I need to know if I'm on the right track or if there's a better way to do this.
This is our scenario: The staff on our university IT Service Desk (SD) assist teachers with their Moodle problems. The SD staff have individual accounts with the Manager role site-wide. Occasionally an SD staffer will take a Moodle course as a legitimate enrolled student while continuing to work on the Service Desk; this happens several times a year and is on the increase. While we trust our SD staffers implicitly, in the interests of good and appropriate security we need to disable an SD staffer's Manager privileges, but only in the particular course they're taking.
When I started working on this last week (and after a little testing), I thought the way to do this would be to define a new role (called "NotManager"), set Prohibit on all the capabilities that weren't available to the Student role, and apply that role to the individual staffer in the Course context. It's been a long and ugly slog, comparing Student and Manager capabilities and making the corresponding Prohibit settings in the NotManager role.
Am I on the right track? I want to make the actual process of restricting the SD staffer's privs in a particular course fairly straightforward and simple.
Is using Prohibit this way appropriate? It seemed more cut-and-dried than Prevent, which felt like it could be overridden by multiple-roles-in-the-same-context calculations.
Is there any easier way to transfer the intent of the privs from the Student role to the NotManager role? I tried exporting the settings from Student and importing to NotManager, but didn't get the results I was hoping for. (The difference between Not Set and Allow, I think.)
I'm also concerned about sustainability -- what happens to the NotManager role when/if new capabilities in either the Student or Manager roles arrive?
Comments and suggestions are warmly welcomed.
Kwantlen Polytechnic University
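An added example, not from the post above and not Moodle's own code: a small Python model of how Moodle combines permissions from several roles active in one context, used to generate the "NotManager" definition from a Student and a Manager definition and to check what the staffer ends up holding. The rule modelled is an assumption about Moodle's resolution order (a Prohibit in any role denies; otherwise an Allow in any role grants; otherwise the capability is denied), overrides at intermediate contexts are ignored, and the two role definitions are constructed toy subsets that use real capability names but are not a real site's export. Reading Moodle's role export XML is deliberately left out; on a real site the two dicts would be built from that export.

```python
# Added example (not from the post or from Moodle): model of multi-role
# capability resolution in one context, plus a generator and a leak check for
# a "NotManager" role.  ALLOW/PREVENT/PROHIBIT mirror Moodle's permission
# settings; "Not set" is simply an absent key.
# Assumptions: resolution rule is "Prohibit in any role denies; otherwise
# Allow in any role grants; otherwise deny"; context overrides are ignored.

ALLOW, PREVENT, PROHIBIT = "allow", "prevent", "prohibit"

# Constructed sample role definitions: real Moodle capability names, but tiny
# toy subsets, not a real site's Student/Manager export.
STUDENT = {
    "mod/forum:viewdiscussion": ALLOW,
    "mod/forum:startdiscussion": ALLOW,
    "mod/assign:submit": ALLOW,
    "moodle/grade:view": ALLOW,
}

MANAGER = {
    "mod/forum:viewdiscussion": ALLOW,
    "mod/forum:startdiscussion": ALLOW,
    "mod/forum:deleteanypost": ALLOW,
    "moodle/course:update": ALLOW,
    "moodle/grade:viewall": ALLOW,
    "moodle/grade:edit": ALLOW,
    "mod/assign:grade": ALLOW,
    "mod/assign:submit": PREVENT,  # harmless: Student's Allow wins over a Prevent
}


def has_capability(cap, roles):
    """Resolve one capability across all roles active in a context."""
    perms = [role.get(cap) for role in roles]
    if PROHIBIT in perms:        # Prohibit is final, whatever the other roles say
        return False
    return ALLOW in perms        # Prevent only wins against Not set, never against Allow


def effective_capabilities(roles):
    """Every capability the user ends up holding with these roles combined."""
    caps = set().union(*(role.keys() for role in roles))
    return {cap for cap in caps if has_capability(cap, roles)}


def build_blocker_role(student, manager, permission=PROHIBIT):
    """Generate the NotManager definition: every capability Manager allows that
    Student does not allow gets `permission` (Prohibit by default).  Re-running
    this after an upgrade picks up capabilities newly added to Manager."""
    return {
        cap: permission
        for cap, perm in manager.items()
        if perm == ALLOW and student.get(cap) != ALLOW
    }


def leaked_capabilities(student, manager, permission=PROHIBIT):
    """What the staffer still holds beyond a plain student once Manager (site),
    Student (course) and the generated blocker role (course) are all active."""
    blocker = build_blocker_role(student, manager, permission)
    combined = effective_capabilities([manager, student, blocker])
    return combined - effective_capabilities([student])


if __name__ == "__main__":
    print("NotManager (Prohibit):", sorted(build_blocker_role(STUDENT, MANAGER)))
    print("leaks with Prohibit:", sorted(leaked_capabilities(STUDENT, MANAGER)))
    print("leaks with Prevent: ", sorted(leaked_capabilities(STUDENT, MANAGER, PREVENT)))
```

Run as-is, the Prohibit variant leaks nothing (the staffer's effective set equals a plain student's), while the same role built with Prevent leaks every Manager-only capability, because Manager's Allow from the site-level assignment still wins. Adding a new Allow to the Manager dict and regenerating shows how the role would be kept current after upgrades.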