Permission granularity over Students/Users

Administration
1

Hi,

When assigning permissions to a Role I wanted to allow the Role to edit student information.
I found no permission to do that under Students on the permissions page. (at least I didn’t realize from the names)
To allow editing I had to grant Manage Users_edit under User Admin.

This is fine, except for the fact that this permission will allow the Role to modify the information of any user including Staff and Administrators. (and this is potentially dangerous)

Is there another permission that allows for only modifying Students?

Thank you!!
Regards
Ricardo

2

Well, I found an alternative, but I would like to have your confirmation on the way it works, because it is not like I would have imagined it.

If I assign all the Update XXX Data_any permissions, on Personal, Family, Medical, etc information, I will get links in the Data Updater menu to modify information on the topics I have granted permissions on.
In fact, what you get is the ability to make a modification, and request approval from the Administrator to validate the change.
The Administrator will receive notification of your request, and will have to take action (approve or not)

This method splits the original information (the one in the Application Form) into different sections, Family, Medical, etc., and allows you to modify each part individually.
This is a bit counterintuitive (until you understand it, of course :wink: ), but on the bright side, it allows better granularity.

So far so good.
Now, what I find a bit confusing is the following:

For Finance and Medical, the filter is automatically set to students, so in the listbox you will see only students. Seems reasonable.
For Family information, on the other hand, instead of showing students, the list shows parents only. I would have expected to see the students, as this is Family information for the Student. This filter forces you to know the name of the parents. I guess that this filtering was based on a particular workflow at the time it was built, but in general I would say that you look for the Family of a student, and don't know the name of the parents
.
Finally, for Personal information, there is no filter, so again you can modify the information of all the users in the system. So no granularity at all here.

Is it possible to change these filtering criteria?
Otherwise, this option is not much different from setting the Manage Users_edit permission, as it will allow unrestricted access to all users’ information.

Thank you!
Ricardo

3

Hi Ricardo,

The alternative to use the Data Updater can work well for any users who you don’t trust with full access to the Manage Users page. Even when a user can submit data updates for any user in the system, it’s not identical to the Manage Users_edit permission, as it still requires approval first, and cannot be used to change passwords or roles.

The Data Updater can be quite handy for getting users to update their own data as well, be sure to check the User Admin > Data Updater settings, which can enable a redirect and cutoff date so users are prompted to update their data.

4

Hi Sandra,
I hope you are fine!

You didn’t answer (at least directly) my question about the fixed filtering criteria in the Data Updater.
However, if I understand correctly you are telling me that the fact that the changes have to be approved before being applied will do the trick, at least for Personal information, which is the unrestricted one, because an Administrator can reject changes on a per-change basis. Is this correct?

The Family filtering criterium remains unexplained to me, as you will have to know the name of the parents to modify the student’s Family information. This is not reasonable to me because Teachers and Staff are more likely to know the names of the students than the names of the parents; unless of course … there is a rationale I don’t know/understand behind it.
If so, could you please explain that?

Thank you!!
Regards
Ricardo

5

A quick note …
When you use the Data Updater option, the form/fields that show up to update Personal Data is the legacy form.
I guess this will be also changed in the next version of the application. Am I right?