Managing roles and permissions

Roles and permissions provide different levels of access to users based on their job duties.

Examples of roles include user, admin, and audit. Using roles allows you to easily define permissions for an entire group of users. Only access managers can create new roles and assign users to them. As part of role creation, access managers can also customize the navigation menu and permissions for that role.

Creating customized roles involves several processes:

  • Creating a new role
  • Managing permissions for the role to limit what users can access
  • Optionally customizing the navigation menu for the role to further limit what users can see
  • Adding users to the role

There are two ways to limit access to specific applications:

Limit access from the application

Limit access from the application by deselecting the All Roles check box on the Role Permissions > Edit Application Role Permissions screen. Next, select the individual roles that should have access to the application.

The process is the same if you find that the All Roles check box is already deselected: simply select or deselect the individual roles to grant or revoke access to the application.

When All Roles is selected for a particular application, every currently-defined role will have access to that application.

Limit access from the role

Limit access from the role by navigating to the Role Browser > Manage Permissions screen and moving individual applications from the Accessible applications list to the Inaccessible applications list.

When managing permissions or customizing the navigation menu for a new role, the defaults shown in the Accessible applications list reflect any application with the All Roles check box selected on the Role Permissions > Edit Application Role Permissions screen.

When working with roles and permissions, removing permissions for an application also changes the default permissions for new roles. That is, removing permissions for an application means that any subsequent roles you create will also lack permissions for that application. If you want a new role to have permissions for an application that no longer appears in the Accessible applications list by default, you will need to move the desired application from the Inaccessible applications list to the Accessible applications list for the new role.

It is also possible to restrict access to specific tools by hiding menu items using the Role Browser > Customize Navigation Menu tool. This approach limits access without altering the default application permissions, but it may be less secure than a permissions-based approach.

Best Practices:
  • After editing permissions for a role, review the navigation layout for that role as shown on the Role Browser > Customize Navigation Menu screen. Add or remove items from the Navigation Menu list as needed to create a layout appropriate for the role.
  • Copy and edit predefined roles to establish the desired permissions and navigation menu. This approach allows you to revert to the original role if needed.
  • Be aware that when copying existing roles, whether predefined or customized, all permissions from the existing role are copied to the new role.
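
The review recommended above, and the caveat about menu hiding being weaker than a permissions change, can be checked mechanically. The following is an added example, not part of the product or its documentation: it assumes you have recorded, for each role, the Accessible applications list and the Navigation Menu list in a simple dictionary. The data layout, application names, and function names are all hypothetical.

```python
# Constructed sample data: one entry per role, transcribed from the
# Manage Permissions and Customize Navigation Menu screens (assumed layout).
ROLES = {
    "admin": {
        "accessible": {"User Manager", "Audit Log", "Reports"},
        "menu": {"User Manager", "Audit Log", "Reports"},
    },
    "audit": {
        # "User Manager" was hidden from the menu but never moved to
        # the Inaccessible applications list.
        "accessible": {"User Manager", "Audit Log", "Reports"},
        "menu": {"Audit Log", "Reports"},
    },
    "user": {
        # Permission for "Audit Log" was removed, but the menu item remains.
        "accessible": {"Reports"},
        "menu": {"Reports", "Audit Log"},
    },
}


def audit_role(name, role):
    """Compare one role's permissions with its navigation menu."""
    accessible, menu = set(role["accessible"]), set(role["menu"])
    findings = []
    # Hidden only: the role still holds the permission.
    for app in sorted(accessible - menu):
        findings.append((name, app, "hidden-but-permitted"))
    # Stale layout: the menu shows an application the role cannot use.
    for app in sorted(menu - accessible):
        findings.append((name, app, "menu-item-without-permission"))
    return findings


def audit_all(roles):
    """Return findings for every role, ordered by role name."""
    results = []
    for name in sorted(roles):
        results.extend(audit_role(name, roles[name]))
    return results


if __name__ == "__main__":
    for role, app, issue in audit_all(ROLES):
        print(f"{role:8} {app:14} {issue}")
```

A "hidden-but-permitted" finding means access is limited only by the menu, so the application should be moved to the Inaccessible applications list if the role is not meant to use it.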