Roles, Permissions & Access Control

Admin Hierarchies & Span of Control

Acorn PLMS enables you to build multi-level administrative structures that reflect your organisation's hierarchy while maintaining appropriate access controls and visibility boundaries. This approach allows you to delegate administrative responsibilities without granting full system access, ensuring that each admin role operates only within their defined scope of control.

Understanding Span of Control in Acorn

Span of control defines the reach and authority of an administrator within your system. Your organisation can implement administrator permissions with span of control to create layered governance structures. This means different administrators can manage different segments of your user base, content, or reporting functions, each with visibility restricted to their assigned scope.

By implementing structured span of control, you reduce administrative bottlenecks, enable faster decision-making at local levels, and maintain oversight across your entire learning ecosystem.

Multi-Level Admin Structures

Acorn PLMS supports several administrative levels that work together to provide comprehensive coverage:

Tenancy-Level Administration

Each tenancy in your Acorn instance can have its own Tenancy Administrator role. This role enables restricted administrative control scoped only to that specific tenancy. If your organisation operates multiple distinct business units, regions, or subsidiaries as separate tenancies, each can have a dedicated administrator managing their own environment independently.

Delegated Administration Roles

Beyond the primary system administrator, you can assign specific administrative tasks to designated users without granting them full system access. This delegated administration approach reduces risk and allows you to distribute workload efficiently:

Content Creator: Users with this role develop, manage, and publish learning materials. They focus on content curation and course creation without access to user management or reporting functions.

Reporting Officer: These administrators generate, analyse, and share reports with relevant stakeholders. You can assign restricted admin access for reporting officers, allowing them to work with reporting data while maintaining visibility boundaries. They can schedule reports for automated delivery and email results to other stakeholders.

User Manager: This role oversees user-related tasks such as account creation, profile updates, and user group assignments, without requiring full administrative privileges.

Supervisor: Supervisors monitor progress and performance of their team members. Their visibility is restricted to their assigned employees, preventing them from accessing information about other departments or teams.

Cohort-Level and Partner-Level Admin Access

Acorn PLMS provides specialised roles that allow administrators to manage specific segments of your user population:

Cohort Manager

The Cohort Manager role is particularly valuable when you need administrators to manage employees outside their direct span of control. While managers typically enroll and notify only their direct reports about relevant courses, a Cohort Manager can enroll employees within specific cohorts in learning activities. This role enables you to segment learning initiatives by department, location, skill level, or any other organisational grouping without requiring direct reporting relationships.

Cohort Managers operate with clear visibility boundaries—they can only see and manage users within their assigned cohorts, ensuring that sensitive employee data remains protected.

Manager Span of Control

Managers in Acorn have clear authority over their direct reports. They can: - Enroll direct reports in courses - Notify team members about learning opportunities - Suggest courses aligned with individual development needs - Link employees to resources that support their learning goals

This manager-level access complements your organisational hierarchy and promotes accountability at the team level.

Permission Management and Access Boundaries

Acorn's permission management system works seamlessly with your admin hierarchy. Within Live Learning events, you can segment sessions and activities to be restricted to various cohorts. This segmentation automatically enforces admin visibility rules—administrators only see information and access controls relevant to their assigned cohorts.

For example, if you segment a live learning event into different sessions for different departments, Cohort Managers assigned to those departments will only view and manage their respective sessions. Supervisors will only see progress data for their direct reports.

Reporting with Scoped Visibility

Your administrative hierarchy directly influences reporting capabilities. Acorn provides 20+ out-of-the-box reports with extensive filtering options including course, user group, location, department, and timeframe. You can:

Assign specific reporting officers to generate insights for their scope
Create customizable visual charts (column, area, pivot, legends) that display only data within their visibility boundaries
Schedule automated report delivery to relevant stakeholders
Export reports for further analysis

This ensures that reporting officers and other admins see only the data relevant to their role and responsibility area.

Implementing Your Admin Hierarchy

When designing your administrative structure, consider your organisational size, geographic distribution, and functional divisions. A typical implementation might include:

Primary Administrator: Full system access, responsible for overall governance
Tenancy Administrators: One per tenancy, if applicable
Functional Specialists: Content Creators, Reporting Officers, User Managers
Operational Leaders: Cohort Managers for departments or regions, Supervisors for teams

This layered approach distributes responsibility while maintaining clear oversight and preventing unauthorised access to sensitive areas.

