Compliance Risk: Bulk Update Permissions Can Bypass Assessment Deletion Controls

Completed
Follow
Pip Austin

I’ve recently identified a significant gap in aXcelerate’s permission settings that poses a serious compliance risk for RTOs.

Currently, if a staff member has permission to bulk update assessments, they are also able to delete assessments, even when they do not have explicit permission to delete assessments in the system. This effectively bypasses intended access controls.

The recommended workaround is to remove bulk update permissions entirely. However, this creates a major operational issue, as it also removes the ability for staff to:

  • Bulk enrol students

  • Bulk update dates, trainers, attempts, and other legitimate assessment details

Deleting assessments is irreversible — once deleted, assessments cannot be recovered. From a compliance and audit perspective, this is a high-risk action that should be tightly controlled and explicitly permissioned.

I strongly suggest that aXcelerate:

  • Introduce a clear, standalone permission specifically for deleting assessments

  • Ensure bulk update permissions cannot be used to bypass deletion controls

  • Simplify and clarify permission settings so RTOs can confidently manage access and reduce compliance risk

This is a critical issue that affects data integrity, auditability, and compliance, and I believe it should be addressed as a priority.

1

Comments

2 comments

Sort by Date Votes
  • Official comment
    Julian Tetsworth

    Hey Pip, thanks for bringing this to our attention. We completely understand your concern with the way the current permission scheme works with the delete action on the bulk update assessments screen and the compliance implications. We will work on updating this page to ensure the delete option is only available to those with the Delete Assessment Submissions permission and keep you updated of the status here. Thanks again.

     

     

    Comment actions Permalink
  • Julian Tetsworth

    Hey Pip, we've made a permission adjustment to the Bulk Update Assessment Details screen so you now need the Assessment Submissions - Delete permission to be able to select the delete action. This will be in the next release on the 4th of Feb. Check out the release notes for more information on our upcoming changes.

    0
    Comment actions Permalink

Please sign in to leave a comment.

Didn't find what you were looking for?

New post