9.3.1. Configuring Roles
The recommended way to configure roles and permissions is as follows:
-
Create a
Default
role, which revokes all system rights. The simplest way to do it is to create a role of the Denying type. Select the Default role checkbox to automatically assign this role to all new users. -
Create a set of roles for granting specific rights to different user categories. There are two strategies for creating such roles:
-
Coarse-grained roles – each role has a permission set for the full range of user responsibilities in the system. For example,
Sales Manager
,Accountant
. Only one role is assigned to each user when using this strategy, excluding theDefault
role. -
Fine-grained roles – each role has a small permission set to execute specific functions within the system. For example,
Task Creator
,References Editor
. Each user will then be assigned numerous roles according to their range of responsibilities.
The strategies can also be combined. Create a set of roles for granting specific rights to different user categories. There are two strategies for creating such roles:
-
-
It is possible to leave the system administrator without any assigned roles, in which case, they will have all the rights to all the system objects. Alternatively, a Super type role, overriding any restriction imposed by other roles, can be assigned.