Login
    Contents x
    Role risks
    • 05 Jul 2023
    • 1 minute to read
    Contents

    Role risks

    • Updated on 05 Jul 2023
    • 1 minute to read
    Article Summary

    When working with roles in Totara and assigning permissions to different capabilities, it is important to make sure you are assessing the risks. In particular, there are certain risks associated with some capabilities. Below is a list of these risks and why you should consider them, as well as advice on how to proceed. 

    Risk
    		Description

    Configuration

    You should be aware that some capabilities can allow the holder to change site configurations and behaviours. These are only intended to be allocated to the Site Administrator and Site Manager roles.

    XSS (Cross-Site Scripting)

    Certain capabilities could be misused to perform cross-site scripting attacks, such as those capabilities that allow users to post non-checked files and HTML with Javascript. These capabilities are only recommended for Site Administrators and trusted editors, such as Trainers in Totara Learn courses. 

    Privacy

    Some capabilities allow access to other users' private information, such as non-public profile information. Therefore these capabilities should only be given to Site Administrators and trusted editors, such as Managers.

    Spam

    Some capabilities allow users to add content to the site, such as forum posts, so you should consider whether these could be misused by spammers and only allocate these capabilities where they are needed.

    Risks for predefined roles

    Certain roles have specific restrictions on them, as listed below:

    • Guest: Only capabilities without any risks are allowed
    • Learner: Certain capabilities with spam risks are allowed
    • Trainer: Certain capabilities with XSS and privacy risks are allowed
    • Administrator: All capabilities are allowed
    Data lossSome capabilities allow users to permanently delete data from the system, potentially including compliance records or other data required to be kept for regulatory purposes.

    © Copyright 2024 Totara Learning Solutions. All rights reserved. Some content originally obtained via GPLv3 license and continues to be available under GPLv3. All other content is the sole copyright of Totara Learning Solutions. 

    Was this article helpful?
    What's Next
    Follow us

    © Copyright 2024 Totara Learning Solutions. All rights reserved. Some content originally obtained via GPLv3 license and continues to be available under GPLv3. All other content is the sole copyright of Totara Learning Solutions.

    Change password!
    Changing your password will log you out immediately. Use the new password to log back in.
    Change profile
    Success!
    First name must have atleast 2 characters. Numbers and special characters are not allowed.
    Last name must have atleast 1 characters. Numbers and special characters are not allowed.
    Enter a valid email
    Enter a valid password
    Your profile has been successfully updated.
    Logout