Central principles of the rights system in ILIAS

Introduction

The ILIAS permissions system regulates access to the platform and the respective use of the content and functions offered.

As ILIAS has a role-based permissions system, permissions are not linked directly to persons but to roles. The sum of the roles that a user holds determines that person's rights in the system. The following example illustrates this:

David Lezent is a research assistant at a university. As a university lecturer, he is assigned to the role "Lecturer" in ILIAS. This global role, which applies to the entire ILIAS system, gives him the right to use ILIAS, to read all released content in the repository, and to use the search and the internal messaging system. David is not only a lecturer but also a member of the Institute of Geology. He therefore also has the role "Content creation geology". With this local role, which only applies to the geology sub-area, he can create and manage courses, create learning content and conduct surveys. However, he does not have these permissions outside of geology.

Objects and rights templates

Central functions in ILIAS and all objects in the repository have rights settings, the so-called "object rights". If a person accesses an object in ILIAS, the rights system checks which settings currently exist in the object rights. These vary in scope depending on the object type. For almost all object types, there are settings that determine whether the object is visible for a role and whether it can be used, edited or deleted, or whether its rights settings can be edited. In rights management, these are always the top settings.

Some objects also have object-specific rights. For example, the object type "Forum" offers the rights "Create forum topic" and "Create forum post". This means that the type of use of the forum can be precisely controlled for each role. In contrast, the course object, for example, has numerous settings that determine which role in the course may create which new objects - i.e. learning modules, forums or files.

Object rights are defined automatically when an object is created in ILIAS. The object rights are derived from the rights templates of all roles that exist at this point in the repository. In addition to general authorizations, such as use of the search or the mail function, the rights templates primarily contain information for the creation of object rights. If the "User" role can read learning modules in the repository according to the current role template, this also automatically applies to a newly created learning module in the repository.

Global and local roles

As a rule, general user authorizations in ILIAS are defined via global roles. The term "global" indicates that these settings apply to the entire system. Authorizations for some central functions, such as the search or the mail system, can only be defined via global roles anyway.

Local roles, on the other hand, are limited to a defined area within the repository and the objects it contains. There is therefore only a local effect of the permissions settings.
 
Note: More on the properties of global and local roles in the chapter Role types.

Inheritance of rights

The general principle of rights inheritance applies to both global and local roles. The rights of a role are automatically transferred to all sub-areas within the ILIAS tree structure. This inheritance only takes place when the objects are created. The rights valid at this time are therefore adopted. If a role template is changed later, this initially has no effect on the design of these object rights. On the other hand, it is of course possible to subsequently adapt the automatically generated object rights to specific requirements and framework conditions. This is done via the respective rights management ("Rights" tab) of the object.

The derivation of rights to subordinate objects continues until the inheritance is interrupted. This can be done manually by a person who defines a new rights setting at a specific point. Or it happens automatically when courses and groups are created, as new rights settings apply within these objects by default. In both cases, the derivation of rights settings from a higher-level object is stopped and a new local access control is defined. The principle of inheritance also applies to this regulation.
 
Note: More on this in the Local roles chapter.

In possession of an object

If a user creates an object in ILIAS, this person is automatically the owner of the object in ILIAS. The user name of this person is displayed in the "In possession of" tab of the "Rights" tab. The entry can also be changed there.

As the person in possession of the object, you automatically have rights to this object, even if these are not assigned by a role. These are the rights to see this object, to read / call it up, to change settings (write permission) and to delete the object. Only the right to change the rights settings is not assigned with ownership of the object.

Important: Only one person at a time can be in possession of an object!
 

If you yourself are the person in possession of the object, the appointment of another ILIAS user as the person in possession of the object may result in you losing all or some of your rights to the object in question! Whether this actually happens depends on which roles you have and which rights these roles have in the corresponding place in the repository.

There are two rights to an object that are not assigned by the status as a person in possession of the object:

  • Change rights settings
  • Edit learning progress
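
The creation-time inheritance and ownership rules above, as an added Python model that is not ILIAS code. The operation names (`visible`, `read`, `write`, `delete`, `edit_permission`, `add_post`), the objects and the users are assumptions made for the illustration, and `change_existing` stands in for the "Change existing objects" option.

```python
from dataclasses import dataclass, field

# Rights an owner holds without any role; "edit_permission" is not among them.
OWNER_RIGHTS = frozenset({"visible", "read", "write", "delete"})

@dataclass
class Node:
    name: str
    obj_type: str
    owner: str
    parent: "Node | None" = field(default=None, repr=False)
    rights: dict = field(default_factory=dict)   # role -> rights fixed at creation
    policy: dict = field(default_factory=dict)   # role -> {obj_type: rights}
    children: list = field(default_factory=list)

def template_for(node, role):
    """Nearest template for `role`, walking up from `node` to the root."""
    while node is not None:
        if role in node.policy:
            return node.policy[role]
        node = node.parent
    return {}

def roles_at(node):
    """All roles that have a template at `node` or above it."""
    found = set()
    while node is not None:
        found |= set(node.policy)
        node = node.parent
    return found

def create(parent, name, obj_type, owner):
    """New object: its rights are a snapshot of the templates valid right now."""
    node = Node(name, obj_type, owner, parent)
    for role in roles_at(parent):
        node.rights[role] = set(template_for(parent, role).get(obj_type, ()))
    parent.children.append(node)
    return node

def change_existing(node, role):
    """Re-derive rights below `node` for `role` ("Change existing objects"),
    stopping wherever a local policy interrupts the inheritance."""
    for child in node.children:
        if role in child.policy:
            continue
        child.rights[role] = set(template_for(child, role).get(child.obj_type, ()))
        change_existing(child, role)

def effective(node, user, roles):
    """Union of the user's role rights on `node`, plus the owner's implicit rights."""
    granted = set()
    for role in roles:
        granted |= node.rights.get(role, set())
    if node.owner == user:
        granted |= OWNER_RIGHTS
    return granted

def demo():
    """Constructed scenario; all object, role and user names are made up."""
    root = Node("Repository", "root", "root")
    root.policy["User"] = {"cat": {"visible", "read"}, "forum": {"visible", "read"},
                           "file": {"visible", "read"}}
    geology = create(root, "Geology", "cat", "admin")
    physics = create(root, "Physics", "cat", "admin")
    old_geo = create(geology, "Old forum", "forum", "admin")
    old_phy = create(physics, "Old forum", "forum", "admin")
    # Template changed later: existing objects keep their snapshot.
    root.policy["User"]["forum"] = {"visible", "read", "add_post"}
    before = "add_post" in old_phy.rights["User"]
    new_phy = create(physics, "New forum", "forum", "admin")
    # Inheritance interrupted at Geology: forums there become visible-only.
    geology.policy["User"] = {"forum": {"visible"}, "file": {"visible", "read"}}
    change_existing(geology, "User")
    change_existing(root, "User")   # reaches Physics, stops at Geology
    # Ownership: David gets write/delete on his own file, then hands it over.
    notes = create(geology, "Notes", "file", "david")
    as_owner = effective(notes, "david", ["User"])
    notes.owner = "erika"
    after_transfer = effective(notes, "david", ["User"])
    return {"before": before, "new_phy": new_phy.rights["User"],
            "old_phy": old_phy.rights["User"], "old_geo": old_geo.rights["User"],
            "as_owner": as_owner, "after_transfer": after_transfer}
```

When reviewing a real installation, the same two questions apply: which template was valid when the object was created, and whether the person relies on ownership rather than a role for write and delete access.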


Role types in ILIAS

Role types

There are two types of roles in ILIAS for assigning rights to users. Rights that should apply throughout the ILIAS system and that are largely the same everywhere are defined via global roles. These roles exist globally throughout the entire system. In contrast, rights that only exist at a specific location in the repository or rights tree are defined and managed via local roles. Accordingly, central rights, such as the use of the search, can only be defined via global roles.

Tip on rights design: The rights management in ILIAS is very flexible, but can also quickly become very extensive! It is therefore advantageous to always proceed as generally as possible when assigning rights, insofar as the scenario to be mapped allows this.

  1. First of all, general rights assignments should be made via global roles (see below).
  2. If exceptions are required at certain points, the inheritance of this global role can be interrupted and a new rights setting can be defined.
  3. Courses and groups that automatically generate their own rights and roles can be used for workgroups and events.
  4. Only when this is no longer sufficient to achieve the desired flexibility of the rights settings should you create local roles manually or even adapt rights settings on an object-specific basis.

Role types: Global roles

Global roles apply to the entire installation and therefore represent the basic rights of an assigned user.

By default, four global roles are created on every ILIAS installation, which have the following roughly outlined authorization scopes:

  1. Guest: Visibility of objects, but no read rights, no possibility to log in to areas with special membership rules such as groups or courses
  2. User: View and read rights in all areas and login rights as members as well as limited action rights, e.g. for forums
  3. Administrator: Full access and editing rights to all content and settings
  4. Anonymous: Read rights only for the public area without logon reservation (see also the section on activating the public area)

Note: The latter two roles are the only roles that cannot be deleted; the rights of the "Administrator" role cannot be edited either!

Rights settings for global roles are subject to rights inheritance. They are therefore first defined for the top level of the repository and then automatically "passed on" to all lower levels. This applies until the rights inheritance is interrupted.

Role types: Local roles

Local roles are used to assign modified or extended rights within a section of the repository or even for a single object. This can be an internal workspace for an institute, for example, to which only institute members have access.

Local roles and rights settings can be created in three possible ways:

  1. Automatically created local roles: ILIAS automatically creates local roles when a user creates a course, group or forum. Local roles are therefore created at the same time as such a new object is created. These are the local roles for course leaders, tutors and members, for forum moderators and for group leaders and members. For these automatically created local rights, ILIAS holds rights templates by default. These rights templates can of course be adapted to the respective requirements of an institution.[1]
  2. Manually created local roles: Local roles can also be created manually. This is always done at the point in the repository from which this role is to take effect. Normally, a local role is created in a category. It then also applies to all subcategories and the objects they contain.
  3. Local access rules: Local access rules can also be defined for both global and local roles. The inheritance of rights is interrupted at one point in the repository so that the originally valid rights of the role no longer apply. Instead, a changed rights setting can be assigned to the role from this point onwards, which then also applies to all contained sub-objects.

When creating new local roles, please note that the users must first be assigned to such a role. This is done in the rights management of the respective role.


[1] This is done in the administration in the Roles area. Display the role templates there and then edit the corresponding template.

Effect of individual rights

The "classic" four rights

Individual permissions of a role are always certain possible operations on the objects of a certain type.

Operations that exist for each object type:
 
These "classic" four permissions are:

  • [...] is visible
  • [...] read or read access to [...]
    • Visible in the ILIAS permissions system means "view from outside" (if this right is not granted, the user will not even know that the object exists).
    • Read access, on the other hand, means "looking into" the object in question (if this right is not granted, the user will be able to see the object but will not be able to open it); if a container object (category, course, etc.) has read access without visibility, it can still be called up if there is a direct link to it or if its content objects are searched for.
    • The top repository level is also a container object (of which, however, only one copy exists). You can find the rights to this object in the "ILIAS system" section. Without read rights for this object, users cannot call up anything that is in the repository!
    • In the case of administration rights, the visibility right exists only pro forma; it has no functional effect there!
  • [...] edit: This right gives a role the ability to change the content, settings and, if necessary, members of an object. It is then also possible to export the objects. Please note that you cannot separate the various sub-aspects in the settings of an object type: either you assign full editing rights or none at all! This right overrides any offline status, i.e. affected users can still see the object.
  • Change permissions settings: This can be used to adjust permissions on an object-specific basis.

Repository-specific operations

Operations that are only available for object types in the repository:

  • [...] delete: Please note that this right also covers the options for linking or moving objects. However, for the successful completion of such an operation, it must be supplemented by the right to create an object of the relevant type at the target position.
  • Create new [...]: Creating a new object in ILIAS is not a right to this object itself (which does not even exist at this point in time), but a right to the surrounding container, i.e. a role can, for example, have the right to create tests in courses or upload files to categories. Please note that by assigning this right, users become the object owner of a newly created object.

Operations for specific object types in the repository

Operations that are only available for specific object types in the repository:

  • [...] copy: This operation is available for many, but not for all object types in the repository. It is only available for types for which a copy process is possible. Please note that to successfully complete such an operation, you must also have the right to create an object of the relevant type at the target position.
  • Operations that are only available for the container objects course and group:
    • Edit calendar: Appointments can be added to the object-specific calendar.
    • Join/Leave: Membership of the object can be started and/or ended independently. Please note that in order to join a course or group, it is also necessary to select a corresponding setting in the individual object so that the object offers an independent joining process at all.
  • Edit learning progress (only for object types that can output learning progress reports): This right enables a role to change the modalities under which ILIAS determines a learning progress status.
  • Specific rights in categories that are used with local accounts (see also chapter Local accounts: Basics)
  • Specific rights in communication objects such as moderating a chat room or creating a forum topic
  • Specific rights in survey objects such as access to test statistics or invite to survey

Effective administration rights outside the administration

Administration rights that actually have an effect outside the administration:

  • Data protection and server security: Access to data on ILIAS accounts: This right enables a role to export data on ILIAS accounts from the system under certain other conditions (see chapter Protecting personal profile data). 
  • ILIAS accounts: Read access for local administrators: If you work with local accounts, you can use this permission to control whether roles that have been granted access to local accounts at a certain point can also see users who are not managed locally, but in the global administration of ILIAS accounts.
  • Search: Allow use of the search
  • Calendar: Create consultation appointments
  • Rights to the mail system: "Use internal mail system" and special permissions to it

Rights to specific administration objects

Rights to specific administration objects:

  • ILIAS accounts
  • Roles

In both cases, the editing right is divided into several sub-aspects, which can therefore be assigned separately.

Manage roles

Create and manage global roles

Click Administration in the main header and select the Roles option.

You will be taken to a view with a list of the roles created on your ILIAS installation, which allows you to set up and delete global roles (and role templates) and change their respective permissions settings.

If so many roles are entered that they do not all fit on the first page, the other pages can be called up using the clickable page numbers at the bottom right.

A filter above the list can also be used to restrict the display to a specific type of role.

Create new global role

Click on Administration in the main header bar and select the option Roles. ILIAS displays an alphabetical list of all roles.

To set up another global role, click on Create new role above the table.

A new field appears in which you can assign a title and a description to the new category.

Finally, click on the Create role button.

It is also possible to enable certain options for the newly created role:

  • Make the role available as an option in the registration form for self-registration (by default, this is only "Guest", see also section Enabling new self-registration)
  • Allow role for user assignment by local administrators (see also chapter Local accounts)
  • Add protection for the role's rights settings: Rights settings can be set differently for individual objects if a role has the right to change rights settings. This can be prevented by this protection.

Overwrite rights settings: Basics

To avoid having to repeatedly enter rights settings when creating several identical or similar roles, you can transfer the rights of other (global) roles or role templates.

There are two conceivable approaches for this purpose:

  • from the starting position, i.e. from the role whose rights are to be copied to one or more other roles. Note: This option is only available for local roles, regardless of whether they were created manually or automatically.
  • from the target position, i.e. from the role to which rights are to be copied. When designing local roles, the rights settings of other roles or role templates can alternatively be copied during creation.

We describe the two procedures below.

Overwrite rights settings (from the starting position)

You are in the Administration in the Roles dialog. To transfer the rights of a global role or an already created role template, proceed as follows:

If necessary, select a different filter setting, e.g. if you want to transfer settings from a role template.

Click on Copy rights in the "Actions" column for the corresponding role.

ILIAS displays an input field for a search term, which can be used to enter the destinations of the copying process. Enter a suitable term and click on Search.

ILIAS displays a list of hits. Select one or more roles and click Next. Note: Both the role itself and the position where it was created in the repository can be called up from here to get a more precise picture in case of doubt. If necessary, it is best to do this in a new window or tab so that you do not have to start the procedure from the beginning. The Back button takes you back to the mask for the search term.

ILIAS asks whether inheritance should be triggered when copying the rights, i.e. whether the copied rights should also take effect for existing objects. Select the desired option and click Copy role.

ILIAS returns to the role overview and reports: "The rights have been transferred to the selected roles."

Design roles

Shaping a new global role

To make settings for a role (especially with regard to its rights), click on its title.

The table that is then displayed gives you an overview of all possible rights that can be assigned to the role (see also the section on the effect of individual rights).

When creating a new global role, all checkboxes are initially empty and the table displayed contains all object types that can occur in the repository (including the rights at the top repository level under ILIAS system). You can find further rights settings by switching to the second page Administration rights. Here you will also find rights to the search and mail system.

For example, to give members of a role the right to participate in discussions in forums, select the Read forum and Create forum posts rights in addition to the already selected Forum is visible right (the Edit forum right, on the other hand, refers to the right to change the name of the forum, for example).

If objects already exist on the ILIAS installation when you create the global role, the rights settings made for the role can also be applied to these objects by checking the Change existing objects checkbox before clicking Save. Otherwise, the new role will have no rights to these objects! This option is only offered for the rights on the "Repository rights" page. For administration objects, changes are simply applied when they are saved.

In the event that only very specific rights settings (e.g. relating to a specific object type such as "Forum") are to be applied to existing objects, but not others, a separate option Change existing ... is available for each of the rights blocks in the table.

For the rights blocks not relating to object types (e.g. authentication/new registration), this option is called ... customize.

Assign people to a role

Just as from the ILIAS accounts, you can also assign an ILIAS account to a specific role within the role administration. Regardless of whether you assign people to roles via the role or account administration, the result is the same. However, the two approaches are recommended in different situations:

  1. From ILIAS accounts:
    • ... if you want to assign/revoke several roles to an ILIAS account at once.
    • ... if you want to check what other roles a user has beforehand.
  2. From the role administration:
    • ... if you want to assign/revoke a role to several users at once.
    • ... if you want to check beforehand which other users have a role.

To do this, use the Account assignment dialog in the edit mode of a role.

You can assign any of the assigned users ...

  • Note: There is also a collection option for this function; in this case, the users are marked beforehand using the checkbox to the left of their name.
  • edit (i.e. jump to the edit mode of the ILIAS account).
  • via ILIAS internal mail system) (message).


Placing objects in the dashboard overview

In ILIAS there are several ways for objects to reach the dashboard of users:

  1. Users can do this themselves by clicking on Add to favorites next to the title of an object in the repository.
  2. Courses, groups and exercises are automatically added to the dashboard for members.

Below you will find instructions on how to implement case 3):

  1. Select one of the roles; whether global or local does not matter.
  2. Open the Recommended content tab and click on Add.
  3. From the overview of the repository that now appears, you can select any object by clicking on it.


Export roles

Since version 4.3, roles that you have created in ILIAS can also be transferred to other ILIAS installations (or other clients of the same installation) by first exporting them in XML format and then importing them again.

Two different processes are required to transfer a role in this way:

  • Export role:
    1. Click on the Export tab in the editing mode of the role.
    2. In the following view, you can create a .zip file by clicking on the Create [...] export file button.
    3. To download the file, select it and click on Download.
  • Import role:
    1. For local roles: Call up any object where you want to create a local role and click on the Rights tab. For global roles: Click on Administration in the main header bar and select Roles.
    2. In the field that appears, click on the Import role button.
    3. Then select the (zipped) file of the object from your local computer and click Import to finish.

Note: If you work with several clients, exporting and importing is the only way to exchange content between clients.


Create and edit role templates

A role template is a set of rights settings. It can serve as a template for new global or local roles to be created.

The ILIAS system itself also uses native role templates for the automatic creation of local roles.

Note: By modifying the corresponding role templates for courses, for example, you can influence the rights structure of all courses created in the future.

The same applies to some other object types for which ILIAS automatically creates local roles, i.e. groups and - if activated - virtual classrooms such as netucate iLinc, Centra or Adobe Connect (see also the section on settings for third-party software).

Editing the system's own role templates

Click Administration in the main header and select the Roles option.

In the filter above the table, select the option Only role templates and click on Apply filter.

The available role templates are displayed, including those for courses.

When you open the role template to be edited, it can be customized according to your requirements (see chapter Designing a global role).

Create role templates manually

Role templates can be created using the same procedure described in the Creating a new global role section. At the beginning of the procedure, simply select Role template [add] instead of Role [add].

Note: Please note that not all rights settings that exist for global roles are possible in role templates, but only those that relate to types of learning objects in the repository; rights to administration aspects, for example, are not possible. The reason for this is that role templates can be used for both global and local roles, and the latter are only valid in the repository.


Overwrite rights settings

Overwrite rights settings: Basics

To avoid having to repeatedly enter rights settings when creating several identical or similar roles, you can transfer the rights of other (global) roles or role templates.

There are two conceivable approaches for this purpose:

  • from the starting position, i.e. from the role whose rights are to be copied to one or more other roles. Note: This option is only available for local roles, regardless of whether they were created manually or automatically.
  • from the target position, i.e. from the role to which rights are to be copied. Note: When designing local roles, the rights settings of other roles or role templates can alternatively be transferred during creation.

We describe the two procedures below.

Overwrite rights settings (from the target position)

You are in the Administration in the Roles dialog (or in the Rights tab of any object).

To transfer the rights of a global role or an already created role template, proceed as follows:

  1. First click on the name of an existing or newly created role.
  2. Above the table you will find a Copy rights settings button, which you can use to view a list of other roles or role templates and copy the rights settings of one of them for the role currently being edited.
  3. To do this, select one of the radio buttons (round selection buttons) and click on Copy.

You return to the table with the rights settings that have now been applied.

ILIAS reports:

Rights settings taken over from '[...]'. (The settings have been saved!)

Note: Please note that transferring the rights has not yet triggered any inheritance. If the transferred rights are also to take effect for existing objects, the rights settings must be saved again using the Change existing objects option (or one of the object type-specific equivalents).


Define settings for the role system

Activate history of changes in the rights system

In the ILIAS rights system, it is possible to track all rights-relevant changes made to any object, i.e. who changed what and when. The changes that affect the object currently being edited are displayed. In addition to changes to the rights settings themselves, the following activities are also relevant to rights:

  • Create, move, link or copy objects
  • Apply role templates to objects
  • Change ownership of an object

A filter can be used to display these changes in a targeted manner, and the time period from which changes are to be displayed can also be limited.

This option is only available if you activate the corresponding setting. To do so, proceed as follows:

  1. Click on "Administration" in the main header and select the option "Data protection and server security".
  2. Check the option "Rights settings log". You can optionally specify how long such log entries should be retained (in months, maximum: 24).
  3. Save at the end.

You are in the "Rights" tab of any object; now switch to the "Log" view via the submenu.