32. LMS User Roles and Permissions

The SharePointLMS security model is based on Microsoft Office SharePoint Server security but is simplified in terms of items, lists and libraries permission management.

The below mentioned LMS parts correspond to the following SharePoint parts:

SharePointLMS = SharePoint web application

SharePointLMS Organization = SharePoint Site Collection

SharePointLMS Course = SharePoint Site Collection

SharePointLMS Course Tools = SharePoint Lists and Libraries

SharePointLMS Course Tools Items = SharePoint List and Library Items

By default, the SharePointLMS security model includes User Roles on the following levels:

SharePoint administration level

Farm administrator - such users can create/change/delete the organization levels and configure the LMS Global Features. Farm administrators are responsible for operations dealing with LMS back up and LMS licensing

Farm administrators can change and add any Site Collection (Organization/Course) Administrator

SharePointLMS Organization level

Organization Administrator / Organization Site Collection Administrator – such users can modify/create/delete anything within their organization level

Course Creators are able to create new courses within a chosen SharePointLMS organization

Visitors (All authenticated users by default) can browse through the LMS but don’t have access to Courses tools or the possibility to add/change/delete data

SharePointLMS Course level

Teachers / Course Site Collection Administrators – users have unlimited access to a specific course and can add/delete/modify anything within the course by default

Teachers Assistants – users have similar permissions as Teacher but cannot delete course

Learners (Learner Permission Level) have limited access to the tools

Faculty – users in charge of faculty administration, such as secretaries etc. Users have limited access to tools

Visitors (All authenticated users by default) are allowed to browse through the LMS but don’t have access to Courses tools or ability to add/change/delete data

Note:

System account and farm admin account cannot be used for learning process due to the code limitations.

WHAT is a system account:

1. SHAREPOINT\System account is the same account used by application pool of your SharePoint web application in IIS at the time of creation/extension of respective web application.

2. This is the account which is used when you run your code in under elevated privileges by SPSecurity.RunWithElevatedPrivileges.

3. When you create/extend a web application in SharePoint and specify an Application Pool then the identity (Network Account) used by that Application pool becomes the SHAREPOINT\System account.

4. Every time you try to log in under this account, you account will be displayed as SHAREPOINT\System and lots of "Unexpected Error" messages will occur. That is why it is highly recommended that end user should not be allowed to use this account to avoid unexpected errors.

5. If you change the identity of App Pool account after creating/extending the SharePoint web application, the new account will not become the SHAREPOINT\System. The best practice is to separate different accounts, only granting the necessary privileges to particular ones. It’s better to install SharePoint and run the application pool by separate accounts (i.e. domain\spsetup for installation).