Role based access control with Moodle

2 November 2021 by Catalyst

One mechanism the Moodle Learning Management System (LMS) uses to create control over who does what within the system is its approach to what is known as Role Based Access Control (RBAC).  In this second post of our Moodle Security Mini Series, let’s explore what it is and how it helps to improve the cyber resilience of your LMS.

Mini Series Post 1 - Moodle security & privacy, the basics

RBAC provides Moodle administrators with the ability to create different types of users and system administrators, such that anyone logging into the platform only has access to the resources they need to carry out the tasks they require.  This may be students accessing classes and handing in assignments, teachers publishing course content and marking assignments, and administrators that are on-boarding new students into specific classes and granting access to a collection of course material. 

Understanding RBAC principles

RBAC is a common approach in security architecture to restrict access to important and critical data to those roles assigned the privileges to do so. The RBAC model can apply to administrators and users alike, but in the case of administrators it can overlap with another security concept known as Privileged Access Management (PAM), which we will talk about a little later.

RBAC allows anyone designing a Moodle LMS to determine access to resources, based on a predefined role applicable to the nature of the end user. In Moodle, this equates to obvious roles like student, teacher, or administrator, but you can also introduce custom roles like teaching assistant, parent, and supervisor, to which you can assign a tailored set of privileges and access. 

To implement RBAC in your Moodle platform, you need to first decide which roles are required by your organisation and what differentiates them, in terms of the privileges and access needed to certain resources. By way of example, if you decide teachers can edit course content but they cannot set teaching schedules, that constitutes the nature of the teacher permissions within the platform. Students may only be allowed access to specific courses they are enrolled into, and thus the content they can access is limited to only those courses. Furthermore, for a student, you may decide that all course content is read only. 

Developing a role based access model for Moodle

The RBAC capability is an incredibly powerful feature of the Moodle platform’s security model. However, it can present security risks that you need to be aware of, especially if you don’t design it properly. You will need to ensure you have mitigation strategies in place to counteract any of these potential risks, otherwise you may be exposed to attacks you had not considered. 

Visibility of permissions-based risks

On the plus side, Moodle can show you where any permissions-based risks are within your systems.  This allows you to plan how you implement the model. The risks are shows as potential impacts relating to specific attacks using Moodle’s built-in capability report and permission checker. Since the Moodle administrator is responsible for role definitions and their associated permissions, it’s advisable that you always use this capability report and system permission checker when designing your system, or making any changes to the RBAC model you have already rolled out to your user community. 

High risk roles to manage closely

Within Moodle, it has what are called ‘Global Role Assignments’. These global role assignments have permissions that span the entire Moodle site, which means they are very dangerous roles if they are compromised by an attacker. It is highly recommended that you minimise the number of global roles you create and tightly control who is allocated them as they will have access and control over every page and capability in your system.  This includes the front page and all your course content.

Another role to be aware of is the default ‘Authenticated User Role’. This role is assigned to everybody that logs into your Moodle site. The role doesn’t pose any permissions conflicts with other role allocations but it does guarantee essential Moodle operations can occur.  Consequently, you need to make sure you don’t accidentally change its ability to do more than it should or remove permissions that cause all user roles to break. 

Catalyst recommends that you don’t change the defined permission of role assignments of the Authenticated User Role, unless absolutely necessary.  Changes to every user can adversely affect your system’s risk profile.

Moodle and privileged access management

Moodle doesn’t have a specific solution for Privileged Access Management (PAM) as it’s inherent in the RBAC model. However, you should follow a design approach that consider PAM requirements so that you mitigate attacks where administration teams are targeted by knowable adversaries. 

Logically, PAM is just another form of RBAC designed to defend against the theft and misuse of privileged accounts, such as your Moodle administrators’ credentials. In Moodle, you have different levels of administrators, so PAM applies to both users and system administration roles alike. The ramifications of a teacher’s credentials being stolen are sometimes as grave as that of an administrator, as it could facilitate cheating and allow the value of your academic or professional qualifications to be undermined. 

Principle of least privilege

The best approach for PAM in Moodle is to use the principle of least privilege access for every user. To apply this principle, you’ll need to develop a precise list of the access each role in your RBAC model requires to do their job. Administrator accounts with global rights to the whole platform must be limited to just one or two individuals, while other administration tasks can be undertaken with lesser permission sets. If you need to have an administrator with lesser privileges to undertake a more complex task, assign them the permissions (or add them to a role) which provides that capability, but once the task is complete you can revoke it. 

Take steps to further improve the security of your Moodle

The Moodle security model is well aligned to industry standards and security architecture principles, so by following the Moodle best practice you will ensure your learning site is protected and any information you collect on your students and customers remains cyber resilient. 

Services to support your Moodle

red letter M with a red mortarboard hanging off the top left hand corner

Catalyst is a Premium Moodle Certified Partner, with a wealth of experience in RBAC implementations within Moodle.  We make sure our clients applications are protected from the day they are exposed to users.   Explore how we can help you get RBAC established quickly, and improve the security of your Moodle. 

Contact the team at Catalyst

Premium Moodle Certified Partner Logo