IBM R1 Chapter 3 Controlling access to features through permissions

Chapter 3 Controlling access to features through permissions

You can limit or expand users’ access to the application’s features and functionality by setting the

permissions that define the roles that you assign to those users. These roles can either be ones

that come prepackaged with the application (Anonymous, Student, Administrator, Instructor,

and Manager) or ones that you create yourself. The Course Administrator Help system and the

System Administrator Guide explain how to create, modify, and assign roles to users.

There are two ways to assign a role to a user:

• You can assign a role automatically, by matching string. That is, the role is automatically

assigned to all the Learning Management System users who are identified in the LDAP

directory by the matching string you specify. The assignment automatically applies to

current Learning Management System users and to new users when they are added to the

Learning Management System database.

• You can assign one or more roles to existing the Learning Management System users

interactively.

Both of these methods are described below.

When you assign multiple roles to a user, the user enjoys the union of the privileges for those

roles. For example, by default, a user assigned the Student role doesn’t have permission to run

reports. By default, a user assigned the Instructor role does have permission to run reports.

Assuming that you don’t change the default settings, if a user is assigned both roles, he or she has

permission to run reports.

The Anonymous role is a special case. When users initialize the application, they are assigned the

Anonymous role until such time as they log in or exit. When users log in, the Anonymous role

no longer applies to them. So, for example, if you were to change the permissions for the

Anonymous role to allow anonymous users to run reports (not that you probably would), users

whose sole role is Student who ran the application could run reports until they logged in, after

which they couldn’t because their privileges as Anonymous had been discarded when they

logged in.

Automatically assigned roles are a somewhat different special case. If you automatically associate

a role with the set of users in the LDAP directory that are identified by a matching string, you

can’t override this assignment for a user by running the application, locating the user, and

changing his or her role assignments. For example, if everybody in your LDAP directory

identified by the string *,ou=Cambridge,o=IBM is automatically assigned the role of Student and

you want to remove this role assignment from user John Doe who is identified by that matching

string and assign him the role of Instructor instead, you need to either change the user’s LDAP

record so that the user is no longer identified by the matching string or change the matching

string that identifies the users to whom you want to automatically assign the role.

That being said, the following sections are a reminder for how to add a role to the system, change

the permissions for an existing role, and assign a role to a user.

1. Open the Administrator interface.

2. Click the Users tab.

3. Click Manage Roles.

4. Click Add Role.

Chapter 3: Controlling access to features 7