Best Practices

Regularly review your admin role assignments to ensure they align with current organisational structure and individual responsibilities. Remove access promptly when roles change. Use delegated roles whenever possible rather than granting full administrative access. Document your span of control model so all stakeholders understand visibility boundaries and escalation paths.

Delegated & Temporary Access Delegated & Temporary Access

Delegating administrative tasks and granting temporary access are essential capabilities in Acorn PLMS, allowing your organisation to maintain operational flexibility while preserving security and data protection. This article explains how to effectively delegate tasks, manage time-limited access, and use impersonation features for troubleshooting.

Overview of Access Delegation

Your organisation can delegate specific administrative functions to team members without granting permanent elevated permissions. Delegated access allows you to distribute workload, support project-based initiatives, and ensure continuity when primary administrators are unavailable.

Acorn PLMS supports various security roles tailored to different administrative and operational needs. Before delegating access, you should understand your organisation's role structure and the specific permissions associated with each role.

How Delegated Access Works

When you delegate administrative tasks to another user, you are granting them temporary authority to perform specific actions within the system. Delegated access can be assigned for defined periods or until explicitly revoked. This approach ensures that:

Your organisation maintains the principle of least privilege—users receive only the permissions they need for their assigned tasks
Administrative responsibilities remain traceable and auditable
Access can be quickly removed when tasks are complete or roles change
Multiple administrators can share responsibilities without creating permanent structural changes

Delegating Specific Admin Tasks

To delegate specific administrative tasks:

Identify the task or responsibility you wish to delegate. Examples include user account provisioning, system configuration updates, or data access approvals.
Determine the appropriate security role that grants the minimum permissions needed to complete the task. Acorn PLMS provides role definitions that align with common administrative functions.
Assign the role to the user through your access control settings. Document the delegation, including the task scope, start date, and expected end date.
Communicate with the delegated user about their new responsibilities, limitations, and any approval workflows they must follow.

Delegated administrators operate within the same security framework as permanent admin users, including password requirements and access monitoring.

Temporary and Project-Based Access

Temporary access grants are ideal for project-based work, contractor engagement, or seasonal staffing needs. Temporary access differs from permanent role assignment in that it has a defined expiration date.

Setting Up Temporary Access

Define the access duration. Specify when temporary access begins and when it automatically expires. This prevents orphaned accounts and ensures access is only active when needed.

Assign minimal required permissions. Grant only the permissions necessary for the project or task. Avoid over-provisioning access even for temporary periods.

Document the justification. Record why temporary access is being granted, which teams or projects depend on it, and who approved the delegation. This documentation supports compliance and audit activities.

Set reminders for access review. Before the expiration date, review whether the access should be extended, modified, or removed.

Access Removal

Temporary access should be revoked on the scheduled expiration date. Your organisation should establish a process to:

Monitor access expiration dates
Notify system administrators before access expires
Revoke access promptly when the end date arrives
Archive access logs for compliance documentation

User Impersonation for Troubleshooting

User impersonation allows authorised administrators to temporarily assume another user's identity within Acorn PLMS for diagnostic and troubleshooting purposes. Impersonation is a controlled feature that enables support and system administration teams to investigate user-reported issues.

When to Use Impersonation

Impersonation is appropriate when:

A user reports a technical issue that is difficult to reproduce or diagnose from log files alone
You need to verify that a user's permissions are correctly configured
You must test workflow or data access scenarios within a user's security context
You need to investigate permission-related errors

Impersonation Security Controls

Acorn PLMS enforces strict controls around user impersonation to protect your organisation:

Only authorised administrators can impersonate users. Impersonation is restricted to users with designated administrative roles.

All impersonation activity is logged and monitored. Every instance of impersonation is recorded, including who performed it, which user was impersonated, when it occurred, and what actions were taken. These logs are retained for audit and compliance purposes.

Impersonation sessions are time-limited. Administrator impersonation does not provide permanent access; sessions are temporary and expire after a defined period.

Acorn Support never accesses your systems remotely. To be clear: Acorn Support does not remotely access customer machines via WebEx, Remote Desktop Support, Remote Control Options, GoToMyPC, or similar tools. Troubleshooting and support activities do not involve remote control of your infrastructure.

