# Role Configuration
The Core Engine uses a role management that allows configuring native permissions, feature permissions, and presets role-specific for each module and its records. This includes the visibility of a module as well as permissions to create, view, edit, assign, and delete its records (files or objects). These permissions are called native permissions.
For feature permissions and presets, please refer to our Permissions and presets documentation.
To configure a role's native permissions, go to admin snap-in General system configurations/User settings/Role configuration, tab Role-based module settings:
table with role permissions, highlighted: global permissions
Attention!
The role-based module-settings make no difference between user modules and technical (background) modules required for a working system. When changing default permissions, please consider the consequences when taking or assigning rights.
For example, setting the Contact's module access to "no" or "only friendlyname" will prevent this role's users from adding a receiver to an eTicket or download package.
Please note: Some technical modules are hidden in the role configurations, so their permission values cannot be customized via the frontend (list of modules).
# Hierarchy Model
The role management works hierarchically. It distinguishes global permissions that hand down their values down to all modules in the table like a cascade (first table row - highlighted above), and module-specific permissions that overwrite the global permissions for a module if set (all table rows below).
# Order of Permissions
Native permissions apply in a defined and descending order, where the system starts to check for custom, module-specific permission values:
If a specific module's native permission has a custom value, the values from table
ce_role_accsin the database apply (show_in_role_configmust be "true" or not set).
If not manually set, or set to "default", the system checks the following:
If the global module permission has a custom value, the values from table
ce_rolein the database apply (show_in_role_configmust be "true" or not set).
If not manually set, or set to "default", the system does the following:
The module-specific native permissions from file
modules/MODULE/setup.xmlin the filesystem apply (How to change the module's default).If set to "default", the system does the following:
The global native permission values from file
global/defaults/native_permissions.xmlin the filesystem apply.
Please note: If show_in_role_config is set to "false", both ce_role_accs and ce_role will not apply. With no values from the database, the XML values will apply.
- If a permission value is shown black, a value was entered manually. This custom value applies (if set to "default": see order above).
- If a permission value is shown greyed out, a predefined value applies (e.g. the global permission's or the product standard "Default").
# Permission Fallbacks
- If even the global native permissions are set to "default", a system fallback applies. Its values are set to "no rights".
- If for some reason a module's XML file cannot be read, the global permission's value apply.
# Example
In the following example, the global permission for deleting records was manually set to "All". This value is handed down to all other modules. Users of this role can delete any records of all modules to which the global permission applies.
The module-specific value for "Collections" was manually set to "Own". The global permission is overwritten by "Own" and users of this role can only delete collection they have created themselves.
# What is the Default?
Our two standard roles "Administrator" and "User" come with predefined values. Some of them are set to "default". Also, when you create a completely new role, all global and module-specific native permissions are set to "default":
The "default" can be seen as the product standard or delivery status of a permission. Its values are stored in the system's XML files. This default always applies if a value is not changed manually to another value.
The actual XML values behind "default" are as follows:
# Global Permissions
"Default" =
| Module name | Module access | Main menu entry | View | Delete | Edit | Assign | Create |
|---|---|---|---|---|---|---|---|
| all modules | yes | yes | public | public | public | public | yes |
Compare the XML values with the snap-in value names here.
# Core Engine Modules
Please note: If any other value than "default" is set for a permission, that other value applies.
