Category and configuration for roles and permissions
I. Classification of application roles
Under the application, there are 3 types of permission roles for users.
Application Administrator
An application administrator can manage all the configuration and data of the application and can modify the application at will, but cannot delete the whole application.
Application Owner
Among the application administrators there is also an "application owner" identity. By default this is the creator of the application, and it can be handed over to others. Only the application owner can delete the whole application; other permissions are the same as those of the application administrator.
The permissions of the application administrator are fixed and cannot be changed.
The following diagram shows that there are 3 application administrators, of which Eun Tao Lee is the application owner.
Custom Roles
Application administrators can create new roles and customize their permissions. Newly created applications are preconfigured with two custom roles: member and read-only. Administrators can reconfigure these permissions, modify role definitions, and add more roles.
II. Create/modify roles
1. Create role
1) After clicking the Create Role button at 1, you can set the name and description of the role, and then configure the permissions of the role.
2) Click the Save button at the bottom to complete the configuration, or click the Delete button to cancel the creation of the new role.
The user sees the role description at.
2. Edit role
After clicking on the target role, you can edit it, for example by changing the name, description and permission configuration.
Once you have made your adjustments, click the Save button below, or click Cancel to undo the changes.
III. Configuring permissions for roles
There are two modes of configuring permissions for roles.
Distribute all application items
That is, all pages, tables, and views are visible, and all tables have the same permission configuration.
Distribute selective application items
You can specify viewing and editing permissions for parts of the content (pages, worksheets, views, fields). More fine-grained permission configurations can be implemented, with different tables, views, and records having different operation permissions.
Mode 1. Distribute all application items (simple mode)
This is the simple and quick way to configure permissions. All custom pages, worksheets and views under the application are visible with no separate configuration, permissions are controlled uniformly, and field permissions cannot be controlled. It is better suited to applications with fewer users and fewer roles.
View, edit and delete permissions
There are 4 types of configurations.
1) Can view, edit, and delete all records
All record data for all tables under the application can be viewed, edited, and deleted. This is a relatively broad permission: all data under the application can be managed, but the application itself cannot be configured.
2) All records can be viewed, but you can only edit and delete records that you own
View records: All record contents can be seen, i.e. all data under the view can be seen.
Edit and delete records: Only records you own can be edited and deleted. Compared to the first configuration, the range of records that can be edited and deleted is narrower.
If you are not sure which records you own, please refer to the introduction to the three types of status of records.
3) You can view only the records you have joined, and can only edit and delete the records you own
View records
Only records that you have joined can be seen. The view does not necessarily show all of its data; only the records that you have joined are shown. Compared to the second configuration, this further narrows the range of records that can be viewed.
Edit, delete records
Only records that you own can be edited and deleted.
4) View-only access to all records
All pages, tables, views, and records are visible, but none can be edited or deleted.
For both configurations 2 and 3, records owned by subordinates can be included. If this is checked, records owned by subordinates can also be edited and deleted. The subordinates here are those defined by the reporting relationship.
Other operation permissions
In addition to the view, edit and delete permissions, other common operation permissions can be configured, such as add, import, export and print.
Mode 2. Distribute selective application items (advanced)
Where the simple mode is uniform and inflexible, the advanced mode is more flexible and fine-grained: it customizes the operation permissions under different tables and views through 4 hierarchical levels.
Level 1. Configure the visible pages
That is, which worksheets, views, and custom pages are visible. To manipulate data, the page where the data is located (view, custom page) must be visible.
1) Configure visible worksheets/custom pages
Worksheet visible: Users manage table data through views, so for a table to be visible, at least one of its views must be visible. Choose the visible view according to the actual scenario; as long as one view is visible, the table is visible.
Custom page visible: A custom page has only the view permission, so just check it. No edit, delete or add permissions are configured for it.
2) Configure visible views
Check the views that the role needs to see. Unchecked views are not displayed to users in this role.
Hide in navigation
Some worksheets or custom pages carry view, edit or add permissions, but their data is generally reached through associated data in other tables. For example, order details are associated with orders: we generally open the order to see the corresponding detail data and do not go directly to the detail table. We can therefore hide this table in the menu bar to keep the page menu simple, while keeping its data-related permissions.
Hide only for a role
After configuring the view and edit permissions for this role, mouse over the table name line and a hide button will appear; click it to hide the table.
Hide for all non-administrators
This hiding method works for all non-administrators (the same method applies to custom pages).
Administrators can always see all worksheets and custom pages, even if the settings are hidden in the navigation.
Level 2. Determine the actions available on data under the view
Actions such as view, edit, add
Users have 4 types of permissions on the records under the view: View Record, Edit Record, Delete Record, and Add Record.
View Record is the basic permission: if you can't view a record, you can't edit or delete it.
Data can be edited under some views and not under others. For example, data that has been submitted for approval cannot be edited, so don't check Edit in that view; data in draft status can be edited, so check Edit in the corresponding view. The same applies to Delete.
In the following configuration of the order form, records under the "draft" view can be viewed, edited and deleted, while records under the "submitted" and "reviewed" views can only be viewed and cannot be edited or deleted.
The Add Record Permission is table-based, not view-based. That is, if you have the add record permission, you can add a record under whichever view you are operating under.
Export, import, print, share, and other actions
Operations such as import, export and print are defined through "Settings", where you can set the permissions for worksheets/views, records and custom buttons respectively.
As shown in the following figure, you can also control the related operations in the function switches of the worksheet. The worksheet switch can control whether an operation is available under a specified view, while the setting in the role is valid for all views.
The final privileges of the user are the minimum of the two settings.
Level 3. Set the range of records that can be manipulated
The previous step decides whether the user may operate on the data under the view (view, edit, delete). You then need to specify which records under the view those operation permissions apply to.
For example, the [My Team's Leads] view displays all the lead records of your own team. However, you can only edit and delete the leads you own; the leads that other team members are responsible for can only be viewed. This means that not all the records that are visible under the view carry operation rights.
Click the [Settings] button on the right to configure the range of data that members of this role can manipulate on this table.
There are 3 main types of record ranges: "All", "Joined", "Owned"
Which records can be viewed
All: All records are viewable under the visible view.
Joined: Under the visible view, only those records that you have joined are displayed.
Subordinate joined: Under the visible view, you can see the records joined by yourself or your subordinates.
If you are not sure what joined records are, please refer to the introduction to the three identities of a record.
Which records can be modified
All: All records are editable under visible view.
Owned: Only records that are owned can be edited and modified. Records that are joined have no permission to edit.
Owned by subordinates: The editable records are those owned by you and those owned by your subordinates.
Which records can be deleted
All: All records can be deleted under the visible view.
Owned: Under the visible view, only owned records can be deleted. Joined records cannot be deleted.
Owned by subordinates: Under the visible view, the range of records that can be deleted are those owned by yourself and those owned by your subordinates.
[Tips] This setting is configured for all views under the worksheet. If you need different views to have different data manipulation scopes, you can set up different roles and add the user to multiple roles.
Level 4. Operation scope of fields
A record being viewable does not mean that all of its fields are visible; a record being editable does not mean that all of its fields need to be edited. This is where you need to control the field-level operations.
This step allows you to configure which fields are visible or hidden, which fields are editable, or to hide some fields when adding a new record.
When fields are editable, they must be viewable.
Through the above configuration steps, you can basically achieve arbitrary permissions for users.
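The four levels above, together with the rule that the final privilege is the minimum of the role setting and the worksheet function switch, can be read as a single access decision. The following Python model is an added illustration, not the product's own code. The class and function names, the single `subordinates` flag (standing in for the "subordinate joined" and "owned by subordinates" ranges) and the rule that an owner also counts as joined are assumptions, and the sample role is constructed.

```python
from dataclasses import dataclass, field

@dataclass
class Record:
    view: str                  # view the record is listed under
    owner: str
    joined: set = field(default_factory=set)

@dataclass
class Role:
    view_actions: dict         # Levels 1-2: visible view -> actions checked on it
    ranges: dict               # Level 3: action -> "all" | "joined" | "owned"
    subordinates: bool = False # extend joined/owned to reporting-line subordinates
    visible_fields: set = field(default_factory=set)   # Level 4
    editable_fields: set = field(default_factory=set)
    operations: set = field(default_factory=set)       # export, print, ... (all views)

def in_range(scope, people, rec):
    if scope == "all":
        return True
    if scope == "owned":
        return rec.owner in people
    # "joined" (assumption: the owner of a record also counts as joined)
    return rec.owner in people or bool(people & rec.joined)

def allowed(role, user, subs, rec, action):
    """May `user` view/edit/delete `rec`? `subs` is the user's set of subordinates."""
    people = {user} | (subs if role.subordinates else set())
    def ok(a):
        # A view that is not listed is not visible, so nothing is allowed on it.
        return (a in role.view_actions.get(rec.view, set())
                and in_range(role.ranges[a], people, rec))
    # View is the base permission: without it, edit and delete are refused.
    return ok("view") and ok(action)

def editable_fields(role):
    # A field must be viewable before it can be editable.
    return role.editable_fields & role.visible_fields

def operation_allowed(role, switches, view, op):
    # Minimum of two settings: the role (all views) AND the per-view function switch.
    return op in role.operations and op in switches.get(view, set())

# Constructed sample: order views from Level 2, record ranges from Level 3.
ROLE = Role(view_actions={"draft": {"view", "edit", "delete"}, "submitted": {"view"}},
            ranges={"view": "all", "edit": "owned", "delete": "owned"},
            subordinates=True, visible_fields={"customer", "amount"},
            editable_fields={"amount", "cost"}, operations={"export", "print"})
SWITCHES = {"draft": {"print"}, "submitted": {"export", "print"}}
```

Add Record is left out of `allowed` because, as noted under Level 2, it is table-based rather than view-based.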
IV. Adding role members
After the application role is created, add the people who have this role: switch to the [User] option, click the role name, and then click "Add User" in the upper right corner.
1. By adding people
Special users can be added individually; you can choose from colleagues, friends and other collaborative relationships.
2. Add by department/organization role/position
All the people under the department have the permission of this role. New users who join this department are automatically given the permission of this role. The same applies to organization roles/positions.
What is the difference between displaying as the department name only and showing the "only the current department" tag?
Display as department name only
This means that when the department was selected, the department and all sub-departments below it were selected, and sub-departments are no longer listed separately. If a new sub-department is subsequently created, it automatically has the permissions of this role.
Show only the current department
This indicates that sub-departments were not selected when the department was selected, or that only individual sub-departments were selected.