Access Review and Ongoing Management

Your organisation's access controls are only effective when actively maintained. Acorn PLMS supports ongoing access management through regular review and monitoring:

Quarterly access reviews. Acorn PLMS conducts and supports system access review and recertification at least quarterly. During these reviews, you should verify that all delegated and temporary access is still appropriate and that no orphaned access remains in the system.

Continuous monitoring. Acorn employs AWS GuardDuty, AWS CloudTrail, Datadog, and UpGuard monitoring to detect unusual access patterns, security risks, and potential misuse. System owners review these reports regularly to identify threats and control gaps.

Automated reminders. Governance, Risk, and Compliance (GRC) software tracks access assignments and sends reminders when reviews are due or when temporary access is approaching expiration.

Best Practices for Delegated Access

Keep delegation periods as short as practical. Temporary access should have defined end dates; permanent delegations should be reviewed annually.
Document all delegations. Maintain clear records of who delegated access to whom, for what purpose, and for how long.
Revoke access promptly. Do not leave access in place after the delegation period ends or when the delegated user leaves the organisation.
Use role-based access control. Assign roles that match job functions rather than granting individual permissions.
Test access before delegating. Verify that the delegated role provides exactly the permissions needed—no more, no less.
Communicate role expectations. Ensure delegated users understand what they can and cannot do, and remind them of security and compliance obligations.

Related Security Features

Delegated access works in concert with other Acorn PLMS security capabilities:

Password protection. All system access requires authentication via password.
Data encryption. Your data is encrypted at rest using AWS Key Management Service (KMS) and in transit using Transport Layer Security (TLS), regardless of who accesses it.
Access control enforcement. Access controls ensure that only authorised services and users can read or write to data partitions.

Troubleshooting Delegated Access Issues

If delegated access is not working as expected, verify that:

The delegated user's account is active and not locked
The correct role has been assigned to the user
The delegation has not expired
The delegated user's permissions align with the role definition
Network and firewall rules permit the user's access

Contact your system administrator or Acorn Support if access issues persist.

Manager & Instructor Permissions Manager & Instructor Permissions

Acorn PLMS provides role-based permissions that empower managers and instructors to support learner development effectively. By understanding what capabilities are available to each role, you can configure your organization's permissions structure to align with your training delivery model and governance requirements.

Manager Capabilities

Approval and Assignment Management

Managers have the authority to review and approve training assignments within your organization. You can use the Facilitator role to manage these approvals, enabling managers to maintain oversight of learner progress and ensure training compliance.

Managers can also modify prerequisite requirements for learners on an individual basis. If a learner needs a waived status or if a prerequisite is marked as not applicable, managers with the appropriate permissions can bypass prerequisites and mark them as complete. This flexibility allows you to adapt learning paths to individual circumstances without requiring administrative intervention.

Learner Support and Engagement Tools

Acorn provides managers with a comprehensive suite of tools to support learners both before and after training delivery:

Pre- and Post-Training Notifications You can trigger multiple notification types to keep learners informed and engaged: - Email notifications - External calendar attachments - SMS messages - In-platform notifications

These channels ensure your learners receive timely reminders and updates regardless of their preferred communication method.

Follow-Up Activities and Coaching Beyond notifications, you can create structured follow-up activities that reinforce training outcomes: - Feedback forms to gather learner insights - Internal discussion forums for peer collaboration and knowledge sharing - Observation checklists to monitor on-the-job application

These tools enable you to guide performance improvement after formal training concludes, helping learners apply new skills in their roles.

Feedback and Coaching with Momentum

Using Acorn's Momentum builder, managers can build custom feedback forms and send feedback requests to selected users. This capability allows you to: - Design feedback forms tailored to specific training outcomes - Distribute requests to targeted individuals or groups - Collect structured responses to measure training effectiveness - Provide personalized coaching based on learner needs

This feature is particularly valuable for reinforcing behavioral change and supporting continuous learning after formal training concludes.

