Is there a way to let users toggle roles when logging in?

Kevin.G.504 Posts: 3 🌱
edited October 2023 in Higher Ed / Postsecondary
There are sometimes scenarios where specific users need to be granted user rights beyond their "day job". This could be in support of a project or other specialized role. Rather than add user rights to a subset of users, it's beneficial to set up a separate role for that need. However, one user cannot have two roles, necessitating the creation of separate local accounts. Is there a means to associate two roles to one user? That would allow us to maintain the security of SSO and MFA for the user account, allow the user to toggle roles as needed, and give IT the flexibility to revoke the added role when no longer needed. I've seen this in other enterprise systems and it works well.

Answers

  • Chris.S.534

    Hi Kevin,

    In any one context, a user can only have one role. Typically, after authenticating, a user lands on the Brightspace homepage (Org or Organisation) in their contextual role, e.g. Teacher/Learner/Administrator etc. This is the org-level role you allocate to them when creating their user account. Similarly, for every course offering the user needs access to, they are allocated a role via their enrolment into it.

    The exception to this is of course when a user is allocated a cascading role at the org level or similar through which they have an implied enrolment into every course offering/org unit below the level at which they have been enrolled. If you want a user, in a cascading role, to access a course offering in a different role you must unenrol them from the course offering and explicitly enrol them into it e.g. as a Learner.

    Some clients like to have separation in the local user accounts for the different tasks a user needs to perform, such as PD/compliance courses etc. Others trust Administrative staff will do the right thing when it comes to course access given they can access anything in the environment regardless. That is, use a local user account for Administrative tasks (not using SSO but using local MFA), and a formal/institutional account using SSO for PD/compliance activities.

    Hope that helps!

  • Kevin.G.504
    Kevin.G.504 Posts: 3 🌱

    Hi Chris,

    What you describe in the third paragraph is the situation I'm envisioning. In my experience, it's IT best practice to not provision additional user accounts. Associating multiple roles to a single user account allows for ease of tracking and user management, while also enforcing needed security protocols. The creation of an added local account opens the door for a host of issues. Is there the potential for development work that would allow a role toggle at login for select users?

    Thanks,

    Kevin