Role risks
  • 16 Sep 2022
  • 1 Minute to read

Role risks

When working with roles in Totara and assigning permissions to different capabilities, it is important to make sure you are assessing the risks. In particular, there are certain risks associated with some capabilities. Below is a list of these risks and why you should consider them, as well as advice on how to proceed. 



You should be aware that some capabilities can allow the holder to change site configurations and behaviours. These are only intended to be allocated to the Site Administrator and Site Manager roles.

XSS (Cross-Site Scripting)

Certain capabilities could be misused to perform cross-site scripting attacks, such as those capabilities that allow users to post non-checked files and HTML with Javascript. These capabilities are only recommended for Site Administrators and trusted editors, such as Trainers in Totara Learn courses. 


Some capabilities allow access to other users' private information, such as non-public profile information. Therefore these capabilities should only be given to Site Administrators and trusted editors, such as Managers.


Some capabilities allow users to add content to the site, such as forum posts, so you should consider whether these could be misused by spammers and only allocate these capabilities where they are needed.

Risks for predefined roles

Certain roles have specific restrictions on them, as listed below:

  • Guest: Only capabilities without any risks are allowed
  • Learner: Certain capabilities with spam risks are allowed
  • Trainer: Certain capabilities with XSS and privacy risks are allowed
  • Administrator: All capabilities are allowed
Data lossSome capabilities allow users to permanently delete data from the system, potentially including compliance records or other data required to be kept for regulatory purposes.

© Copyright 2022 Totara Learning Solutions. All rights reserved. Some content originally obtained via GPLv3 license and continues to be available under GPLv3. All other content is the sole copyright of Totara Learning Solutions. 

Was this article helpful?

What's Next
First name must have atleast 2 characters. Numbers and special characters are not allowed.
Last name must have atleast 1 characters. Numbers and special characters are not allowed.
Enter a valid email
Enter a valid password
Your profile has been successfully updated.