Managing roles and access restrictions

You can use roles to apply sets of restrictions to users according to their group memberships. This structure enables users to interact with the system at their level of authority but restricts them from interactions that fall outside of their authority. Users can belong to more than one group. 

Roles are associated with LDAP and Microsoft Active Directory (MSAD) groups. You apply roles to a group, whose users are then subject to the roles. When creating roles, remember that they are "positively additive." That is, if a user is associated with one role that has the authority to perform an interaction but also is associated with another role that prohibits the interaction, the role granting the authority takes precedence over the role prohibiting the authority.

You can also assign optional roles to existing users. When users enable an optional role by turning it on, they gain the authority granted by that optional role.
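The additive rule and the optional-role switch described above can be checked offline before a role is applied to a group. The following sketch is an added example, not code from the product: the role, group, user and interaction names are constructed, and it assumes an optional role is kept as one role record whose "-" entries name the users who may switch it on.

```python
# Added illustration of "positively additive" roles; all names are constructed.
from dataclasses import dataclass, field

@dataclass
class Role:
    name: str
    restrictions: set                               # interactions the role prohibits
    members: set = field(default_factory=set)       # groups or user names
    optional_for: set = field(default_factory=set)  # users entered with a leading "-"

def make_role(name, groups_field, restrictions):
    """Build a Role from a Groups field: one entry per line, "-" marks an optional user."""
    role = Role(name, set(restrictions))
    for entry in (line.strip() for line in groups_field.splitlines()):
        if entry.startswith("-"):
            role.optional_for.add(entry[1:].strip())
        elif entry:
            role.members.add(entry)
    return role

def active_roles(user, groups, roles, switched_on=()):
    """Roles in force: assigned by group or user name, or optional and turned On."""
    principals = set(groups) | {user}
    return [r for r in roles
            if r.members & principals
            or (user in r.optional_for and r.name in switched_on)]

def effective_restrictions(user, groups, roles, switched_on=()):
    """An interaction stays blocked only if every active role blocks it."""
    active = active_roles(user, groups, roles, switched_on)
    if not active:
        return set()  # assumption: this model says nothing about users with no role
    return set.intersection(*(r.restrictions for r in active))

def overridden(user, groups, roles, switched_on=()):
    """Map each cancelled restriction to the active roles that grant the interaction."""
    active = active_roles(user, groups, roles, switched_on)
    blocked = effective_restrictions(user, groups, roles, switched_on)
    lifted = set().union(*(r.restrictions for r in active)) - blocked
    return {i: sorted(r.name for r in active if i not in r.restrictions) for i in lifted}

# Constructed sample roles: two group roles and one optional role for user "alice".
ROLES = [
    make_role("Operator", "ops", {"delete_job", "manage_roles"}),
    make_role("Auditor", "auditors", {"run_job", "delete_job"}),
    make_role("Maintenance", "-alice", {"manage_roles"}),
]
```

For a user in both sample groups only `delete_job` stays blocked, and turning the optional role on removes that last restriction; `overridden` names the role responsible for each lifted restriction, which is the list to review before adding a group to a permissive role.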

To add a new role

  1. On the System tab, from the left menu, click Roles.
  2. Click New Role.
  3. Enter an appropriate name for the role.
  4. Select the groups to which the role will apply.
  5. Select the access restrictions that will apply to the role.
  6. Click Create.

To assign a role to a user

  1. Open the role you want to assign to the user:
    1. On the System tab, from the left menu, click Roles.
    2. Click the role name to open the role for editing.
      The Summary tab opens automatically.
  2. In the Groups field, enter the name of the user who should have this role assigned, and then click Update.
  3. Log in as the specified user.

To add an optional role

  1. On the System tab, from the left menu, click Roles.
  2. Click New Role.
  3. Enter the name of the existing role that you want to make optional for the selected users.
  4. In the Groups field, specify the users to which the optional role will apply.
    Enter each user on a new line, preceded by a minus sign (-).
  5. Click Create.

To enable an optional role

  1. Log in as the user to whom you assigned the optional role.
  2. Click the Profile link at the top-right side of your screen.
  3. Click the Optional Roles tab.
  4. Enable the optional role by changing the Off status to the On status.

When you have finished the activities that require the optional role, turn the optional role off to resume your default role. To do this, on the Optional Roles tab, change the status of the role back to Off.

To modify access restrictions for a role

The access restrictions associated with a role identify which interactions the role cannot perform.

  1. On the System tab, from the left menu, click Roles.
  2. Click the role to modify, and then click the Access Restrictions tab.
  3. To specify the restrictions that you want for this role, select or clear check boxes as necessary.
    The changes are automatically saved.

After roles are fully defined, you can manage roles for individual users within their LDAP or MSAD group memberships.