"Default" =
| Module name | Module access | Main menu entry | View | Delete | Edit | Assign | Create |
|---|---|---|---|---|---|---|---|
| API Key * api_key | superadmin: yes, else: no | no | public | public | public | public | yes |
| CE module permissions * ce_role_accs | superadmin: yes, else: no | no | public | public | public | public | yes |
| Emails | no | no | none | none | none | none | no |
| History recent_obj | yes | no | own | own | none | none | yes |
| Log events logevents | superadmin: yes, else: no | no | public | public | default (global fallback = public) | default (global fallback = public) | no |
| Login attempts * login_attempt | superadmin: yes, else: no | no | public | public | none | none | no |
| Request management request_mngt | yes | no | public | own | own | own | yes |
| Roles ce_role | yes | no | public | superadmin: public else: none | superadmin: public, else: none | superadmin: public, else: none | superadmin: yes, else: no |
| Saved filters * saved_search | yes | no | own | own | own | own | yes |
| Sessions * session | superadmin: yes, else: no | no | public | public | none | none | no |
| Update management * update_mngt | superadmin: yes, else: no | no | public | public | public | public | yes |
| User user (details see below) | yes | yes (shown) | default (global fallback = public) | default (global fallback = public) | default (global fallback = public) | default (global fallback = public) | yes |
| Versioning * version | yes | no | public | public | public | none | yes |
| Webhooks * webhook | superadmin: yes, else: no | no | public | public | public | public | yes |
| Webhook events * webhook_event | superadmin: yes, else: no | no | public | public | public | public | yes |
| Webhooks logevents * webhook_logevent | superadmin: yes, else: no | no | public | public | public | public | yes |
* module does not show in role configuration
Please note: The minimum requirement for User module is to set "Module access" to "Yes". This gives access to the module's records including the user's profile and object image, or the possibility to assign users to records (Reference Find), e.g. to invite them to a collection.
- Yes: access to this module's records, access to "user profile" menu, Reference Find, users' object images
- No: no access to this module's records, no access to "user profile" menu, no Reference Find, no users' object image
- Only friendlyname: only own username in header, access only to "friendly name" records, no Reference Find, no users' object image
# DAM Modules
"Default" =
| Module name | Module access | Main menu entry | View | Delete | Edit | Assign | Create |
|---|---|---|---|---|---|---|---|
| Approval objects review_item | yes | no | own | own | own | own | yes |
| Approvals review | yes | yes (shown) | own | own | own | own | yes |
| Collections f_collection | yes | yes (shown) | default (global fallback = public) | default (global fallback = public) | default (global fallback = public) | default (global fallback = public) | yes |
| eTickets et | yes | no | own | own | own | none | yes |
| eTicket assets * et_asst | yes | no | public | public | public | public | yes |
| eTicket asset derivative * et_asst_derv | yes | no | public | public | public | public | yes |
| File access * fileaccess | yes | no | public | public | public | public | yes |
| File access items * fileacc_item | yes | no | public | public | public | public | yes |
| File transfer objects * filetran_obj | yes | no | own | own | own | own | yes |
| File transfer process status * filetran_obj_proc_status | yes | no | own | own | own | own | yes |
| File transfer filetransfer | yes | no | own | own | own | own | yes |
| Files file | yes | yes (shown) | default (global fallback = public) | default (global fallback = public) | default (global fallback = public) | default (global fallback = public) | yes |
| Folders folder | yes | no | public | none | none | none | no |
| Markup component (Text) * idnt_mkp_txt | yes | no | own | own | own | own | yes |
| Object recognition markup * *idnt_mkp_object | yes | no | public | none | none | none | no |
| Markup comments file_markup_comment | yes | no | public | own | own | own | yes |
| Markups file_markup (details see below) | yes | no | public | own | own | own | yes |
| Object markings file_markup_item | yes | no | public | own | own | own | yes |
| Usage history usa_his_ass | yes | yes (shown) | default (global fallback = public) | none | none | default (global fallback = public) | no |
* module does not show in role configuration
Please note: The rights for module Markups (file_markup) also have an effect on the linked files subpanel for InDesign files. If a role's view rights are set to only "own", linked files will not be displayed. If required, make sure to keep the system's default "public".
