6.4.1. Configuring Roles

Below is a quick reference of permissions that should be allowed to provide access to the Administration functionality. For example, if you want to allow nothing but Entity log functionality, set the permissions mentioned in the corresponding section.

It is recommended to provide at least a read-only permissions for the sys$FileDescriptor entity as it is widely used by the platform: emailing, attachments, logging etc.


The User entity may be used as a reference attribute in your data model. To make it visible in lookup fields and drop-down lists, it will be enough to set the permission for the sec$User entity.

In case you want to create and edit the User entity, the following set of permissions is required:

  • Entities: sec$User, sec$Group; (optionally) sec$Role, sec$UserRole, sec$UserSubstitution.

Permission to read the sec$UserSubstitution entity is essential for functioning of the user substitution mechanism.

  • Screens: Users menu item, sec$User.edit, sec$Group.lookup; (optionally) sec$Group.edit, sec$Role.edit, sec$Role.lookup, sec$User.changePassword, sec$User.copySettings, sec$User.newPasswords, sec$User.resetPasswords, sec$UserSubstitution.edit.

Access Groups

Creating and managing the user access groups and security constraints.

  • Entities: sec$Group, sec$Constraint, sec$SessionAttribute, sec$LocalizedConstraintMessage.

  • Screens: Access Groups menu item, sec$Group.lookup, sec$Group.edit, sec$Constraint.edit, sec$SessionAttribute.edit, sec$LocalizedConstraintMessage.edit.

Dynamic Attributes

Access to additional non-persistent entity attributes.

  • Entities: sys$Category, sys$CategoryAttribute, and the required entities of your data model.

  • Screens: Dynamic Attributes menu item, sys$Category.edit, sys$CategoryAttribute.edit, dynamicAttributesConditionEditor, dynamicAttributesConditionFrame.

User Sessions

Viewing the user sessions data.

  • Entities: sec$User, sec$UserSessionEntity.

  • Screens: User Sessions menu item, sessionMessageWindow.


Setting up Pessimistic locking for the entities.

  • Entities: sys$LockInfo, sys$LockDescriptor, and the required entities of your data model.

  • Screens: Locks menu item, sys$LockDescriptor.edit.

External Files

Access to the application File storage.

  • Entities: sys$FileDescriptor.

  • Screens: External Files menu item; (optionally) sys$FileDescriptor.edit.

Scheduled Tasks

Creating and managing scheduled tasks.

  • Entities: sys$ScheduledTask, sys$ScheduledExecution.

  • Screens: Scheduled Tasks menu item, sys$ScheduledExecution.browse, sys$ScheduledTask.edit.

Entity Inspector

Working with any application objects from the screens dynamically generated by the entity inspector.

  • Entities: the required entities of your data model.

  • Screens: Entity Inspector menu item, entityInspector.edit, and the required entities of your data model.

Entity Log

Tracking changes in the entity instances.

  • Entities: sec$EntityLog, sec$User, sec$EntityLogAttr, sec$LoggedAttribute, sec$LoggedEntity, and the required entities of your data model.

  • Screens: Entity Log menu item.

User Session Log

Viewing the historical data on the users' login and logout, or user sessions.

  • Entities: sec$SessionLogEntry.

  • Screens: User Session Log menu item.

Email History

Viewing the emails sent from the application.

  • Entities: sys$SendingMessage, sys$SendingAttachment, sys$FileDescriptor (for attachments).

  • Screens: Email History menu item, sys$SendingMessage.attachments.

Server Log

Viewing and downloading the application log files.

  • Entities: sys$FileDescriptor.

  • Screens: Server Log menu item, serverLogDownloadOptionsDialog.

  • Specific: Download log files.


Running reports, see Report Generator add-on.

  • Entities: report$Report, report$ReportInputParameter, report$ReportGroup.

  • Screens: report$inputParameters, commonLookup, report$Report.run, report$showChart (if contains chart templates).