Roles
A role is a collection of permissions that control what data and applications a user or application can access and what actions they can perform. A user can have multiple roles.
A user role-type determines the scope and entitlements of the role. The user role-types are: Access, Admin, and Personal. Once a role-type is selected, it cannot be changed.
In addition, applications may have role assignments, as described in Application roles.
Access role
The Access role, in combination with an application role, provides users with access to applications. For example, in the following illustration, role 1 grants access to app A, role 2 grants access to app B, and role 3 grants access to app C.
Before defining an access role, the application must be configured. See Apps for more information.
Admin role
The Admin role provides users with access to the platform and its associated users. Access to associated users is controlled through entitlements that define the scope (users) and actions that can be performed.
A user can have one or more admin roles. The Admin role gives you:
- Access to the delegation portal and the following capabilities:
  - Settings: Manage portal customizations such as translations and styling.
  - Jobs: Manage automated processes.
  - Application management: Control the application lifecycle.
  - Role management: Control the role lifecycle.
  - Structure management: Control the structure lifecycle.
  - User management: Control the user lifecycle.
- Entitlements to manage user profiles, roles, and groups.
Personal role
The Personal role:
- Provides users with access to their self-service page and personal data.
- Governs whether a user can request access to roles defined within the platform, download their personal or event-related data, or delete their account.
- Defines whether a user can view, edit, add, or delete their attribute-related information.
- Governs whether a user can view or download event-related information.
Manage user roles
A user can access the Roles menu only if they have an Admin role that grants them permission. In addition, a user cannot manage their own role.
Add or edit a user role
- Navigate to the add or edit role window.
- Enter a code, name, and description in the fields provided. A role's code cannot be edited.
- Select the users to which the role can be assigned.
- Select the menu item that is granted to a user having the associated role. These options can be edited later.
- Select a scope-qualifier:
  - Any group - Include all users in the scope.
  - Ignore - Do not include any of the users from the structure.
  - Common (and nested) groups - Restrict the scope to users that share the same group as the user having the role associated.
  - Include only - Restrict the scope to the users belonging to the exact groups that are selected.
  - Include any group, but - Include all the groups from the selected structure except the groups that are selected.
- (Optionally) Select one or more groups belonging to the structure.
- Select the action that the role can perform on users.
- Select the roles a user with the current role can assign to the users in scope. As the roles that can be cascaded have to be already defined, it is advisable to define them before the role that will have the cascade capabilities.
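The following added example (not the platform's own code) models how the scope-qualifier, the permitted action, the cascade list, and the rule that a user cannot manage their own role combine into one authorization decision. The qualifier strings, the assign_role action name, the group tree, and the reading of "nested" as subgroups beneath the admin's own groups are assumptions made for illustration.

```python
from dataclasses import dataclass, field

# Constructed group tree for one structure: child group -> parent group.
PARENT = {"emea": "sales", "apac": "sales", "sales": None, "hr": None}

def with_nested(groups):
    """Return the given groups plus every group nested beneath them."""
    def under(g):
        while g is not None:
            if g in groups:
                return True
            g = PARENT[g]
        return False
    return {g for g in PARENT if under(g)}

@dataclass
class AdminRole:
    qualifier: str                                # hypothetical names for the five scope-qualifiers
    groups: set = field(default_factory=set)      # groups selected in the role
    actions: set = field(default_factory=set)     # actions allowed on users in scope
    assignable: set = field(default_factory=set)  # roles this role may cascade

def in_scope(role, admin_groups, target_groups):
    """Apply the role's scope-qualifier to one target user's groups."""
    q = role.qualifier
    if q == "any_group":
        return True
    if q == "ignore":
        return False
    if q == "common_and_nested":   # assumption: nested = subgroups of the admin's groups
        return bool(with_nested(admin_groups) & target_groups)
    if q == "include_only":        # exact groups only, no nesting
        return bool(role.groups & target_groups)
    if q == "include_any_but":     # assumption: one non-excluded group keeps the user in scope
        return bool(target_groups - role.groups)
    raise ValueError(f"unknown scope-qualifier: {q}")  # never default to allow

def can_assign(role, admin, target, new_role):
    """admin and target are (user_id, set_of_groups) pairs."""
    if admin[0] == target[0]:      # a user cannot manage their own role
        return False
    return ("assign_role" in role.actions
            and new_role in role.assignable
            and in_scope(role, admin[1], target[1]))
```

Running a planned role through a model like this before saving it shows which users fall into scope and which roles can be cascaded to them.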
Deactivate a user role
Deactivating a role will not affect current users and their relations with it, but will make the role unavailable for future use. If the role was used in a rule, the role will no longer apply.
Delete a user role
Deleting a role is irreversible. Deleted roles are removed from users' profiles by a job that runs periodically.
Application roles
Application roles are the capabilities users have within a specific application. For example, an insurance application might let you file a report if you have damaged your property. In this example, application roles might include:
- Applicant: a user who uses the application to read/write/delete content.
- Assessor: a user who uses the application to assess the applicant's changes.
- Admin: a user who administers the application.
Application roles are configured within the third-party application and vary by company or application. You can import your organization's application roles as-is and link third-party applications based on the SAML, OAuth, or OpenID protocols.