Separate Permission for Grade Entry vs. Markbook Structure Editing

@Ali @sandra

Summary:
Currently, users with edit permissions (e.g. Edit Markbook_singleClass) can:

  • Add, edit, or delete Markbook columns

  • Enter and modify student grades

I would like to request a separation of these capabilities into distinct permissions.


Description:
Introduce a new permission that allows users to:

  • Enter and edit grade data only

  • Export Markbook data (e.g. to Excel)

While restricting them from:

  • Adding new Markbook columns

  • Editing existing column structure/settings

  • Deleting columns


Use Case:
This would be especially useful in schools where:

  • Teachers or assistants are responsible for data entry only

  • Academic coordinators or administrators manage assessment structure

  • There is a need to prevent accidental structural changes


Problem Statement:
Currently, granting edit access to allow grade entry also enables users to modify or delete Markbook columns.

This can lead to:

  • Accidental deletion or modification of assessment columns

  • Loss of data or structure that is difficult to restore

  • Additional administrative overhead to correct unintended changes


Benefits:

  • Improves data integrity and system reliability

  • Reduces risk of accidental structural changes

  • Supports role-based workflows (e.g. teacher vs. coordinator)

  • Aligns with best practices in permission granularity


Suggested Implementation (Optional):

  • Split current permission into two:

    • Edit Markbook Structure (columns, settings)

    • Enter Markbook Data (grades only)

  • Ensure users with “data entry only” permission can still:

    • View all columns

    • Input/edit grades

    • Export data


Closing:
This enhancement would provide safer and more flexible permission control, especially for schools with distributed grading responsibilities.

Thanks

Thanks Tieku for your clear and structured feature request. I can appreciate where this level of control for markbook data could be necessary for schools. The prevention of data loss is also why the Reports module is designed with higher levels of permissions and time-controlled access, as it is aimed to be used as a repository for final assessment grades, and the markbook is more of a living document and set of records for teachers to manage their grades. However, I can see where given a school of a certain size or complexity, the additional markbook permissions would be helpful as well.

There is a newly refactored markbook coming shortly to v31, which finally tackles and improves the massive markbook_view_allClassesAllData.php script. Once this is added, this could be a good opportunity to look at new permissions as well. If you’d like, you’d be welcome to try your hand at a PR for these changes.

Hi Sandra,

I’ve implemented the permission split. Here’s what was done:

Database changes:

  1. Four new actions added to gibbonAction for the Markbook module:

    • Enter Markbook Data_singleClass

    • Enter Markbook Data_multipleClassesInDepartment

    • Enter Markbook Data_multipleClassesAcrossSchool

    • Enter Markbook Data_everything

  2. These actions include markbook_edit_data.php, markbook_edit_dataProcess.php, markbook_viewExport.php, markbook_viewExportContents.php and markbook_edit.php in their URLList — but intentionally exclude markbook_edit_add.php, markbook_edit_edit.php, markbook_edit_delete.php, markbook_edit_copy.php and markbook_edit_addMulti.php.

  3. Precedence values are set lower than the Edit Markbook_* actions so that if a role has both, Edit Markbook_* wins.

PHP changes:

  • markbook_view_allClassesAllData.php — splits $canEditThisClass and $canEnterData so the Enter Data and Export icons show for data-entry users, but Edit and Delete icons do not.

  • markbook_edit_data.php — accepts Enter Markbook Data_* in the class access query, and hides the Edit Column header button for data-entry-only users.

Result:

  • A role with Enter Markbook Data_singleClass + View Markbook_myClasses can enter grades and export, but cannot add, edit or delete columns.

  • A role with Edit Markbook_singleClass + View Markbook_myClasses retains full existing behaviour.

Let me know if this looks right to you before I put together a PR.

Regards
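
The URLList and precedence rules described in the post above can be modelled as an access matrix. This is an added example, not part of the thread and not Gibbon's own code: `resolveAction()`, the precedence numbers and the Edit Markbook URL list are assumptions, while the Enter Markbook Data list and the excluded scripts are taken from the post.

```php
<?php
// Simplified model of URLList + precedence resolution (illustration only).
// Script names come from the post; precedence values are constructed.
const DATA_ENTRY_URLS = 'markbook_edit_data.php, markbook_edit_dataProcess.php, '
    . 'markbook_viewExport.php, markbook_viewExportContents.php, markbook_edit.php';
const STRUCTURE_URLS = 'markbook_edit_add.php, markbook_edit_edit.php, '
    . 'markbook_edit_delete.php, markbook_edit_copy.php, markbook_edit_addMulti.php';

$actions = [
    'Enter Markbook Data_singleClass' => ['precedence' => 0, 'URLList' => DATA_ENTRY_URLS],
    // Assumption: the existing edit action covers both sets of scripts.
    'Edit Markbook_singleClass' => [
        'precedence' => 1,
        'URLList'    => DATA_ENTRY_URLS . ', ' . STRUCTURE_URLS,
    ],
];

/** Highest-precedence granted action whose URLList contains $script, or null. */
function resolveAction(array $actions, array $granted, string $script): ?string
{
    $best = null;
    foreach ($granted as $name) {
        $urls = array_map('trim', explode(',', $actions[$name]['URLList']));
        if (!in_array($script, $urls, true)) {
            continue; // this action does not grant the requested script
        }
        if ($best === null || $actions[$name]['precedence'] > $actions[$best]['precedence']) {
            $best = $name;
        }
    }
    return $best;
}

$roles = [
    'data entry only' => ['Enter Markbook Data_singleClass'],
    'both actions'    => ['Enter Markbook Data_singleClass', 'Edit Markbook_singleClass'],
];

// Print the matrix: structure scripts must resolve to DENIED for data entry only,
// and every script must resolve to Edit Markbook_singleClass when a role has both.
$allScripts = array_map('trim', explode(',', DATA_ENTRY_URLS . ', ' . STRUCTURE_URLS));
foreach ($roles as $label => $granted) {
    foreach ($allScripts as $script) {
        $action = resolveAction($actions, $granted, $script);
        printf("%-16s %-34s %s\n", $label, $script, $action ?? 'DENIED');
    }
}
```

The DENIED rows are the part that enforces the split: hiding the Edit and Delete icons changes only what the page shows, so each excluded script has to refuse the request on its own.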