On-the-Job Training Management

Managers can update and mark on-the-job training (OJT) as complete when they hold the appropriate Facilitator role on a course. This capability allows you to: - Track learner progress in real-world job settings - Document completion of informal or experiential learning activities - Maintain accurate training records across both formal and informal learning modalities

Instructor Capabilities

Content Management and Upload

Instructors can upload training content directly into Acorn PLMS when assigned the Facilitator role. This permission enables your instructors to: - Add course materials, documents, and resources - Update content as needed to reflect current practices - Maintain course libraries without administrative overhead

Attendance and Roster Management

Instructors have the ability to manage course rosters and track attendance. You can assign the Facilitator role to instructors to: - Mark learners as attended or completed for instructor-led training (ILT) - Maintain accurate attendance records for compliance and reporting - Manage roster changes as needed

This capability is essential for tracking participation in live training events and maintaining detailed learning records.

Real-Time Assessment and Feedback

During active class sessions, instructors can push surveys and assessments to learners immediately. Instructors can access feedback forms and quizzes at any point during a course to: - Gauge real-time learner comprehension - Adjust instruction based on immediate feedback - Document learning outcomes as training occurs - Support formative assessment during the learning experience

Configuring Permissions

To enable these capabilities in your organization:

Assign Appropriate Roles: Use the Facilitator role to grant managers and instructors the permissions they need. This role provides access to approval, content management, and tracking functions.
Define Your Delivery Model: Consider whether you use instructor-led training, on-the-job training, or blended approaches. Align permissions with your training delivery structure.
Leverage Momentum for Enhanced Feedback: When you need advanced feedback collection and coaching capabilities, enable Momentum for manager access to custom feedback form building.
Document Your Permission Structure: Create clear documentation of which roles have which capabilities so all stakeholders understand their responsibilities and access levels.

Best Practices

Principle of Least Privilege: Grant only the permissions necessary for each role to perform their responsibilities.
Regular Review: Audit permission assignments periodically to ensure they remain appropriate as your organization evolves.
Clear Communication: Inform managers and instructors of the specific capabilities available to their role so they can use them effectively.
Leverage Support Tools: Use the full suite of manager tools—notifications, feedback forms, discussion forums, and observation checklists—to create a comprehensive support ecosystem for learners.

By carefully configuring manager and instructor permissions, you create a structured yet flexible learning environment that supports both formal training delivery and ongoing performance development.

Predefined & Custom Roles Predefined & Custom Roles

Managing user access effectively is critical to maintaining security and usability across your learning platform. Acorn PLMS supports a comprehensive role-based access control system that balances flexibility with simplicity, enabling you to define exactly what users can view and manage within the system.

Predefined Role Types

Acorn provides 10 predefined role types designed to address the core access requirements of most organizations. These roles establish a clear hierarchy of permissions and responsibilities, allowing you to assign users according to their organizational function.

The main predefined roles include:

Admin: Full system access with authority over configuration, user management, content, and reporting
Manager: Administrative capabilities focused on team or departmental oversight
Instructor: Permission to create, deliver, and manage learning content and assessments
Learner: Access limited to assigned courses, learning paths, and personal progress tracking
Tenancy Manager: Administrative role for managing organizational settings and configurations
Facilitator: Authority to guide learners, manage discussions, and track engagement
Supervisor: Oversight capabilities for monitoring learner progress and compliance within assigned audiences
Cohort Manager: Specialized access for managing cohort-specific learner groups and progress

These predefined roles can be combined to create effective permission models that meet most organizational needs. Each role carries specific permissions that determine what users can view, create, edit, and manage within Acorn PLMS.

Understanding Role-Based Access Control

Acorn's role-based access control system ensures that users only access information relevant to their responsibilities. This precision-based approach enhances both security and usability across your learning environment. When you assign a role to a user, you're defining their operational scope—what they can accomplish, what they can see, and what remains restricted.

Administrative Hierarchy and Partner Access

Acorn supports multiple administrative roles that can be provisioned for partner access, enabling you to extend platform capabilities beyond your internal team. This administrative hierarchy includes specialized roles for:

Content creation and library management
User and account management
Cohort management and learner grouping
Reporting and analytics oversight

Supervisor Dashboard Access

Cohort managers and supervisors can be assigned access to the Supervisor Dashboard, which provides visibility into learner completion data, compliance status, and user-level insights for their assigned audiences. This capability allows partners and departmental leaders to monitor progress and outcomes without granting full system administration access, maintaining security while enabling necessary oversight.

Custom Role Creation

While Acorn's 10 predefined roles cover most organizational requirements, your organization may have unique permission models that fall outside standard configurations. In these cases, Acorn supports custom role creation through configuration engagement services.

