To reduce the risks outlined by the Taskforce Assessment [1] regarding privileged access of teaching assistants, add automatic revocation of roles that are assigned to accounts are non-TUD-employee accounts, except for accounts that are also assigned manager at the course series level.

Accounts are considered a TUD employee account only if it meets all of the following criteria:

• uses TUD SSO for login
• has a TUD netid
• has an email address ending with @tudelft.nl (i.e. no @student.tudelft.nl)
• has no student number

On a daily basis, WebLab will scan for course editions older than 12 months after started (or when “started” is not set, 16 months after creation). For matching course editions, it revokes all roles assigned to non-employee accounts (both at the edition-level and assignment-level).

The UI for managing roles will be extended with an indicator about the automatic revocation of roles for the relevant accounts.

[1]

The following are risks that we see in the current situation:

• After stopping working as TA, TA’s continue to have access to the courses in which they were TA with their student account, including access to questions and/or exam results.
• TAs can receive too many rights from instructor and can do ‘too much’ in the application, for example change grades/change exam policies (even if on accident).
• Ease of adding TAs causes instructors to give access to more TAs than necessary.

Submitted by Elmer van Chastelet on 16 June 2022 at 09:37