Auditors differentiate between around-the-system and through-the-system auditing. Around-the-system treats software as a black box. Auditors test inputs and outputs, but don't look inside the code. Through-the-system means that the software is open to internal inspection. For example, auditors can find the source code that implements privacy policies, and inspect it for themselves.
Drupal is general-purpose. It can be used for thousands of different tasks. Generality is achieved by abstraction. So, not only is the code complex, the relationship between code and data is difficult to understand without special training. Even finding the code that controls access to a field can be challenging.
What does this mean? Through-the-system auditing is not practical for auditors without training in Drupal development.
Skilling is not general purpose. It helps build and run skills courses. That's all it does.
Skilling's security code is not general. It is centralized, and specific to Skilling's architecture. Here is a code fragment controlling access to the notes field of lessons:
  protected function isLessonFieldAccess($operation, $fieldName) {
    // Deny access by default.
    $allow = FALSE;
    ...
    if ($operation === SkillingConstants::VIEW_OPERATION) {
      switch ($fieldName) {
        // Viewing a lesson.
        ...
        case SkillingConstants::FIELD_NOTES:
          // Admins, authors, reviewers, instructors, and graders
          // can see notes of lessons.
          $allow = $admin || $author || $reviewer || $instructor || $grader;
          break;
Even if you can't program, you should be able to follow the code to some extent. Hint: || means "or."
This is not elegant code. It is, however, easy to understand, and easy to test. Auditors can run the code themselves. They can add breakpoints where they want, and see exactly how privacy policies are implemented.
Bottom line: Skilling privacy (and security) code is open to both around-the-system and through-the-system auditing.
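As an added illustration (not Skilling's own code), this is how an auditor could check the notes-field rule shown above against the written policy for every combination of roles. The function names, the role strings, the `student` role and the deliberately leaky rule are assumptions made for the example; the stand-in rule only mirrors the shape of the fragment on this page.

```php
<?php
// Added audit sketch, not Skilling's code. All names here are hypothetical.
const ROLES = ['admin', 'author', 'reviewer', 'instructor', 'grader', 'student'];
// Written policy from the page: roles allowed to view lesson notes.
const NOTES_VIEWERS = ['admin', 'author', 'reviewer', 'instructor', 'grader'];

// Stand-in for the rule under audit, shaped like the page's fragment.
function canViewLessonNotes(array $roles): bool {
  // Deny access by default.
  $allow = FALSE;
  $admin = in_array('admin', $roles, TRUE);
  $author = in_array('author', $roles, TRUE);
  $reviewer = in_array('reviewer', $roles, TRUE);
  $instructor = in_array('instructor', $roles, TRUE);
  $grader = in_array('grader', $roles, TRUE);
  $allow = $admin || $author || $reviewer || $instructor || $grader;
  return $allow;
}

// Constructed regression: anyone holding any role may view notes.
function leakyRule(array $roles): bool {
  return count($roles) > 0;
}

// Runs a rule over every subset of ROLES and returns the role sets where the
// rule's answer differs from the written policy.
function auditNotesAccess(callable $rule): array {
  $mismatches = [];
  for ($mask = 0; $mask < (1 << count(ROLES)); $mask++) {
    $held = [];
    foreach (ROLES as $i => $role) {
      if ($mask & (1 << $i)) {
        $held[] = $role;
      }
    }
    $expected = count(array_intersect($held, NOTES_VIEWERS)) > 0;
    if ($rule($held) !== $expected) {
      $mismatches[] = implode('+', $held);
    }
  }
  return $mismatches;
}

foreach (['canViewLessonNotes', 'leakyRule'] as $rule) {
  $bad = auditNotesAccess($rule);
  echo $rule, ': ', count($bad), ' mismatch(es) ', implode(', ', $bad), "\n";
}
```

Each mismatch names a role set for which the code and the policy disagree, which gives the auditor a concrete case to step through with a breakpoint.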
The downside of this approach is loss of flexibility. Administrators can't expose any data they want, without having the source code changed.
There are exceptions to this policy. Skilling allows data customization that could help courses be more effective, or better suit an institution's administrative preferences. For example, an administrator could add a field showing whether a student has a disability. Authors could test that field in lessons, perhaps showing extra content to those students. This would require no programming. In general, however, Skilling's privacy rules are hard-coded.
That isn't to say there is no flexibility. If the community has use cases needing different policies, that is open to discussion. As long as new policies are justified, implemented well, and documented well, they can be adopted.