Index: lams_central/conf/xdoclet/web-security.xml
===================================================================
RCS file: /usr/local/cvsroot/lams_central/conf/xdoclet/web-security.xml,v
diff -u -r1.30 -r1.31
--- lams_central/conf/xdoclet/web-security.xml 22 Sep 2016 11:22:33 -0000 1.30
+++ lams_central/conf/xdoclet/web-security.xml 30 Sep 2016 15:25:44 -0000 1.31
@@ -61,8 +61,6 @@
 AUTHOR - - MONITOR SYSADMIN
Index: lams_monitoring/src/java/org/lamsfoundation/lams/monitoring/web/MonitoringAction.java
===================================================================
RCS file: /usr/local/cvsroot/lams_monitoring/src/java/org/lamsfoundation/lams/monitoring/web/MonitoringAction.java,v
diff -u -r1.159 -r1.160
--- lams_monitoring/src/java/org/lamsfoundation/lams/monitoring/web/MonitoringAction.java 15 Sep 2016 09:01:25 -0000 1.159
+++ lams_monitoring/src/java/org/lamsfoundation/lams/monitoring/web/MonitoringAction.java 30 Sep 2016 15:22:25 -0000 1.160
@@ -25,6 +25,7 @@
 import java.io.IOException;
 import java.io.PrintWriter;
+import java.security.InvalidParameterException;
 import java.text.DateFormat;
 import java.text.ParseException;
 import java.text.SimpleDateFormat;
@@ -1049,7 +1050,9 @@
 Organisation organisation = (Organisation) userManagementService.findById(Organisation.class, lessonDTO.getOrganisationID());
 request.setAttribute("notificationsAvailable", organisation.getEnableCourseNotifications());
- request.setAttribute("enableLiveEdit", organisation.getEnableLiveEdit());
+ boolean enableLiveEdit = organisation.getEnableLiveEdit() && getUserManagementService()
+ .isUserInRole(user.getUserID(), organisation.getOrganisationId(), Role.AUTHOR);
+ request.setAttribute("enableLiveEdit", enableLiveEdit);
 request.setAttribute("enableExportPortfolio", organisation.getEnableExportPortfolio());
 request.setAttribute("lesson", lessonDTO);
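Review bot: The new `enableLiveEdit` line reaches the user-management service through `getUserManagementService()` while the context line two lines above uses the `userManagementService` field directly for `findById`; pick one access path within the method so a reader does not wonder whether the two resolve to different instances. The flag computed here only drives what the monitor page shows — the server-side role check that actually protects the operation is the `hasOrgRole(...)` guard added to `startLiveEdit` in the later hunk, so the two should be kept in step (both currently require `Role.AUTHOR` in the lesson's organisation). `user` is not defined inside this hunk, so its origin and nullability cannot be confirmed here; the enclosing method starts and ends outside the hunk.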
@@ -1459,7 +1462,21 @@
 public ActionForward startLiveEdit(ActionMapping mapping, ActionForm form, HttpServletRequest request, HttpServletResponse response) throws LearningDesignException, UserException, IOException {
 long learningDesignId = WebUtil.readLongParam(request, CentralConstants.PARAM_LEARNING_DESIGN_ID);
+
+ LearningDesign learningDesign = (LearningDesign) getUserManagementService().findById(LearningDesign.class,
+ learningDesignId);
+ if (learningDesign.getLessons().isEmpty()) {
+ throw new InvalidParameterException(
+ "There are no lessons associated with learning design: " + learningDesignId);
+ }
+ Integer organisationID = ((Lesson) learningDesign.getLessons().iterator().next()).getOrganisation()
+ .getOrganisationId();
 Integer userID = getUserId();
+ if (!getSecurityService().hasOrgRole(organisationID, userID, new String[] { Role.AUTHOR }, "start live edit",
+ false)) {
+ response.sendError(HttpServletResponse.SC_FORBIDDEN, "User is not an author in the organisation");
+ return null;
+ }
 IAuthoringService authoringService = MonitoringServiceProxy
 .getAuthoringService(getServlet().getServletContext());
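Review bot: `learningDesign` is dereferenced on the `isEmpty()` line without a null check, so a request carrying an unknown learning-design id produces a NullPointerException before the new `hasOrgRole` guard is ever reached; the lookup failure should be rejected explicitly, e.g. `if (learningDesign == null || learningDesign.getLessons().isEmpty()) {`. `java.security.InvalidParameterException` is a JCA exception type, and using it here for plain argument validation (the import added in the `@@ -25,6` hunk exists only for this) is misleading — `IllegalArgumentException` is the conventional choice, or a `sendError` with a 4xx status like the one the authorization branch already uses. The organisation used for the role check is taken from whichever lesson `iterator().next()` happens to return; if a learning design can have lessons in more than one organisation (not verifiable from this hunk), the check would only cover one of them and that should be confirmed or documented. `startLiveEdit` continues past the end of the hunk.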