I'm having an issue with the unenroll call in Valence API for the users with roles that are hidden. I can unenroll the users with visible roles though.
My organization's wiki says that "If users are missing from the Classlist, their role in the course may be hidden". Is there any way to unenroll such a user? Am I missing some permissions to unenroll these users with hidden roles?
In order to delete a user enrollment using DELETE /d2l/api/lp/(version)/enrollments/orgUnits/(orgUnitId)/users/(userId) (or the action that removes the enrollment by specifying user ID first and then org unit ID), the calling user context must have permission to:
See user enrollments in the first place (Users>View User Enrollments), at the organization level
Search for the user role type(Users>Search for RoleType), at the organization level
Enroll the user role type (Users>Enroll RoleType), at the organization level
Since the various enrollments actions are considered administrator-type actions, they use the "Users" role permissions at the organization level.
D2L has not currently provided classlist level API actions to unenroll users (so user contexts that would be able to un-enroll users from the classlist tool, within the web UI, often cannot do so using the Learning Framework API, unless the calling user's role has the organization-level permissions required to unenroll users).
Related
I'm testing LMS API using https://apitesttool.desire2learnvalence.com/
I have:
App ID
App Key
User ID
User Key
I can get users from my LMS API https://lms.freedomhighschool.ca/d2l/api/lp/1.30/users/
This is private route and i have access to it.
But when i'm trying to create new user i got "Message": "Not Authorized"
This is admin user and i can login via LMS and to do everything i want(create, delete, update) users.
So, what's the problem? Why can't i create new user via https://apitesttool.desire2learnvalence.com/ ?
https://i.stack.imgur.com/gE98j.png
https://i.stack.imgur.com/BmOiC.png
It looks like you have RoleId = 0. In order to create a Brightspace User, you need to provide a Role Id value.
The user account you are using in the Test Tool will also need to have the appropriate permissions to Enroll users. For example, if you are wanting to enroll a "Student" then your user account needs to have the permission "Users - Enroll 'Student'" turned ON.
Having upgraded to Plastic SCM version 8.0.16.3533, one user who can assign code reviews, another can't.
The users each have two domain accounts using the same user ID, i.e. domain1\userID and domain2\userID. I've ensured the users old domain account have been deactivated. They both have active licences and are in a group assigned to the repository permissions.
No code
All users are able to assign code reviews.
Scenario: Native app with user (user role) present including a user profile page allowing the user to update his profile.
Azure AD v2.0 endpoint used & app registration done accordingly. App is used by many tenants, therefore we have admin consent flow included in the apps sign-up flow.
Account Types: Work & School Account
Admin consented scopes (delegated permission per tenant on registered app):
User.ReadWrite
Directory.AccessAsUser.All (Admin Only)
Directory.ReadWrite.All (Admin Only)
User.ReadWrite.All (Admin Only)
From the documentation:
User permission
User.ReadWrite and User.Readwrite.All delegated permissions allow the app to update the following profile properties for work or school accounts:
aboutMe
birthday
hireDate
interests
mobilePhone
mySite
pastProjects
photo
preferredName
responsibilities
schools
skills
Question 1: Did we understood the terms and documentation correctly?
Question 2: What about other user fields not in this list? Is there no Graph Scenario at all to change them? The documentation is a bit unclear in terms of if possible with user delegated rights or just application delegated right or not possible at all.
Concrete:
Job Title? Can a user with delegated permission ever updated this field or do we need application permission to do so?
User Profile Photo? Can a user with delegated permission update his/her own profile picture or do we need application permission to do so?
The next sentence after that list you referenced from the documentation explains this:
With the User.ReadWrite.All application permission, the app can update all of the declared properties of work or school accounts except for password.
So yes, you can only update the full set of user properties using Application permissions (aka the Client_Credentials flow).
My app is built with Devise and sometimes some users report a problem, so I would like to be able so log in with their accounts and see the dashboard (the website in general) as they do (as a regular member).
How to do that with Devise? Is there any feature for this?
Use a field role to define user access. In case of other users just assign as guest. Make a admin role for your user entry. Now instead to logging into others account, create a custom option in dashboard which can be accessed only by admin, provide a option to change users which helps in viewing different dashboards depending on users.
Our institution has site-wide services that integrate with the D2L Learning Environment. Occasionally a user with an account on one of our other services attempts to visit the Learning Environment before that user has a provisioned user record in the LE, and this results in an authorization error. Does the Valence Learning Framework API provide a way for me to verify that a user record exists in the LE before we redirect a user's session on another service to the LE's login path?
You can use the standard user query route to look for a user record in the D2L LE; using one of the orgDefinedId or userName query parameters, you can look for a user by their organization-defined ID (for example, a student number), or by their LMS user name (that they'd use to log in). For the second to work, naturally you'd need to have the practice of provisioning D2L LE users with the same user name they'd have for your institution's other services.
Notice that the "user" making the call to this route will need sufficient privileges to find the user record (and see the fields they're looking for).