Forums | Mahara Community

Direct site admin access to any account data without masquerading?


Kristina Hoeppner (Posts: 4949)

11 June 2025, 8:55

Hi everyone,

We've received the question of whether Mahara core could be extended to give site administrators direct access to any person's account on a Mahara site to help troubleshoot issues. Currently, this is not possible for privacy reasons.

A portfolio space is essentially like your laptop and admins wanting access should ask you for your permission to do so rather than logging in directly. We do have the masquerading option where admins can get into accounts. They can decide to send a notification and also a reason to the account holder for more transparency to alert them to the fact that an admin logged in.

In Moodle where admins have full access to everything, learners generally only upload or share content that they know is going to be assessed or accessible to someone. In Mahara, portfolio authors can upload content but decide to never share it with anybody else, thus potentially having more private content in accounts.

In organisations, site admins can be colleagues of portfolio authors (think of staff portfolios), and people creating portfolios with potentially sensitive or confidential information should have the assurance that their content is suitably protected and only accessed if it really needs to be. Furthermore, some organisations have 20+ administrators, thus widening the field tremendously of who would have easy access to potentially quite personal content.

It is correct that a server administrator has full access to the database and thus can see all content, but that is only a small number of people and is more effort than clicking a button.

Benefit of giving site, institution, and institution support admins (or a subset of these roles) direct access: Masquerading is not needed and thus quicker access to content for troubleshooting issues.

Concern: Without transparency measures in place, it is too easy to access personal content quickly, which can expose private, confidential information.

I would like to know what your opinion is on the topic to inform what we should consider offering in Mahara core.

Thank you

Kristina

Gordon McLeod (Posts: 199)

11 June 2025, 21:17

Hi Kristina,

I've seen privacy & security zealots take things too far where it actually renders functionality useless, but in this case I'd say an absolute adamantine hard NO.

I've no idea what the proposer has in mind other than "give me a backdoor to everyone's deepest secrets and set it so they'll never know I've looked". I can't imagine any institution signing up to that in good faith.

Convenient? Absolutely.

Ethical and Good Practice? Absolutely not.

12 June 2025, 3:28

We already have access to any account right? By using the masquerade option?

What am I overlooking here?

Kristina Hoeppner (Posts: 4949)

12 June 2025, 8:53

Hi everyone,

The query we had received came from a position of care and support and great respect for privacy and keeping student content private and secure. At the same time, they were looking for a way to more easily support learners when they have questions.

Yes, administrators already have full access to a person's account data via the masquerading option. So the 'backdoor' is already only a click away.

I would be interested to know if you have set 'Require reason for masquerading' and / or 'Notify people of masquerading' to 'Yes' in your site settings. That is a very useful option to transparently let learners know when an admin accesses their content.

Thank you

Kristina

12 June 2025, 11:57

I'm confused.

We've received the question of whether Mahara core could be extended to support that site administrators have direct access to any person's account on a Mahara site to help troubleshoot issues. Currently, this is not possible for privacy reasons. 

And

Yes, administrators already have full access to a person's account data via the masquerading option. So the 'backdoor' is already only a click away.


So the question was wrong? There's no need to extend Mahara core with functionality that's already there?


Kristina Hoeppner (Posts: 4949)

12 June 2025, 13:42

Hi Richard,

The question is whether to make it easier for administrators to view content without masquerading. For example, when a student reports an issue on one of their portfolio pages, the admin could click the link to the page directly and be taken to it without needing to impersonate the student.

If we were to simplify the access for admins, we should consider adding a step, similar to masquerading, where the student can be informed that an admin accessed their portfolio without the portfolio being shared with them, so that they could follow up with the admin if needed.

Another example that I found that involved multiple steps is when groups are involved: I need to masquerade as a group administrator to fix group settings or add another group admin etc. Whereas if I as site admin had more permissions directly, I could have changed the group settings without masquerading as the group admin.

