1. Correct, I also allow them webservice/rest:use and have Webservices and REST enabled on the site.
2. Seems to make sense.
3. I know I can override a permission in for example the course context,
but I can't give the existing student role the createtoken capability at the System context level, right?
4. When enrolling a user in a course, their role is selected.
You can later add another role for that user (Course admin - Users enrolled users),
but you can not select multiple roles at enrolment time, right?
To give my questions a bit more context;
I'm creating a question type that integrates with a custom mobile app.
That means that the students in a course that has a quiz which contains that question type, should have access to the REST Webservice that handles the interaction.
For now I'll enable WS and REST protocol at the site level, and moodle/webservice:createtoken and webservice/rest:use at the authenticated user level.
But what I was looking for, and haven't found yet, was a way to only let those students that need it access the WS.
Mind you; I do check if the person using the WS is enrolled in the course etc, so it is more or less covered. But I was wondering it I could even stop then from accessing the WS.
BTW This is a rework of the POC that copied the entire quiz engine