
Hi all,

I’d like to pick your brains over sensitive data exposure & Docebo course access.

We have two groups of people accessing our LMS, one are internal, the others contractors. There are courses that we do not want contractors to view. Thus I have set up catalogs so that they can only search or browse to those courses that we allow access to. We do not use the public catalog at all.

The problem is, if someone (be it internal team leader or power user) enrols them on a course, they can see it, even if it isn’t in the catalogs they can access.

How can we restrict content?

Whilst at the moment this isn’t major, as contractors are covered explicitly by contracts, this question will become critical when we open the platform to a further third group of partners who are not covered by contracts.

@Maz can you please explain your issue...not sure I follow you when you say

“The problem is, if someone (be it internal team leader or power user) enrols them on a course, they can see it, even if it isn’t in the catalogs they can access.

How can we restrict content?”

Why do you want to hide a course the user is enrolled into?


I want to prevent the enrolment or viewing of a course from a specific branch/group. To separate and protect internal confidential training vs more generic training for consultants/contractors.


Hi @Maz! Great question. For starters, you seem to be approaching this exactly the right way by using Catalogs to restrict visibility for certain audiences. That’s awesome and I would recommend that you continue to adopt this practice as you expand Docebo to additional audiences.


If I understand correctly, it seems that the main problem here is cases in which someone is enrolled into something that they technically shouldn’t have access to. The resulting concern is that you might have certain external audiences viewing restricted content, which could pose risks to your organization.


My recommendation here would be to focus on tightening up the governance of your platform. Rather than focusing on hiding a course that a user is enrolled into, your best bet is to make sure that they never get enrolled into/gain visibility to the content in the first place. Here are a few recommendations to help make sure that users aren’t accidentally given access to the wrong content.


1️⃣  Restrict permissions for your internal Power Users

It’s important to ensure that you only grant the minimum level of access to your Power Users needed for them to be successful in their roles. You can assign specific Users, Groups, Branches, Courses, Learning Plans, Catalogs, and Locations. I recommend that you restrict your Power Users from being able to perform administrative action on the courses and/or users you’ve mentioned in this thread. Those users can’t break what they can’t touch.


2️⃣  Mandate training for anyone with Superadmin access to your platform

With great power comes great responsibility. That’s why you should make sure that anyone who is granted Superadmin access in your platform goes through a set of training to prove they’re capable of administering the platform responsibly. In this training, you should cover which courses contain restricted content and which groups/branches absolutely should not get access to those courses.


In situations like these, I’ve often found that clear processes and enablement work best to ensure that your learners see what they should see (and, more importantly, don’t see what they shouldn’t).


Here are a few links to resources that might help you build out your Power User framework and build enablement for your Superadmins:

Link to a discussion thread about Power Users vs. Superadmins:


Thanks for confirming that I’m on the right track @Adam Ballhaussen !

I do indeed train all our people in power, however humans are human and do make mistakes, and I believe that technology should help mitigate those mistakes.

This is especially true in a platform that can do things like Docebo can - offer multi domain and thus third party integration and potential access to content.



@Maz this is a really interesting concept. Do you have ideas about how Docebo could help further prevent/mitigate mistakes like these? What do you imagine this might look like in the platform?


I would imagine that a course in a catalog that a learner does not have permission to view, does not allow enrolment to that learner, under any circumstances - be that admin or otherwise.

This could be turned on/off on a per-platform basis via an advanced setting. Something like “enforce catalog accessibility permissions”.

At the moment catalogs only seem to do half a job.


just chiming in...you can also look to use the Auto-enrollment app coupled with Groups...if you have a field on your contractor profiles that identifies them as such, you could automate the whole process and not ever have those courses placed in any catalogues (or create one that only super admins have access to view to keep these courses bundled)


Hi @Adam Ballhaussen 

We have catalogues set up and we have an additional field called ‘Line manager’ people in this field have access to a line manager catalogue. They are NOT power users but can enrol a direct report onto these courses. Is there any way to lock down a catalogue to prevent this?


Hi @Lucy.blake the only direct way I know of to prevent a manager, who is not a PU, from assigning courses is to put them for sale...Ugh, not great because it would cause everyone else to have to buy a course even if you make it $0.01...interesting hurdle.

Maybe if you deliberately remove the managers from the groups that manage catalogue access that could limit their ability to assign…??


Maybe if you deliberately remove the managers from the groups that manage catalogue access that could limit their ability to assign…??

The ‘Line manager’ group doesn’t manage catalogue access it just has access to the catalogue. The manager enrols the direct report using ‘My team’ functionality. 


This is a very interesting situation. I am not sure if this is the right approach, but here is what I would do:

  • Create a “category” for the confidential courses and put all confidential courses under that category. 
  • Make sure your power users are assigned to all categories except the confidential courses category. 
  • Remove the course from the catalog. 
  • Create an enrollment rule to auto-enroll the users into that course. 
  • Set the course to “only those subscribed can view,” “subscriptions are closed,” and “only an admin can subscribe.”
  • Unfortunately, all superadmins will still be able to see and enroll people into the course. 

Hope this helps!

Jessica 


Maybe if you deliberately remove the managers from the groups that manage catalogue access that could limit their ability to assign…??

The ‘Line manager’ group doesn’t manage catalogue access it just has access to the catalogue. The manager enrols the direct report using ‘My team’ functionality. 

sorry, meant to say that they could be removed from the Group you use to manage who can access/view the catalogue (as per your earlier note)...did I misunderstand?


We should have the ability to select at the course level which branches or groups can view them, not just catalog level.


@Adam Ballhaussen

Do you have ideas about how Docebo could help further prevent/mitigate mistakes like these? What do you imagine this might look like in the platform?

Reading through this thread, I think it may be implemented by an additional option like “restrict enrollments to users who have visibility into the course through any catalog”. I think that this option should be added on the course level (courses don’t need to be in catalogs, so having this as an option of a catalog would be more problematic).

This would mean that only users who can see the course in a catalog already assigned to them would be allowed to get enrolled into the course by a manager or power user.
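As an added illustration that is not part of this thread and not Docebo's own code or API, the following Python model shows what the course-level “restrict enrollments to users who have visibility into the course through any catalog” option (and the per-platform “enforce catalog accessibility permissions” switch proposed earlier) would do to a manager-driven enrolment. Branch, group, catalog and course names are constructed sample data; the class and method names are assumptions chosen for the example. It also includes an audit helper that lists enrolments a learner could never have browsed to, which is a check an admin can run today regardless of whether such an option exists.

```python
from dataclasses import dataclass, field


@dataclass(frozen=True)
class User:
    username: str
    branch: str
    groups: frozenset = frozenset()
    role: str = "learner"  # learner | manager | power_user | superadmin


@dataclass
class Catalog:
    """A catalog is visible to a user if their branch or any of their groups is assigned to it."""
    name: str
    courses: frozenset
    branches: frozenset = frozenset()
    groups: frozenset = frozenset()

    def visible_to(self, user: User) -> bool:
        return user.branch in self.branches or bool(user.groups & self.groups)


@dataclass
class Platform:
    catalogs: list
    enforce_catalog_permissions: bool = False  # hypothetical advanced setting
    users: dict = field(default_factory=dict)
    enrollments: set = field(default_factory=set)

    def can_see_in_catalog(self, user: User, course: str) -> bool:
        # A course can sit in several catalogs; any visible one is enough.
        return any(course in c.courses and c.visible_to(user) for c in self.catalogs)

    def enroll(self, actor: User, learner: User, course: str) -> tuple:
        """Enrol `learner` on behalf of `actor`; returns (allowed, reason)."""
        if actor.role not in {"manager", "power_user", "superadmin"}:
            return False, "actor may not enrol other users"
        # The proposed guard: the learner's own catalog visibility decides,
        # no matter how privileged the actor is.
        if self.enforce_catalog_permissions and not self.can_see_in_catalog(learner, course):
            return False, "learner has no catalog visibility for this course"
        self.enrollments.add((learner.username, course))
        return True, "enrolled"

    def enrollments_outside_catalog_visibility(self) -> set:
        """Audit helper: enrolments where the learner cannot browse to the course."""
        return {
            (name, course)
            for name, course in self.enrollments
            if not self.can_see_in_catalog(self.users[name], course)
        }


def build_sample():
    # Constructed sample data: an internal manager, one contractor, one internal learner.
    manager = User("alice", "internal", role="manager")
    contractor = User("bob", "contractors")
    staff = User("carol", "internal")
    catalogs = [
        Catalog("General", frozenset({"Safety Basics"}),
                branches=frozenset({"internal", "contractors"})),
        Catalog("Internal only", frozenset({"Confidential Onboarding"}),
                branches=frozenset({"internal"})),
    ]
    return manager, contractor, staff, catalogs


def run(enforce: bool) -> dict:
    """Replay the same three manager enrolments with the option off or on."""
    manager, contractor, staff, catalogs = build_sample()
    platform = Platform(
        catalogs,
        enforce_catalog_permissions=enforce,
        users={u.username: u for u in (manager, contractor, staff)},
    )
    return {
        "contractor_safety": platform.enroll(manager, contractor, "Safety Basics")[0],
        "contractor_confidential": platform.enroll(manager, contractor, "Confidential Onboarding")[0],
        "staff_confidential": platform.enroll(manager, staff, "Confidential Onboarding")[0],
        "audit": platform.enrollments_outside_catalog_visibility(),
    }


if __name__ == "__main__":
    for enforce in (False, True):
        print(f"enforce_catalog_permissions={enforce}: {run(enforce)}")
```

With the option off, the manager's enrolment of the contractor on the confidential course succeeds and only the audit helper reveals it; with the option on, the same call is refused while the contractor's enrolment on the shared “Safety Basics” course and the internal learner's enrolment on the confidential course are unaffected.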


We have just worked through this exact issue.

The problem was that we initially wanted a busy, senior manager to be able to assign training to contractors. Because she also has access to training for her internal teams, we deemed the risk too high.


As a result, we have to limit the people with the ability to access the external courses to 1 power user and super admin. We then set up the senior manager as a power user with View only access to the external courses. Testing starts next week (fingers crossed).


What I think is really needed is the ability to provide different levels of Power User access for different courses - i.e., I can view only courses in Category 1 and create courses in Category 2. The limits of Power User granularity are becoming an increasing obstacle as we move into higher compliance training.


@telias agree with you that PU permissions need a new level of granularity to allow 1 person to have different access for certain groups or sets of courses, etc.