I would still advocate for a transparent approach to inform relevant people of the actions taken as admin rather than just silently taking them to respect privacy. It would also need to be functionality that a site admin can refuse to enable.

What I want to find out is if other admins find the masquerading process cumbersome and wished there was a better (still transparent) way of helping portfolio creators troubleshoot issues.

Thank you

Kristina


Emelie Vliet (Posts: 13)

12 June 2025, 21:37

I find the masquerading option very cumbersome and think people should be aware that an admin is able to access their work. Also understand that the admin is not there to assess or look at your work but is doing its job as admin to make sure problems are fixed. You should be able to trust that the admin will handle all data with confidentiality.

12 June 2025, 22:50


Probably no surprise, but I fully agree with Emelie. As administrators, it is our responsibility to resolve (technical) issues. We do this through email systems, network troubleshooting, file sharing, and so on.

A core part of our daily work involves having access to data that others do not. This is also covered by our professional employment contracts. In fact, there are instances where we are legally obliged to act against the employer’s interests if doing so is required by law. If the highest-ranking CEO demands something that violates legal regulations, we are required to disregard that request and act in accordance with legal guidelines.

I do understand the concern, as in smaller organizations the role of system administration might fall to someone for whom it is a secondary responsibility. However, that is not the case for us. We view the admin-data relationship much like the doctor-patient relationship: it is based on trust and confidentiality. At the same time, we must be able to perform our tasks efficiently. Therefore, I would strongly advocate for admin access to data without the need for masquerading. After all, we already have full access via the database, so this is not a matter of trust but of usability—and ultimately, that benefits the user as well.

Gordon McLeod (Posts: 199)

13 June 2025, 3:48

Apologies Richard and Emelie,

I'm afraid I don't live in the perfect world that you describe where administrators will never do anything wrong. Once you create a secret backdoor in the name of making it less clunky you've fundamentally broken trust with the site users (and probably GDPR legislation). If you build that functionality other admins with less honourable intentions will use it, or a third party gaining access to the password of any support staff. To suggest otherwise would be naïve.

I'm comfortable site admins can masquerade as a user with tight restrictions on the protocol to follow and transparency to the user they are masquerading as in order to fix something and provide a responsive support service.

I'm not comfortable that anyone with an admin role (some institutions have a bank of support staff, not just a single site administrator) can login as another user without permission, look at personal information that hasn't been published (some users might draft personal blogs or diaries), then leave without the user ever being alerted that their information has been accessed (or even changed).

Perhaps a better starting point would be to look at the existing masquerade process and identify the barriers (even better, propose changes that would make it less clunky while safeguarding users). In my own institution IT admins are highly professional and understand privacy, but I'd be very reluctant to share anything personal if I knew the tech team *could* see whatever I wrote without me knowing, and I think our unions would be up in arms at the risk presented as well. Eventually somebody is going to encounter a rotten apple with admin rights who will misuse the facility; it doesn't matter how perfect your own staff are.

14 June 2025, 4:53

Hi Gordon,

I completely understand your concerns. That said, I assume your organization also uses various other platforms—such as Google Classroom, Microsoft 365, Teams, email, or other learning management systems?

In all these systems, administrators typically have full access to user data. For instance, our Office 365 admins can access all files stored in SharePoint, all emails in Outlook, all content in Teams and its channels, as well as all data within Moodle.

In comparison, Mahara seems to be an exception. To my knowledge, it is currently the only system that does not permit data access through standard admin login. Personally, I find the masquerading functionality even more concerning. When I masquerade as a user, I can see their friend requests, personal messages, and other dashboard activity—information irrelevant to administrative troubleshooting.

From a security standpoint, this raises more red flags. For example, masquerading even allows me to send messages from the user's account, which could easily lead to confusion or misuse. While such actions may be logged and technically traceable, the recipient of the message has no indication that it was sent by an admin rather than the actual user.

In my view, this places Mahara at odds with the approach taken by most other platforms.

Just my two cents :)
