Access privileges are the finest level of access control and restriction that you can place on a user. The privileges for each user can be assigned individually or inherited from a role.
Some privileges are automatically derived for example any user with a subject class in the current period will automatically have the SUBJECT TEACHER access privilege.
Privileges are either access grantors, access restrictions or override descriptors.
Access grantors allow users to access otherwise restricted system features. For example while everyone has the VIEW privilege on students only users with the FORM TEACHER or STUDENT EDITOR privilege can edit student information.
Access restrictions prevent users from accessing otherwise permitted system features. For example any one assigned as a subject supervisor can also ASSIGN non-composite classes. The user can be prevented from be able to do so by specifying the CANNOT ASSIGN TEACHER access restriction.
Override descriptors allow the user to bypass a system restriction. For example when a form is locked against editing a subject teacher cannot enter grades, to override this behaviour the OVERRIDE GRADE LOCK can be specified for a user.
Overrides are intended to be temporary and there is an option to set an expiry date and time. For example the system generally prevents edit records for periods which have passed. IF a single grade needs to be corrected then the override should be specified for that teacher only and should expire shortly after it is expected to be done.
Overrides may be permanently set in the user access settings but this is ill-advised.