If you require:

Specialized permission combinations not available in predefined roles
Role-specific capabilities aligned with non-standard organizational structures
Granular access controls for unique business processes

You can work with Acorn's configuration team to design and scope custom roles that precisely match your requirements. This ensures your organization's access control model remains secure and aligned with your operational workflows.

Managing Roles and Permissions

As an administrator, you have the ability to assign and manage user roles with precision. The role management process involves:

Role Assignment: Select appropriate predefined roles or custom-configured roles for individual users or groups
Permission Enforcement: The system automatically enforces the access controls associated with each role
Oversight: Monitor role assignments and adjust as organizational needs evolve
Capability Alignment: Ensure assigned roles match each user's responsibilities and learning objectives

Acorn allows you to designate an admin hierarchy, enabling delegation of administrative tasks across your organization. This hierarchical approach means you can distribute administrative responsibilities while maintaining centralized security controls.

Role-Specific Capabilities

Different roles enable different management and oversight functions:

Administrators can assess learners by tracking progress, reviewing assessment results, and generating detailed performance reports. They manage the library by organizing and uploading resources such as videos and documents, while setting access permissions and keeping content updated. Administrators also oversee system configuration, manage user roles, monitor system performance, ensure data security, and handle integrations.

Instructors and Facilitators can create and manage learning content, deliver courses, monitor learner engagement, and provide feedback on assessments and assignments.

Managers and Supervisors can track learner progress within their assigned audiences, access compliance and performance data, generate reports for their teams or cohorts, and intervene when learners need support.

Learners can access assigned courses and learning paths, complete lessons and assessments, view their progress, and access resources relevant to their development.

Custom Capability Frameworks

Beyond role-based access control, Acorn allows you to create custom capability libraries that enable your organization to define role-specific skill sets aligned with your strategic goals and development needs. This capability framework approach complements your role structure by clarifying the competencies and knowledge areas associated with each role.

Integration with Reporting and Dashboards

Your role determines not only what you can manage operationally but also what reporting and dashboard access you receive. Acorn provides customizable dashboards and reports that can be tailored by role, location, cohort, or business unit. This means:

Administrators access comprehensive system-wide reports and custom dashboards
Managers and Supervisors view filtered reports and dashboards specific to their assigned teams or locations
Learners access personal progress dashboards and performance summaries

Reporting tools support filtering by user attributes such as location, role, organization, cohorts, and teams, giving each role-holder visibility over the data relevant to their responsibilities.

Best Practices for Role Assignment

When assigning roles in Acorn PLMS:

Start with predefined roles to ensure you're leveraging proven permission structures
Review role requirements regularly as your organization evolves
Use the principle of least privilege—assign only the access necessary for each user's responsibilities
Leverage role combinations to address complex permission requirements before considering custom roles
Document your role assignments to maintain security auditing and compliance

For a comprehensive list of admin roles and their specific permissions, including detailed capability breakdowns, consult the system documentation or contact your Acorn configuration specialist.

Getting Help

Your organization's role configuration should align with your operational structure, security requirements, and learning objectives. If you need assistance reviewing your role structure, creating custom roles, or optimizing your permission model, reach out to your Acorn support team or configuration specialist.

Role-Based Views & Content Visibility Understanding Role-Based Access Control in Acorn PLMS

Acorn PLMS implements comprehensive role-based access control (RBAC) to ensure that users only see and interact with content, dashboards, and data relevant to their position and responsibilities. This capability is fundamental to maintaining security, compliance, and operational efficiency across your organisation.

Role-based access control allows you to assign permissions based on defined user roles, ensuring that each user group has appropriate visibility into courses, reports, and performance data without exposing sensitive information or irrelevant content.

