Best practices
The following recommendations and suggestions will help you improve your security.
Avoid assigning roles at the system level unless really necessary. Any permission change at the system level affects the entire system and can therefore increase security and maintenance risk. Try to assign roles only in the specific part of Moodle where they are needed. This is especially important for students and teachers.
Avoid giving a user more than one role in the same context. A minimalistic approach is best whenever possible. You should try to fit all of a user's needs into one role. If you find a type of user that does not fit completely into any of the existing roles, it is most likely time to create a new role.
It is better not to change the standard roles. If you wish to introduce a change, make a new role based on the standard role and apply your changes to it.
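The first two recommendations can be checked against the role assignment data. The following is an added example, not code from Moodle or from this page: two audit queries run with Python's sqlite3 over constructed sample rows. It assumes Moodle's role, context and role_assignments tables, shown here without the table prefix (mdl_ by default) and reduced to the columns the queries use.

```python
import sqlite3

CONTEXT_SYSTEM = 10  # Moodle's contextlevel value for the system context

# Roles assigned at the system level: each row applies across the whole site.
SYSTEM_LEVEL_SQL = """
SELECT ra.userid, r.shortname
FROM role_assignments ra
JOIN context c ON c.id = ra.contextid
JOIN role r ON r.id = ra.roleid
WHERE c.contextlevel = ?
ORDER BY ra.userid, r.shortname
"""

# Users holding more than one distinct role in the same context.
MULTI_ROLE_SQL = """
SELECT ra.userid, ra.contextid, COUNT(DISTINCT ra.roleid) AS roles
FROM role_assignments ra
GROUP BY ra.userid, ra.contextid
HAVING COUNT(DISTINCT ra.roleid) > 1
ORDER BY ra.userid, ra.contextid
"""

def build_sample_db():
    """Constructed sample data; ids and users are made up for the example."""
    db = sqlite3.connect(":memory:")
    db.executescript("""
    CREATE TABLE role (id INTEGER PRIMARY KEY, shortname TEXT);
    CREATE TABLE context (id INTEGER PRIMARY KEY, contextlevel INTEGER, instanceid INTEGER);
    CREATE TABLE role_assignments (id INTEGER PRIMARY KEY, roleid INTEGER, contextid INTEGER, userid INTEGER);
    INSERT INTO role VALUES (1,'manager'),(3,'editingteacher'),(5,'student');
    INSERT INTO context VALUES (1,10,0),(20,50,101),(21,50,102);
    INSERT INTO role_assignments (roleid, contextid, userid) VALUES
      (1,1,7),             -- manager at system level
      (3,1,8),             -- teacher at system level: review
      (3,20,9),(5,20,9),   -- two roles in one course context: review
      (5,20,10),(5,21,10); -- one role per context: fine
    """)
    return db

def system_level_assignments(db):
    return db.execute(SYSTEM_LEVEL_SQL, (CONTEXT_SYSTEM,)).fetchall()

def multi_role_users(db):
    return db.execute(MULTI_ROLE_SQL).fetchall()

if __name__ == "__main__":
    db = build_sample_db()
    print(system_level_assignments(db), multi_role_users(db))
```

Each row returned is a candidate for review rather than an error in itself: a manager at the system level may be intended, while a teacher or student there usually is not.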
Risky capabilities
All capabilities are marked with a risk level value. Moodle defines four...