# Essentials Modules
"Default" =
| Module name | Module access | Main menu entry | View | Delete | Edit | Assign | Create |
|---|---|---|---|---|---|---|---|
| Companies account | yes | yes (shown) | default (global fallback = public) | default (global fallback = public) | default (global fallback = public) | default (global fallback = public) | yes |
| Contacts contact | yes | yes (shown) | default (global fallback = public) | default (global fallback = public) | default (global fallback = public) | default (global fallback = public) | yes |
| Favorites * favorite_obj | yes | no | own | own | own | own | yes |
| Shares share | yes | no | own | own | own | none | yes |
| Tasks task | yes | yes (shown) | own | own | own | own | yes |
* module does not show in role configuration
# AI Tagging Modules
"Default" =
| Module name | Module access | Main menu entry | View | Delete | Edit | Assign | Create |
|---|---|---|---|---|---|---|---|
| Face detection markups idt_mkp_face | yes | no | public | none | none | none | no |
| Objects (AI) ai_object | yes | yes (shown) | default (global fallback = public) | default (global fallback = public) | default (global fallback = public) | default (global fallback = public) | yes |
# PIM Modules
"Default" =
| Module name | Module access | Main menu entry | View | Delete | Edit | Assign | Create |
|---|---|---|---|---|---|---|---|
| Product categories product_cat | no | no | none | none | none | none | no |
| Product technologies product_tech | yes | no | none | none | none | none | no |
| Product variants product_var | no | no | none | none | none | none | no |
| Products product | no | yes (shown) | none | none | none | none | no |
# User Registration Module
"Default" =
| Module name | Module access | Main menu entry | View | Delete | Edit | Assign | Create |
|---|---|---|---|---|---|---|---|
| User registration user_registr | no | no | none | none | none | none | no |
# Permission Values
Please refer here for information about the storage of native and custom permissions in your filesystem/database.
# Explanation of Permission Values
This table explains all possible permissions that can be granted to users of the chosen role and module:
| Permission (XML Value) | Snap-in Value (XML Value) | Description |
|---|---|---|
| Module access mod_access | Default (default) | permission according to default permissions |
| Yes (yes) | Users get access to this module. | |
| Only friendlyname (friendlyname) | Users can only read this module's friendlyname, but has no further properties of this module, e.g. read, write ... permissions. (Make friendlyname settings in the Module Definition.) | |
| No (no) | Users get no access to this module. | |
| Main menu entry menu_entry | Default (default) | permission according to default permissions |
| Yes, shown (yes_default_shown) | Users can open this module via the mega menu because the module icon is displayed. | |
| Yes, hidden (yes_default_hidden) | Users can only open this module via URL parameter because the module icon is not displayed. | |
| No (no) | Users cannot open this module via the mega menu because the module icon is hidden. | |
| View read | Default (default) | permission according to default permissions |
| None (none) | Users cannot view this module's records. | |
| Own (own) | Users can view only the module's records they have created themselves. | |
| Role (role) | Users can view only the module's records they or another user of the same role have created. | |
| Role and down (role_down) | Users can view only the module's records they or another user of the same role or its child roles have created. | |
| All (public) | Users can view all records in this module unrestricted. | |
| Delete delete | Default (default) | permission according to default permissions |
| None (none) | Users cannot delete records in this module. | |
| Own (own) | Users can delete only the module's records they have created themselves. | |
| Role (role) | Users can delete only the module's records they or another user of the same role have created. | |
| Role and down (role_down) | Users can delete only the module's records they or another user of the same role or its child roles have created. | |
| All (public) | Users can delete all records in this module unrestricted. | |
| Edit edit | Default (default) | permission according to default permissions |
| None (none) | Users cannot edit this module's records. | |
| Own (own) | Users can edit only the module's records they have created themselves. | |
| Role (role) | Users can edit only the module's records they or another user of the same role have created. | |
| Role and down (role_down) | Users can edit only the module's records they or another user of the same role or its child roles have created. | |
| All (public) | Users can edit all records in this module unrestricted. | |
| Assign assign | Default (default) | permission according to default permissions |
| None (none) | Users cannot change field owner_user of this module's records. | |
| Own (own) | Users can change field owner_user of this module's records only if they have created them themselves. | |
| Role (role) | Users can change field owner_user of this module's records only if they or another user of the same role have created them themselves. | |
| Role and down (role_down) | Users can change field owner_user of this module's records only if they or another user of the same role or its child roles have created them themselves. | |
| All (public) | Users can change field owner_user of this module's records unrestricted. | |
| Create create | Default (default) | permission according to default permissions |
| Yes (yes) | Users can create records in this module. | |
| No (no) | Users cannot create records in this module. |
# Role-specific Layouts
Next to role-specific permissions, you can also assign a role a specific layout, e.g. to remove a subpanel or add a button for certain roles. For this, you need to map a layout to a role in the Layouts section:
For all details on how to create role-specific layouts, refer our layouts documentation.
# Test Your Role Configurations
If you want to see the effect of your role configurations from a user of that role's point of view, you have the option to use feature Impersonation.