I have created a role with the ability to manage calendar events, and have assigned a user to this role at the system level (Site Administration | Users | Permissions | Assign system roles). However this user cannot add site events, only course or user events.
Trying to understand what is wrong, I looked in the database and found something in the table mdl_role_capabilities which I don't understand. There is a row where the roleid is the id of my Calendar Editor role, capability is calendar:manageentries, permission is 1, and contextid is 1 (the system context). So far so good. However, there is another row with the same roleid and capability, but contextid is 2 and permission is -1000. Contextid 2 is the context with level CONTEXT_COURSE corresponding to the first row in mdl_course, the "site course" I guess you call it.
There are a couple of things about this that are confusing. In general, why is there a contextid on the role_capabilities table? I understand why there is a context on role_assignments because a user has to be assigned a role in a specific context. But I don't understand how capabilities themselves are assigned to different contexts.
More specifically to solve my problem, my user is evidently blocked from adding site events because of the row in role_capabilities where contextid is 2 and permission is -1000. What action do I take to change this? How did it get there to begin with? I don't want to just delete rows from the database of course, I want to do it correctly through the user interface, but how is that done?
Thanks to any who can help.