Configuration Options: System/User Permissions

Configuration Options: System/User Permissions

Synopsis

Concourse provides many permission types so that your system can be administered in the method that works best for your institution. You can set permissions from the syllabus level to the domain level to the system level. Individuals assigned System Permissions, also called User Permissions, have a high degree of control in your system and can make changes to system data, including courses and users. The three system permissions are:
  1. Administer System
  2. Create Courses
  3. Set Domain Permissions
We recommend that you provision System Permissions intentionally to distribute access appropriately, support your system’s security, and ensure systemwide uniformity in data and reporting. Continue reading for more information about setting System Permissions in Concourse.

Key Terms

  1. Administer System: the permission to process feeds, assign system permissions to other users, make changes to user accounts, purge users and courses, apply group permissions en masse, manage integrations, and manage domains.
  2. Create Courses: the permission to create new courses, both templates and non-templates, and clone existing courses. These users are not able to edit the courses they create unless they also have editing permissions through a domain or course role.
  3. Set Domain Permissions: the permission to give other users domain-level permissions. Users with Set Domain Permissions do not themselves have domain permissions; they are merely able to adjust other users’ access to provide domain permissions.
  4. Statistics Report: a system-level report available to Concourse admins, the Administrators block of this report provides the number of system administrators in the given system.
  5. User Report: this system-level report allows Concourse admins to search for all users in the system with a specific system permission; with this information, accounts and system permissions can be updated to accurately support your system’s needs.

Important to this Decision

Before making decisions about how your institution uses Concourse, you should consider how stakeholders, systems, timelines, and other factors are impacted. Review the important elements below to be better prepared to make changes to your Concourse configuration or implementation.
Key Players
Users with System Permissions play a significant role in the administration and daily functionality of Concourse. Users assigned these permissions should be:
  1. familiar with the different systems that interact with Concourse 
  2. aware of the institution’s processes and expectations for syllabus development
  3. carefully trained on the system’s functionality
  4. prepared to engage with Concourse regularly
Users assigned System Permissions may be members of the implementation team, but this is not always the case. These permissions may be distributed to any user who can support your institution’s long-term Concourse use.
Consideration
Users with System Permissions have the ability to create, modify, and delete system data, including courses, syllabus content, and user information. When it comes to these high-powered permissions, we recommend that you follow the rule of least privilege, which states that users should be granted the minimum access and permission required to perform their essential functions. In other words, distribute System Permissions only to users who truly need them. When determining the users who should be assigned System Permissions, think of users’ roles at your organization, their skill sets, and how they will engage with Concourse so that you assign them the permission and associated responsibility that is the best fit.
Timing
System permissions are typically assigned to users during the implementation process. It’s important to note, however, that system permissions are likely to change over time. As individuals’ roles at your institution change, their involvement with Concourse may also change, necessitating updates to system permissions. For example, your main System Administrator may be promoted and have to step away from Concourse; as a result, that user’s Administer System permission could be removed, and another user could be assigned Administer System permission to fill the gap. In other words, Concourse System Permissions should be adjusted as needed, regardless of how long you have been using Concourse or what time of the academic year it is.
Connected Systems & Locations
  1. Users with Administer System permission can process data feeds manually. If data feeds are also automated or will be automated at some point, users with this permission should be aware of how the feeds they process function alongside automated feeds. It is also helpful if these users are familiar with feed troubleshooting techniques to assist database administrators in the event that feeds present errors and require updates.
  2. Users with Create Courses permission should be aware of course creation processes in your system (e.g., via feed or LTI auto-create) and naming conventions in order to prevent duplicated courses, redundant system data, and user confusion.
  3. Users who can Set Domain Permissions must be aware of organizational schema and shifts, both institutionally and in Concourse, so that they can update domain permissions when Concourse domains are modified or added.
Method
To adjust a user’s System Permissions:
  1. Select Admin > Users in the main navigation menu.
  2. Search for the user whose permissions are to be updated.
  3. Select the appropriate user account from the Results block.
  4. On the user’s account page, select Edit in the Settings block.
  5. On the subsequent page, locate the System Permissions block. In the System Permissions block, select the checkbox for the permissions the user should have.
  6. Save.
Motivation & Impact
The approach you take to distributing System Permissions should reflect your institutional philosophies for technology administration, data management, and delegation of job responsibilities, and it should support your actual needs for Concourse administration. The size of your system is another contributing factor, as the scope of responsibilities may impact the number of users needed to accomplish a specific role. It is possible to successfully administer Concourse with only a few users having System Permissions or with a larger team of users. Again, we recommend that System Permissions be assigned to the fewest number of users possible to support functionality.

