32. LMS User Roles and Permissions

The SharePointLMS security model is based on Microsoft Office SharePoint Server security but is simplified in terms of items, lists and libraries permission management.

The LMS parts listed below correspond to the following SharePoint parts:

SharePointLMS = SharePoint web application

SharePointLMS Organization = SharePoint Site Collection

SharePointLMS Course = SharePoint Site Collection

SharePointLMS Course Tools = SharePoint Lists and Libraries

SharePointLMS Course Tools Items = SharePoint List and Library Items


By default, the SharePointLMS security model includes User Roles on the following levels:


SharePoint administration level

Farm administrator – such users can create/change/delete the organization levels and configure the LMS Global Features. Farm administrators are responsible for operations dealing with LMS backup and LMS licensing.

Farm administrators can change and add any Site Collection (Organization/Course) Administrator


SharePointLMS Organization level

Organization Administrator / Organization Site Collection Administrator – such users can modify/create/delete anything within their organization level

Course Creators are able to create new courses within a chosen SharePointLMS organization

Visitors (All authenticated users by default) can browse through the LMS but don’t have access to Courses tools or the possibility to add/change/delete data


SharePointLMS Course level

Teachers / Course Site Collection Administrators – users have unlimited access to a specific course and can add/delete/modify anything within the course by default

Teachers Assistants – users have permissions similar to those of Teachers but cannot delete the course

Learners (Learner Permission Level) have limited access to the tools

Faculty – users in charge of faculty administration, such as secretaries etc. Users have limited access to tools

Visitors (All authenticated users by default) are allowed to browse through the LMS but don’t have access to Courses tools or the ability to add/change/delete data



The system account and the farm admin account cannot be used for the learning process due to code limitations.

What is a system account:

1. The SHAREPOINT\System account is the same account used by the application pool of your SharePoint web application in IIS at the time of creation/extension of the respective web application.

2. This is the account that is used when you run your code under elevated privileges with SPSecurity.RunWithElevatedPrivileges.

3. When you create/extend a web application in SharePoint and specify an Application Pool then the identity (Network Account) used by that Application pool becomes the SHAREPOINT\System account.

4. Every time you try to log in under this account, your account will be displayed as SHAREPOINT\System and lots of "Unexpected Error" messages will occur. That is why it is highly recommended that end users not be allowed to use this account, to avoid unexpected errors.

5. If you change the identity of the App Pool account after creating/extending the SharePoint web application, the new account will not become the SHAREPOINT\System account. The best practice is to separate different accounts, only granting the necessary privileges to particular ones. It’s better to install SharePoint and run the application pool under separate accounts (e.g. domain\spsetup for installation).
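
An audit for the recommendation above, as an added example that is not part of the SharePointLMS product or its documentation: it lists every site collection (Organization or Course) where the application pool identity, or SHAREPOINT\System itself, appears as a Site Collection Administrator, which would mean the system account is being used as a Teacher or Organization Administrator. It assumes SharePoint 2010 or later with the Microsoft.SharePoint.PowerShell snap-in, run on a farm server; Get-PlainLogin is a hypothetical helper name.

```powershell
# Added example. Assumes SharePoint 2010 or later and a farm server session
# with rights to enumerate all site collections.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

# Hypothetical helper: strip a claims prefix such as "i:0#.w|" so that
# logins compare as plain DOMAIN\user strings, case-insensitively.
function Get-PlainLogin([string]$Login) {
    $i = $Login.LastIndexOf('|')
    if ($i -ge 0) { $Login = $Login.Substring($i + 1) }
    return $Login.ToLowerInvariant()
}

$findings = @(foreach ($wa in Get-SPWebApplication) {
    # Identity of the application pool that backs this web application.
    $poolLogin = Get-PlainLogin $wa.ApplicationPool.Username

    foreach ($site in Get-SPSite -WebApplication $wa -Limit All) {
        try {
            # Site Collection Administrators = Organization Administrators
            # or Teachers in the LMS role model.
            foreach ($admin in $site.RootWeb.SiteAdministrators) {
                $login = Get-PlainLogin $admin.LoginName
                if ($login -eq $poolLogin -or $login -eq 'sharepoint\system') {
                    New-Object PSObject -Property @{
                        WebApplication = $wa.DisplayName
                        SiteCollection = $site.Url
                        Login          = $admin.LoginName
                        AppPoolAccount = $wa.ApplicationPool.Username
                    }
                }
            }
        }
        finally {
            # SPSite objects hold unmanaged resources; release each one.
            $site.Dispose()
        }
    }
})

if ($findings.Count -eq 0) {
    Write-Output 'No site collection lists the application pool identity as an administrator.'
} else {
    $findings | Format-Table WebApplication, SiteCollection, Login, AppPoolAccount -AutoSize
}
```

Any row in the output is a site collection whose administrator should be replaced with a dedicated user account.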