Core User Roles and Their Capabilities

Administrator Role

Administrators have comprehensive access to manage the entire system. With administrative privileges, you can:

Manage all users and assign roles
Configure system settings and platform parameters
Create, edit, and publish courses
Oversee cohorts and user groupings
Generate comprehensive reports across the entire organisation
Integrate third-party tools and manage system integrations
Audit user activities and access logs

Tenancy Manager Role

Tenancy Managers operate at a departmental or organisational unit level with scoped permissions. Your responsibilities and access include:

Managing users within your assigned tenancy or domain
Overseeing content creation and deployment
Monitoring learner progress and performance
Generating reports specific to your tenancy
Configuring workflows and approval processes
Supporting compliance and audit requirements within your scope

Manager/Supervisor Role

Managers receive a customized supervisor dashboard upon login that displays a filtered view of their direct reports' participation and progress. You can:

View a list of team members assigned to your supervision
Review each team member's training history and completion status
Access competency assessments and performance evaluations
Monitor time spent within courses and learning milestones
Generate in-depth, role-specific reports for performance analysis
Customize the manager view to display only direct reports using cohorts

Learner Role

Learners have restricted access focused on their learning journey. Your access includes:

Viewing assigned courses and learning paths
Accessing course content and completing training modules
Tracking personal progress and achievement milestones
Downloading certificates upon completion
Accessing resources relevant to your role and assignments

Using Cohorts for Content Visibility Control

Cohorts are a powerful feature that extends role-based access control by grouping users at the Department, Team, Role, or custom organisational level. Using cohorts, you can:

Targeting Training to Specific User Groups

Cohorts allow you to tailor the training experience and ensure that only those who should be taking specific training can see the material. For example, you can create separate cohorts for salaried and hourly employees, then assign different course versions or content restrictions to each group, even within the same course.

Restricting Content Access Within Courses

Within a single course, different cohorts can be granted varying levels of access. This is particularly useful when you need to enrol multiple workforce segments but restrict access to certain materials. For instance, hourly employees can be restricted from viewing content that is required for salaried employees, while both groups complete the same course.

Segregating Library Catalogues

The system allows catalogue segregation through cohort assignment. By assigning users to specific cohorts based on domain hierarchy, you can restrict which users see particular items in the learning catalogue. This streamlines visibility and improves the user experience by showing learners only relevant content.

Customizing Manager Views

Cohorts enable you to limit manager dashboards to display only direct reports. This ensures managers see appropriate employee data while maintaining data security and reducing information overload.

Decentralised Administration Model

Acorn PLMS supports a decentralised administration model that provides flexibility in how you manage roles and permissions across your organisation:

Department-level Super Users: Delegate administrative responsibilities to department heads or team leads who can manage users and content within their domain
Hierarchical Permissions: Establish permission structures that respect your organisational hierarchy
Delegated Administration: Distribute administrative tasks while maintaining security and control
Custom Permission Sets: Define tailored roles and permissions beyond standard role definitions to match your specific operational requirements

This approach allows large organisations to scale platform governance securely without centralizing all administrative burden.

Dynamic Content Visibility Based on Prerequisites

Acorn PLMS supports dynamic content visibility that adjusts based on user progress. Content visibility can be automatically controlled through course prerequisites, ensuring users can access materials only after meeting required progress criteria. This maintains learning path integrity and ensures learners progress through content in a logical sequence.

Self-Serve Enrollment Options

You can configure flexible self-serve enrollment options that complement your role-based visibility strategy:

Make specific courses available for self-enrollment while keeping others restricted to assigned access
Tailor access based on audience, program requirements, or internal approval processes
Ensure the right learners access the right content at the right time through a combination of assigned and self-serve options

Reporting and Data Access

Role-based access control extends to reporting and data visibility. Acorn offers 20+ prebuilt reports with filters, scheduling, and role-based access controls, including compliance reports. Reporting access is role-dependent:

Administrators access organisation-wide reports and analytics
Tenancy Managers view reports specific to their domain
Managers access team-specific performance reports with customisable detail levels
Learners access personal progress reports and certificates

This ensures sensitive performance data remains visible only to appropriate roles while maintaining audit trails for compliance.

Implementing Role-Based Views in Your Organisation

When establishing role-based views and content visibility in Acorn PLMS:

Map your organisational roles to Acorn role definitions or create custom roles
Identify data and content that should be restricted by role
Design cohorts that align with your user grouping strategy (by department, location, employment type, etc.)
Assign users to appropriate roles and cohorts
Configure course and content visibility rules for each cohort
Test access from different user accounts to verify visibility controls
Monitor access logs and audit reports to ensure compliance
Review and adjust permissions periodically as roles and responsibilities change

Role-based views and content visibility ensure your learning management system operates securely and efficiently, with each user accessing only information and content relevant to their role and responsibilities.