Roles and permissions: important concepts
Important concepts explaining how roles and permissions are applied in the platform.
User roles and users
A user role defines the permissions for users assigned to this role.
A user has exactly one role. It is not possible to assign multiple roles to the same user.
Navigation menu permissions versus data permissions
Within a role, there are two kinds of individual permissions:
- Navigation menu permissions (left column): These control the visibility of the navigation menu items. For each screen in the navigation menu, a corresponding permission exists. This enables granular control of which screens are available to a user. These permissions are also called UI permissions, since they control access to the user interface (UI).
- Data permissions (right column): These permissions protect data access at the API level. They do not control the appearance of the navigation menu, but users need to have data permissions to see content in lists, on maps, etc.
From a security perspective, data permissions are a true security barrier, since they operate at the API level. UI permissions only control the visibility of screens and menus.
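The distinction above suggests a simple review of role definitions, shown here as an added example (not Sensolus code): it flags data permissions a role still grants although no visible screen uses them, and screens that are shown without the data permissions behind them. The permission names, the screen-to-data mapping and the sample roles are assumptions constructed for illustration.

```python
from dataclasses import dataclass, field

# Hypothetical mapping: UI permission of a screen -> data permissions that
# screen needs to show content. These are not real platform identifiers.
SCREEN_DATA = {
    "ui.trackers": {"data.tracker.read"},
    "ui.map": {"data.tracker.read", "data.location.read"},
    "ui.geozones": {"data.geozone.read"},
}


@dataclass
class Role:
    name: str
    ui: set = field(default_factory=set)    # navigation menu permissions
    data: set = field(default_factory=set)  # API-level data permissions


def audit_role(role):
    """Return (hidden_but_reachable, visible_but_empty) for one role."""
    # Data permissions needed by the screens this role can actually see.
    used_by_visible = set()
    for screen in role.ui:
        used_by_visible |= SCREEN_DATA.get(screen, set())
    # Granted data permissions with no visible screen: the menu hides the
    # data, but the API still serves it, so hiding the screen revoked nothing.
    hidden_but_reachable = sorted(role.data - used_by_visible)
    # Visible screens lacking a required data permission: the user sees the
    # screen but its lists or maps stay empty.
    visible_but_empty = sorted(
        s for s in role.ui if not SCREEN_DATA.get(s, set()) <= role.data
    )
    return hidden_but_reachable, visible_but_empty


# Constructed sample roles.
CONTRACTOR = Role(
    "contractor",
    ui={"ui.map"},
    data={"data.tracker.read", "data.location.read", "data.geozone.read"},
)
DISPATCHER = Role(
    "dispatcher",
    ui={"ui.map", "ui.geozones"},
    data={"data.tracker.read", "data.location.read"},
)

if __name__ == "__main__":
    for r in (CONTRACTOR, DISPATCHER):
        print(r.name, audit_role(r))
```

A non-empty first list is the finding that matters for access control: to actually restrict that data, remove the data permission from the role, not just the menu item.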
Which roles can be edited?
Creation of custom user roles is a feature only accessible for organisations with the Enterprise security add-on.
Additionally, a number of default roles are available. These cannot be edited, as they are managed by Sensolus.
Role type | Name | Description |
---|---|---|
Organization (NORMAL) | organisation_admin | This is the super user who has all the permissions. She can do everything. |
Organization (NORMAL) | user_editor | This user can see everything. She can also edit everything which is not related to users and security. |
Organization (NORMAL) | user_viewer | This user can see everything but change nothing (except her profile). |
partner | partner_admin | This user can manage organisations as a partner; however, she cannot see the actual tracker data. |
partner | partner_full_data_access_admin | This user can do all the partner management but can also see and manipulate all the data of her child organisations. |
partner | partner_full_data_access_viewer | This user can see all data of child organisations but not change anything. |
Roles managed on a parent level
It is possible that you encounter custom roles that are owned (created and managed) at the level of your partner and that are made available to your organisation. The above-mentioned default user roles are an example of this (they are managed by Sensolus at system level). You can assign these roles to users in your organisation, but you cannot customize these roles.
You can recognize such roles by inspecting the Owned by property of a role: if it is different than your organisation, then the role will be read-only to you.
Role types
The role type determines in which type of organisations the role can be assigned to users:
- NORMAL role types can be assigned to user accounts in a regular end-user organisation.
- PARTNER role types can be assigned to partner user accounts. This is available only to partners.
Important when managing custom roles as a partner user
As a partner creating custom roles, pay attention to the role type and owning organisation of a role.
- If you want to create or edit roles for your (partner) colleagues: create roles of the type PARTNER. Create these roles while your partner organisation is selected. The Owned by field will contain your partner organisation name.
- If you want to create or edit a role for all your child organisations: create roles of the type NORMAL inside your partner organisation. Important: when you create or edit such NORMAL roles owned by your partner organisation, they are automatically available to all child organisations.
- To create or edit roles for a specific end-user (NORMAL) organisation, ensure that you are in the context of a single organisation and then create or edit the role (this requires that the organisation has the security add-on).