Roles in Cirrus control who can do what at three levels: across the whole site, on individual collections, and on individual assessments. This article explains the three role layers and how they combine.
The three role layers
| Layer | What it controls | Article |
|---|---|---|
| Site role | Which areas of the platform a user can open and which actions they can take across the tenant. | Site roles |
| Collection role | Which actions a user can take on a specific shared collection. | Collection roles |
| Assessment role | Which actions a user can take on a specific shared assessment. | Assessment roles |
Site roles are the broad bucket: System administrator, Admin, Author, Candidate, Marker, Invigilator, and any custom roles you create. Collection and assessment roles are finer-grained: they apply per shared item and override or add to site-role defaults for that item only.
If you remove Manage roles from the system administrator site role, no-one can edit roles afterwards. Raise a Service Desk ticket if this happens.
Collection roles in practice
A typical authoring workflow uses collection roles to enforce review:
- The owner creates a collection.
- The owner shares the collection with a colleague and assigns the Reviewer role.
- The owner creates an item and moves it from Draft to Ready for review.
- The reviewer is notified on their dashboard, opens the item, and adds comments.
- The owner reads the comments and moves the item to Approved or Not approved.
Revisions can be compared side by side, and authors and reviewers can comment on individual revisions. See Collection roles for the full role table.
Assessment roles in practice
Assessment roles mirror collection roles: a shared assessment can be given to colleagues with specific permissions for review, editing, or publishing. See Assessment roles for the table.
Login as
Admins and Coordinators can be granted Login as to sign in as another user. Configure it under Admin > Roles > Site > Login as. When enabled, open Admin > Users and select the eye icon next to a user to sign in as them.
The role hierarchy limits who can sign in as whom:
- System administrator can sign in as: System administrator, Admin, Author, Candidate.
- Admin can sign in as: Admin, Author, Candidate.
- Author can sign in as: Author, Candidate.
Every Login as event is audited and the impersonated user receives a notification. See Site roles for the audit detail.
Related articles
- Site roles for the full site-role matrix.
- Quick start: add a site role for creating a new role.
- Access levels for hierarchy-based access.