In our set-up we don't allow teachers to assign Student roles, but we do let them manually enrol and assign Teacher roles to people. This way we control students centrally.
So our Teacher role is defined as something like:
- Allow role assignments: Teacher
- enrol/manual:enrol - Allow
- enrol/manual:unenrol - Prevent
So the teacher can enrol another teacher, but not a student.
What we'd like to do, is to allow the teacher to unenrol the Teachers they have enrolled, but not the students. However, if I set enrol/manual:unenrol to Allow, they can unenrol anyone, regardless of their ability of assign/unassign roles. In effect, the Teacher role can unassign the Student role (by dint of the unenrol capability).
I was wondering if this was logical or whether extra checks should inhibit unenrolling people with roles Teachers have no capability to assign.
Or perhaps I'm lost in my own vortex of role assignments.