Configuration Options

Your institution’s approach to distributing System Permissions will be informed by a number of factors, including institutional size and organizational complexity, the amount of data in your system, and your institution’s approach to role-based access. Note that System Permissions are set on accounts individually, so it is possible to adjust your distribution of high-level permissions on an ad hoc basis in the future. To get started setting System Permissions, your institution may choose:
  1. Option A: Centralized Distribution of System Permissions
  2. Option B: Decentralized Distribution of System Permissions
If the choices below don’t fit your needs, reach out to Client Services for assistance.
Option A: Centralized Distribution of System Permissions
  1. Approach: With a centralized distribution of System Permissions, a limited group of users is selected to do the work of administering your Concourse system. The smallest number of users possible is assigned to each System Permission to keep your overall system access controlled. For example, your institution may find that having one user designated as the System Administrator (Administer System Permission) and another user assigned that permission and trained to the role as backup is sufficient. However, your institution may be large or complex enough that you need more individuals with this permission to keep your system running smoothly. This approach often assigns all three System Permissions to the same small group of users so that there are a few designated Concourse experts at your institution who can handle any tasks. When determining whether this approach is right for your organization, make sure that the workload of administering Concourse is something a user with System Permission can reasonably take on. If a few professionals at your organization are able to devote serious time and effort to Concourse, then this approach will likely be successful. If, on the other hand, there is a larger group of individuals who can each devote a smaller amount of time to Concourse, then choosing a decentralized distribution of System Permissions may be a better option.
  2. Better For: This option is used most often by institutions that have smaller or less complex systems to administer. 
  3. Effort: The time investment for setting System Permissions depends on the number of users who must be assigned permissions. Since System Permissions are set manually on a user-by-user basis, you can plan to spend approximately 1 minute to set each user’s permissions (e.g., five users with System Permissions equals five minutes to adjust permissions). The time investment of distributing System Permissions to a smaller number of users will naturally take less time. The most time-consuming part of the overall process is deciding which users should be assigned System Permissions and then training them on expectations and functionality. Whenever System Permissions are changed or added, users must be trained on their new role.
Advantages of Using a Centralized Distribution of System PermissionsDisadvantages of Using a Centralized Distribution of System Permissions
Responsibility is limited to ensure more control and uniformity in administration operations; in other words, if only a few people have System Permissions, then operations will be performed consistently over time and there is less concern about system data integrity.If a member of a small team of users with System Permissions is not able to perform their job function, a back-up or alternative user may not be trained and ready to take on the role, resulting in delays of essential functions.
If a limited number of users have System Permissions, the scope of each user’s job is clearer and there is less likely to be confusion about delegation of responsibilities within Concourse. While each user’s responsibility scope is clearly defined, with a smaller team of high-level users, each user may have a larger workload than if multiple users had the same permissions and divided tasks.
Option B: Decentralized Distribution of System Permissions
  1. Approach: With a decentralized distribution of System Permissions, a larger group of users is selected to do the work of administering your Concourse system; instead of three to five users doing all the work of administering your system, there may be three to five separate individuals (or more) assigned to each System Permission. This approach allows the workload of administering Concourse to be delegated or shared so that a larger team is able to keep your system running smoothly regardless of what other projects or unforeseen circumstances arise. It may be appealing from a control standpoint to have one user designated as the System Administrator (Administer System Permission), but your Concourse system may be too large or complex for a limited assignment to be possible. With the decentralized approach, users are tasked with maintaining one unique aspect of Concourse (such as setting domain permissions for one specific domain), trained carefully on the functions specific to their role, and managed by one high-level user. There isn’t a specific “right” number of users who should have each System Permission; we recommend that you assign these high-level permissions in the way that will best support your institution’s success while also only assigning the permissions to users whose roles require that level of access. 
  2. Better For: This option is used most often by institutions that have larger or more complex systems to administer.
  3. Effort: The time investment for setting System Permissions depends on the number of users who must be assigned permissions. Since System Permissions are set manually on a user-by-user basis, you can plan to spend approximately 1 minute to set each user’s permissions (e.g., five users with System Permissions equals five minutes to adjust permissions). The time investment of distributing System Permissions to a larger number of users will naturally take more time. The most time-consuming part of the overall process is deciding which users should be assigned System Permissions and then training them on expectations and functionality. Whenever System Permissions are changed or added, users must be trained on their new role.
Advantages of Using a Decentralized Distribution of System PermissionsDisadvantages of Using a Decentralized Distribution of System Permissions
If a larger group of users has System Permissions, then there is less concern about disruption of essential functions if one user is unavailable or diverted from Concourse support.Whenever any permission type is distributed to a larger group, there is the potential for inconsistencies or errors (e.g., two users may perform the same function in different ways or not all users may be trained adequately to complete a task).
Distributing System Permissions to a larger group of users likely means that each user has a smaller assigned workload or purview in Concourse. If more users are assigned System Permissions, it may be difficult to determine appropriate remediation and coaching for errors. In other words, determining which user with a specific System Permission performed an operation erroneously may be difficult.

