The best way I can think of doing this is to apply 'moodle/user:editprofile' at system context. The problem with this is that it would then allow that member of staff to change the administrators profile (and password, and then mascarade as them).
I know there is user context, but is there a resonable way of assigning a role to a group of users? Or alternative solutions? (Assuming 1.8... I know there are some semi-related bugs with user context open around this issue).
I think users with capabilities assigned on user contexts can not use the advancededit.php which allows changing of password etc. Instead they have to use the simplified edit.php. (in 1.8) This is to keep parents related users from accessing some part of that form. The only other way (currently) is to assign moodle/user:update at system context, but this would allow the users to edit everyone's profile/password less the primary admin's. There is no other way of doing this, as far as I know.
I would like to restrict student users from amending particular details in their user profiles - is it possible to have selective user profile amendments?
Is how we locked email, surname, unlocked first name, unlocked if empty user idnumber.
Since we are not a public school, changes to first names of students only perturbs teachers and supervisors
You can remove student capability to edit profiles altogether http://docs.moodle.org/en/Capabilities/moodle/user:editownprofile
Is there a way to limit the authorization based on their organization hierarchy? i.e. if they belong to organization ABC, they can only edit the user profile of people within the hierarchy?
We are using Moodle 2.6 and Totara.