Global and Group roles
In the TAO Portal, there are two types of roles: global roles and group roles. Understanding the permissions associated with these roles is important when creating or editing a user or group.
Global roles
Global roles give users access to functionality across the whole application. A global role is assigned when a user account is created or edited. Users assigned to these roles have rights across the TAO Portal within the group and organizational unit they are enrolled in. The user will have those same rights within any organizational unit below their own in the hierarchy.
The TAO Portal supports the following Account (global) roles:
Global admin [ADMIN]
Content developer [CONTENT_CREATOR]
Group creator [GROUP_CREATOR]
Public sessions manager [PUBLIC_SESSION_MANAGER]
Battery manager [BATTERY_MANAGER]
Support [SUPPORT]
Data Explorer viewer [DATA_EXPLORER]
The names in brackets, such as [ADMIN], represent how each role is assigned in a CSV import. For more information, see CSV imports.
Data Explorer viewer is only available when creating or updating a user via CSV import. A user with this role will have access to Data Explorer, for the whole organization or a particular group. For more information on how this role is used in a group, see the section below on group roles.
The table below summarizes the access and rights of each role:
Global Admin | Content Developer | Group Creator | Public sessions manager [PUBLIC_SESSION_MANAGER] | Battery Manager [BATTERY_MANAGER] | Support [SUPPORT] | System Manager [SYSTEM_MANAGER] | |
Account-wide settings | |||||||
Access to System Settings | Yes | Yes | |||||
Access to authoring (Content Bank) | Yes | Yes | |||||
Create groups | Yes | Yes. When a Group Creator creates a group, they are automatically assigned as Group Manager. | |||||
Create, read, update and deactivate users | Yes | ||||||
Group-level actions | |||||||
Read, update, and deactivate groups | Yes | ||||||
Add/remove users in a group | Yes | ||||||
Create, update, and delete Organizational units | Yes | ||||||
Assign users/groups to Organizational Units | Yes | ||||||
View deliveries | Yes | Yes | |||||
Create, update, and delete deliveries | Yes | Yes | |||||
Create, read, update and delete sessions | Yes | ||||||
Create, update, and delete public sessions | Yes | Yes | |||||
Create, update, and delete batteries | Yes | Yes | |||||
Monitor session | Yes | ||||||
Grade session | Yes | ||||||
View sessions list | Yes | ||||||
Enter session | Yes | ||||||
Exempt test taker from session | Yes | ||||||
Take session | |||||||
Review session | Yes | ||||||
View session scores | Yes | Yes | |||||
View session reports | Yes | ||||||
View individual reports | Yes | ||||||
Access Support Space | Yes | Yes |
Group-related roles
Group roles pertain to a given group only. These roles are assigned as part of the enrollment of a user to a specific group and provide the right to perform certain actions within the scope of the given group.
The TAO Portal supports the following Group-related roles:
Group manager [GROUP_MANAGER]
Scorer [GRADER]
Test-taker [TEST_TAKER]
Proctor [PROCTOR]
Score Reviewer [REVIEW_GRADER] ← for more information on this beta feature, see the section below the table
Booklet Publisher [BOOKLET_PUBLISHER]
Scan Uploader [SCAN_UPLOADER]
Group viewer [GROUP_VIEWER] ← for more information on this beta feature, see the section below the table
The names in brackets, such as [GRADER], represent how each role is assigned in a CSV import. For more information, see CSV imports.
The table below summarizes the access and rights of each role:
Group Manager [GROUP_MANAGER] | Scorer [GRADER] | Test-taker [TEST_TAKER] | Proctor [PROCTOR] | Score Reviewer [REVIEW_GRADER] | Booklet Publisher [BOOKLET_PUBLISHER] | Scan Uploader [SCAN_UPLOADER] | Group viewer [GROUP_VIEWER] | |
Group-level actions | ||||||||
Read, update, and deactivate groups | ||||||||
Add/Remove users in group | Yes | |||||||
View deliveries | Yes | |||||||
Create, Read, Update and Delete sessions | Yes | |||||||
Monitor session | Yes | Yes | ||||||
Grade session | Yes | Yes | Yes, if read-behind scoring is enabled | |||||
View sessions list | Yes | Yes | Yes | Yes | Yes (for groups they are assigned to) | |||
Enter session | Yes | Yes | Yes | Yes | Yes (for groups they are assigned to) | |||
Preview session | Yes | Yes | ||||||
Exempt test taker from session | Yes | Yes | ||||||
Take session | Yes | |||||||
Review session | Yes | Yes | Yes, if allowed by the session’s configuration. For more information, see Creating a session. | Yes | ||||
View session scores | Yes | Yes | Yes, if read-behind scoring is enabled. | |||||
View session reports | Yes | |||||||
View individual reports | Yes (for any test-takers) | Yes, if allowed by the session’s configuration. For more information, see Creating a session. | ||||||
Assign groups to Organizational Units | Yes | |||||||
View paper-based sessions | Yes | Yes, but not uploads tab | Yes | |||||
Generate session booklet | Yes | Yes | Yes | |||||
View and upload paper-based responses | Yes | Yes | ||||||
View Data Explorer | Yes (for groups they are assigned to) |
Group roles and beta features
Read-behind scoring
The group role Score Reviewer pertains to sessions with read-behind scoring enabled. Read-behind scoring is currently a beta feature. For more information, see Reviewing scores (read-behind scoring).
Group viewer and Data Explorer
Use the Group Viewer role (in combination with the global role of Data Explorer viewer) to give users limited access to Data Explorer data for specific groups only.
To set this up:
Enroll the user in the group as a Group Viewer.
Assign the global Data Explorer Viewer (DATA_EXPLORER) role via CSV import.
The user must enable Beta Features → Data Explorer in their user settings to have access to Data Explorer. Without this enabled, the user will have read-only access to the sessions list for that group (not live monitoring).
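The following is an added example, not part of the TAO documentation or product: a least-privilege check over a role export that validates the role codes listed on this page and flags Data Explorer assignments that do not follow the two-step setup above. The CSV column layout (`login`, `global_roles`, `group`, `group_role`), the `|` separator and the sample rows are assumptions constructed for illustration; they are not TAO's CSV import format.

```python
import csv
import io

# Role codes exactly as this page lists them for CSV imports.
# SYSTEM_MANAGER appears only in the global-roles table header.
GLOBAL_ROLES = {"ADMIN", "CONTENT_CREATOR", "GROUP_CREATOR", "PUBLIC_SESSION_MANAGER",
                "BATTERY_MANAGER", "SUPPORT", "DATA_EXPLORER", "SYSTEM_MANAGER"}
GROUP_ROLES = {"GROUP_MANAGER", "GRADER", "TEST_TAKER", "PROCTOR", "REVIEW_GRADER",
               "BOOKLET_PUBLISHER", "SCAN_UPLOADER", "GROUP_VIEWER"}

# Constructed sample. Hypothetical layout: one row per enrollment,
# global roles separated by "|".
SAMPLE = """login,global_roles,group,group_role
alice,ADMIN,,
bob,DATA_EXPLORER,Class-7B,GROUP_VIEWER
carol,DATA_EXPLORER,,
dave,,Class-7B,GROUP_VIEWER
erin,GROUP_CREATOR|DATA_EXPLORER,Class-7B,GRADER
frank,,Class-7B,TEST_TAKR
"""

def load(text):
    """Collect global roles and (group, role) enrollments per login."""
    users = {}
    for row in csv.DictReader(io.StringIO(text)):
        u = users.setdefault(row["login"], {"global": set(), "groups": set()})
        u["global"].update(r for r in row["global_roles"].split("|") if r)
        if row["group_role"]:
            u["groups"].add((row["group"], row["group_role"]))
    return users

def audit(text):
    """Return (login, finding) pairs, ordered by login."""
    findings = []
    for login, u in sorted(load(text).items()):
        for r in sorted(u["global"] - GLOBAL_ROLES):
            findings.append((login, f"unknown global role {r}"))
        for g, r in sorted(u["groups"]):
            if r not in GROUP_ROLES:
                findings.append((login, f"unknown group role {r} in {g}"))
        viewer_groups = sorted(g for g, r in u["groups"] if r == "GROUP_VIEWER")
        has_de = "DATA_EXPLORER" in u["global"]
        # Assumption from the page: group-limited access needs both roles.
        if has_de and not viewer_groups:
            findings.append((login, "DATA_EXPLORER not scoped by any GROUP_VIEWER enrollment"))
        if viewer_groups and not has_de:
            findings.append((login, "GROUP_VIEWER without DATA_EXPLORER in " + ",".join(viewer_groups)))
    return findings

if __name__ == "__main__":
    for login, finding in audit(SAMPLE):
        print(f"{login}: {finding}")
```

The check cannot see whether a user has enabled Beta Features → Data Explorer in their settings, so that step still has to be confirmed per user.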