Post-Decision Changes

Your institution’s needs may change over time and you may need to make changes to your configuration settings. In other words, the configuration decisions you make during the implementation phase might not be as efficient five or ten years afterward. Review the guidance below to better understand how changing this particular decision may affect your Concourse system or deployment in the future.

The process to change your approach to System Permissions is essentially the same whether you will increase (centralized to decentralized) or decrease (decentralized to centralized) the number of users with System Permissions. 
  1. Take inventory of the users in your system with each permission type and determine how permissions should change on a user-by-user basis (see “generating a User Report” below).
  2. Inform selected users of how their Concourse permissions will change (increased or decreased) and what their new responsibilities are.
  3. Adjust each selected user’s System Permissions manually (see instructions above).
  4. Train users on new Concourse functionality, expectations, and timelines for delivery.
Evaluating and adjusting high-level permissions should be part of your standard Concourse maintenance (at least annually), so you will become familiar with the process of adjusting users’ permissions and getting them up to speed. Depending on the number of users whose permissions are to be adjusted, this is a process that can take a few minutes to an hour. The time investment for notifying and training users also varies based on your institutional messaging and training practices.

Related Topics

Before making a decision about assigning system permissions, you should be familiar with some related issues and contexts. See the following articles for more information:
  1. Learn more about Administering Concourse.
  2. Find instructions for generating a User Report.
  3. Note that system permissions are different from domain permissions; if a user should be able to modify your system and syllabus content, they will likely need domain permissions as well. Learn more about Domain Permissions in Concourse.

Tell Us About Your Experience

Did this article answer your question? If you made a decision like this for your Concourse instance, let us know how it turned out. If we missed something in this article or if you have a question that isn’t addressed in our Knowledge Base, let us know how we can help by reaching out to support@campusconcourse.com

    • Related Articles

    • Configuration Options: Authentication

      Synopsis In Concourse terminology, authentication refers to the way in which your users’ accounts and access to Concourse are verified. Authentication can occur in your institution’s other systems or within Concourse, and the option you choose, ...

    • Configuration Options: Enabling Curriculum Vitae

      Synopsis The Curriculum Vitae (CV) feature allows registered users in your system to add CV content to their Concourse profiles. Users can add content to three rich text fields on their account pages: Education Experience Publications When selected ...

    • Configuration Options: Sharing Syllabi with Non-registered Users

      Synopsis Users are registered to courses in Concourse based on their roles in the associated Learning Management System course (e.g., instructor, student, assistant); those users can then view and/or edit each syllabus item based on their group’s ...

    • Configuration Options: Enabling Course Files

      Synopsis The Files feature allows users to upload artifacts to courses in Concourse; any file type can be uploaded, including documents and images, with the limit of 100MB of storage per course. This feature is not intended to substitute for files ...

    • Configuration Options: The Notifications Feature

      Synopsis The Notifications feature allows users with an editing role in a course to notify registered users, such as students, assistants, developers, and managers, via email when syllabus content is changed. Notifications are sent from ...