Note: If you are new to the concept of roles, it will be beneficial to read An Introduction to Permissions, Roles, and Access Groups.
The primary concept of a "Role" is a pre-configured set of permissions that control the way someone can interact with your system. You can create as many roles as you need to effectively control each user's access, for both your clients and staff.
It is best practice to create roles that match the different job titles your employees have, as this makes it easy to configure default permissions based on their job functions. As a general rule of thumb, user roles should adhere to the Principle of Least Privilege, meaning that a user should only have the permissions he or she needs to perform their job duties.
Creating a New Role
To create a new role, click the Settings tab, click the User Roles link, and then the New Role button in the top right.
The first screen that appears gives you the opportunity to "clone" an existing role. If the new role you are creating differs only slightly from an existing role in the system, cloning that role saves time compared with creating a new role from scratch. When you clone a role, the system automatically configures the new role form to match the selected role. Once the role is cloned, you can make any changes you wish before saving it. If you wish to start from scratch, click No thanks.
- Name - The name of the role. Choose something that is easily distinguishable from other roles.
- Require Multi-Factor Authentication (MFA) - When enabled, users assigned to this role will be required to configure MFA before being allowed access to the system. It is best practice to require MFA on your user roles once most of your staff have voluntarily set up MFA on their account. Use the Security Checkup report (Reports tab) to verify compliance.
- Rank Below - Roles have a hierarchy of responsibility that should closely match the chain of command in your own company. Choose the role that this new role most closely follows. A user in this role cannot edit or make changes to a user of a higher rank (rank 1 is the highest).
- Available For - Each role can only be available for one "type" of user. Choose what type of user this role will be available for.
Note: Not all permissions are available for all user types. Depending on which type is selected, some permissions may not be configurable.
- Access Groups - Determine which access groups this role should have access to. You can secure things like case updates and file uploads by access group. This means that a user's role must be a part of the access group to gain access to the content that is protected by it.
- Default Group - In order for a user to choose which access group they want their case updates to be a part of, they must have the permission to Modify Case Update Access Group (only available for employees).
Customizing Permissions For a Role
- Checked - If the permission is checked, any user(s) assigned to this role will have this permission.
- Unchecked - If the permission is unchecked, any user(s) assigned to this role will not have this permission.
After configuring the permissions, save the role. You will now be able to assign this role to your new and/or existing users. Remember, only roles that match the type of user (Employee, Client Contact, or Vendor) you are creating or editing will be available.
Duplicating Permissions For a New User Role
When a user (or set of users) requires more or fewer permissions than their current user role provides (e.g. Junior Investigator vs Senior Investigator), it is best practice to clone their existing role (see "Creating a New Role" above) and make the necessary permission changes to the cloned role. Finally, assign the newly created role to the necessary users by editing their user profiles.