Preventing access

@Maz can you please explain your issue...not sure I follow you when you say

“The problem is, if someone (be it internal team leader or power user) enrols them on a course, they can see it, even if it isn’t in the catalogs they can access.

How can we restrict content?”

Why do you want to hide a course the user is enrolled into?

Hi @Maz! Great question. For starters, you seem to be approaching this exactly the right way by using Catalogs to restrict visibility for certain audiences. That’s awesome and I would recommend that you continue to adopt this practice as you expand Docebo to additional audiences.

If I understand correctly, it seems that the main problem here is cases in which someone is enrolled into something that they technically shouldn’t have access to. The resulting concern is that you might have certain external audiences viewing restricted content, which could pose risks to your organization.

My recommendation here would be to focus on tightening up the governance of your platform. Rather than focusing on hiding a course that a user is enrolled into, your best bet is to make sure that they never get enrolled into/gain visibility to the content in the first place. Here are a few recommendations to help make sure that users aren’t accidentally given access to the wrong content.

  Restrict permissions for your internal Power Users

It’s important to ensure that you only grant the minimum level of access to your Power Users needed for them to be successful in their roles. You can assign specific Users, Groups, Branches, Courses, Learning Plans, Catalogs, and Locations. I recommend that you restrict your Power Users from being able to perform administrative action on the courses and/or users you’ve mentioned in this thread. Those users can’t break what they can’t touch.

  Mandate training for anyone with Superadmin access to your platform

With great power comes great responsibility. That’s why you should make sure that anyone who is granted Superadmin access in your platform goes through a set of training to prove they’re capable of administering the platform responsibly. In this training, you should cover which courses contain restricted content and which groups/branches absolutely should not get access to those courses.

In situations like these, I’ve often found that clear processes and enablement work best to ensure that your learners see what they should see (and, more importantly, don’t see what they shouldn’t).

Here are a few links to resources that might help you build out your Power User framework and build enablement for your Superadmins:

• Creating and Managing Power Users (KB article)
• Delegating Administrative Tasks with Power Users (DU course)

Link to a discussion thread about Power Users vs. Superadmins:

@Maz this is a really interesting concept. Do you have ideas about how Docebo could help further prevent/mitigate mistakes like these? What do you imagine this might look like in the platform?

just chiming in...you can also look to use the Auto-enrollment app coupled with Groups...if you have a field on your contractor profiles that identifies them as such, you could automate the whole process and not ever have those course placed in any catalogues (or create one that only super admins have access to view to keep these courses bundled)

HI @Lucy.blake only direct way I know of to prevent a manager, who is not a PU, to assign courses is to put them for sale...Ugh, not great cause it would cause everyone else to have to buy a course even if you make it $0.01...interesting hurdle.

Maybe if you deliberately remove the managers from there groups that manage catalogue access that could limit their ability to assign…??

This is a very interesting situation. I am not sure if this is the right approach, but here is what I would do:

• Create a “category” for the confidential courses and put all confidential courses under that category. 
• Make sure your power users are assigned to all categories except the confidential courses category. 
• Remove the course from the catalog. 
• Create an enrollment rule to auto-enroll the users into that course. 
• Set the course to “only those subscribed can view,” “subscriptions are closed,” and “only an admin can subscribe.”
• Unfortunately, all superadmins will still be able to see and enroll people into the course. 

Hope this helps!

Jessica 

We should have the ability to select at the course level which branches or groups can view them, not just catalog level.

We have just worked through this exact issue.

The problem was that we initially wanted a busy, senionr manager to be able to assign training to contractors. Because she also has access to training for her internal teams, we deemed the risk too high.

As a result, the have to limit the people with the ability to access the external courses to 1 power user and super admin. We then set up the senior manager as a power user with View only access to the external courses. Testing starts next week (fingers crossed).

What I think it really needed is the ability to provide different levels of Power User access for different courses - i.e., I can view only courses in Category 1 and create courses in Category 2. The limits of the power users granularity is becoming an increasing obstacle as we move into higher compliance training.