Permissions are the settings that you grant for specific capabilities.
For example, one capability is "Start new discussions" (in forums).
In each role, you can choose to set the permission for such a capability to one of four values:
- NOT SET
- This is the default setting, generally. It's a neutral setting that means "use whatever setting the user already had". If a role gets assigned to someone (eg in a course) that has this permission for a capability, then the actual permission they'll have will just be the same as they already had at higher-level contexts (eg categories or system level). Ultimately, if permission is never allowed at any level, then the user will have no permission for that capability.
- By choosing this you are granting permission for this capability to people who are assigned this role. This permission applies for the context that this role gets assigned plus all "lower" contexts. For example, if this role is a student role assigned to a course, then students will be able to "start new discussions" in all forums in that course, UNLESS some forum contains an override or a new assignment with a Prevent or Prohibit value for this capability.
- By choosing this you are removing permission for this capability, even if the users with this role were allowed that permission in a higher context.
- This is rarely needed, but occasionally you might want to completely deny permissions to a role in a way that can NOT be overridden at any lower context. A good example of when you might need this is when an admin wants to prohibit one person from starting new discussions in any forum on the whole system. In this case they can create a role with that capability set to "Prohibit" and then assign it to that user in the system context.
Conflict resolution of permissions
Permissions at a "lower" context will generally override anything at a "higher" context (this applies to overrides and assigned roles). The exception is PROHIBIT which can not be overridden at lower levels.
If two roles are assigned to a person in the same context, one with ALLOW and one with PREVENT, which one wins? In this case, Moodle will look up the context tree for a "decider".
For example, a student has two roles in a course, one that allows them to start new discussions, one that prevents them. In this case, we check the categories and the system contexts, looking for another defined permission to help us decide. If we don't find one, then permission is PREVENT by default (because the two settings cancelled each other out, and thus you have no permission).
Note that the guest user account will generally be prevented from posting content (eg forums, calendar entries, blogs) even if it is given the capability to do so.