge about roles and how to use them? This conversation might not even be important in 3 more versions of moodle. It seems to me that it takes a very long time for such knowledge to become transparent for the majority of users (and I count myself in this group). We try, we fail, we discuss, we advise, and it eventually becomes something we take for granted. I am not there yet, and I think a lot of other people are somewhere along the road, but not at the end point!

In summary, I am in favor of having this capability, and I agree with Robert's comment that it be called "overriding safe permissions", but I would prefer to delay making the setting a default.

Just my 2 cents.
atw

Martin,

this *is* a useful new feature and all you say is true BUT from my experiences supporting (thousands) of real users I think it misses one or two points....

* Teachers have no concept whatsoever of roles for the most part. Even if you provide these facilities they will not use them because they don't know they are there
* Running on from that, the features that where "lost" in 1.7 (for example, the finely grained control over forum use) really where lost for ever. Newer users have no idea that these facilities exist and older ones inevitably decide not to bother when you explain what's involved ("that's nice, can you do that for me?").

As to this default setting, I'm certainly not passionate but I think my vote would be for "off". It's stuff teachers are going to fiddle with that they won't understand and will get into a mess. As an aside, I'd really like to see "restore defaults" buttons every where roles settings lurk. I think this capability would be added to my little list of things to allows turn off before realeasing a new site to make support tollerable.

I guess you could say that this could/should be addressed by user training, but my experience has been that training only ever gets a tiny percentage of the user base however hard you try. For the rest everything needs to be reasonable simple and unthreatening. The simple fact that we are dicussing this means the feature should be off I guess is what I am saying.

Just my $00.02.

Thanks to everyone contributing to this discussion, I think we're really thinking about some really good core issues.

I'll make sure the default setting is removed from 1.9.2+ (it won't have been in any weekly build, so no harm done).

For Moodle 2.0 I strongly believe we need to revisit this issue later together with all the other roles-related improvements that are planned and desired. I think we also need to work on educating/informing admins about roles settings to help them set their sites appropriately, perhaps as part of the upgrade/install process.

It would be sad if the combined intelligence of this group can't come up with better interfaces for admins and teachers that can allow us to SAFELY (in all senses of the word) put this sort of power in the hands of teachers!

Martin, glad that you mentioned about "perhaps take a poll." That's why I suggested (in SF MoodleMoot) maybe moodle.org could implement a poll block on the front page of moodle.org (once you log in) so that people could vote on these important issues (instead of digging into the forum to find related threads). Just my $0.02.

Further discussion about this probably should be moved to "Moodle.org design"

I’m constantly and consistently amazed that role overrides for teachers is such an issue.

If we start with the premise that the people i.e. teachers, trainers, instructors, course designers, facilitators that we allow to create courses or engage with our learners are competent to do so then surely we should have sufficient confidence in them to allow them to modify the permissions for their online spaces and activities.

I imagine it’s fair to assume that the majority of teachers (I use this term as shorthand for all of the roles above) who encounter Moodle come with prior experience in face to face or ODL where the expectation is to be able to set parameters carefully with the outcomes of the activity/course/programme in mind and to be able to adapt (often within agreed boundaries) in order to best meet the needs of a particular cohort.

If we accept that teachers (again used as shorthand) are competent in other mediums for learning then why (oh, why) should they be hamstrung in an online medium – Moodle in this instance? Why restrict their ability to adapt and react here?

Addressing some of the points raised so far in this discussion:
1. @Martin, Petr
I’m not convinced that an arbitrary list of capabilities is appropriate. Who is to decide what is safe? This will vary based on a host of issues by organisation.

From Martin’s list:
1. I generally want to empower teachers with all the features of Moodle.
Yes, yes.
2. There was much criticism previously about the way some settings "disappeared" in Moodle 1.7 when we added roles (In forums, database activities, course settings etc) because they were moved to the overrides page.
Yes, this is an issue. But mainly because site admins (through lack of understanding, fear, or some unspoken objection) do not allow teachers the option to override permissions.
3. That move was made for security to protect teachers from some risks, but the new safeoverride option now only allows teachers to override capabilities that are without risks so that reason is gone.
As above, “safe” is in the eye of the beholder.
5. Administrators can still decide what they want - we are just talking about a default for an existing checkbox.
Refer to my “safe” comments above.
6. Teachers who don't understand it don't have to use it, but having it available does at least give them a chance to learn about overrides and permissions
Even more than that, teachers who don’t understand it will probably run a mile. Absolutely! Why should the defaults restrict the imagination and enthusiasm of teachers?
7. Overrides at module level are not anywhere near as complex as the situations Administrators have to deal with.
Agree. Overrides are very context specific.

@ John I

There is a case for selective release of the ability to override, but I’m still uneasy about a predefined view of what is safe/unsafe.

When you can override, you can see the inner workings of roles, and you need a sophisticated understanding role internals. IMO you need to understand roles at the same level as the administrator.

Owing to the specific nature of the capabilities available in overrides I don’t agree that this is enough in itself to not allow the ability override. For overrides does the understanding of the roles system need to be that sophisticated?

Saying this will "give [teachers] a chance to learn about overrides and permissions" is like saying we should give car keys to our children so they can learn about driving.

Surely they can already drive. To stretch the analogy isn’t this more about them being able to decide whether to be able to turn left or right?

Training: Yes, and perhaps I have a partial view as most of the Moodle users and organisations I meet have decided that training and or consultancy would be a good idea and that’s why I’m talking to them and discussing the issues. It’s absolutely clear that the vast majority of those tens of thousands of sites that use Moodle (and the unknown number of unregistered sites) don’t bother with informed help. That’s open source, that the way of the world and I’d swap the ability to “just do it” for any enforced training programme any day.

The legal scenario hat you have painted is one that has a much wider organisational failing at the heart of it. Should Moodle users in general be constrained because some organisations, bodies etc. don’t think through, plan and resource their online exploration adequately?

And what’s wrong with simply advising the that if they don’t understand what they are doing with overrides to leave them alone until they do?

@Howard

Teachers have no concept whatsoever of roles for the most part. Even if you provide these facilities they will not use them because they don't know they are there.

Yes, sadly I have to concur with this but it’s not a Moodle issue in itself. I think Alicia’s breakdown of potential behaviour is also usual here too.

…the finely grained control over forum use) really where lost for ever.

Isn’t it the case that they actually became more fine grained but were hidden (deliberately or otherwise) by site admins?

Training: Yes, sadly this is probably an accurate analysis. If keeping things simple equates to removing teachers’ ability to fine tune as required then the online experience for learners is destined to be formulaic, sterile and predictable. Better to focus all of our energies to make this degree of flexibility easy to master than off limits (and here I’m referring to the ability to override in general, having still not bought into “safe” overrides as a concept).

@John W

I've changed a role and things don't work the way they should

Teachers can’t change roles, they an only override permissions in a very specific way. I can’t see the distinction between this and a face-to-face situation of a where a teacher would be culpable if they embarked upon a course of action where they have not considered the consequences or lack the experience or training.

In summary:

One size fits all safe overrides for teachers – I don’t get it.
Default on or of?: It probably won’t make much difference either way.
Should teachers ability to function on a Moodle site always be approached from a lowest common denominator standpoint – No.