User roles are a fundamental component of Norce's access control system, allowing you to define and manage permissions for different types of users within your organization. Roles determine what users can see, edit, and access throughout the system.
User roles serve multiple purposes in Norce:
- Access control: Define what users can view and modify
- Permission management: Control authorization levels for different system components
- User organization: Group users with similar responsibilities and access needs
- Security: Ensure users only have access to appropriate system areas
The User Roles page displays:
- A complete list of all active roles
- Role names and descriptions
- Designation of the default role
- Quick access to edit or deactivate roles
To create a new role:
- Click the create button on the roles list page
- Enter a descriptive name for the role
- Add a clear description explaining the role's purpose
- Configure authorization settings as needed
- Save your changes
When editing a role, you can modify:
- Name: The display name of the role
- Description: Detailed explanation of the role's purpose and scope
- Default status: Whether this role is automatically assigned to new users
- Permissions: Detailed authorization settings for system components
How the default role works:
- Only one role can be designated as the default role at a time
- The default role is automatically assigned to new users when no specific role is selected
- This ensures all users have appropriate base-level access
Consider your organization's needs when setting the default role:
- Choose a role with minimal necessary permissions for security
- Ensure new users can perform basic functions immediately
- Plan for easy role upgrades as users' responsibilities grow
Roles inherit authorization settings from the client component level, providing a hierarchical permission structure:
- Client level: Base permissions set at the highest level
- Component level: Specific feature and module permissions
- Field level: Granular control over individual data fields
To modify role permissions:
- Navigate to the authorization section below the role details
- Review the list of available authorizations
- Uncheck the inheritance arrow to override client-level settings
- Adjust permissions at component and field levels as needed
Keep the following in mind when adjusting permissions:
- Remove only: You can only remove authorizations, not add beyond what's configured at the client level
- Read-only option: Convert read-write permissions to read-only for stakeholders who need visibility without editing rights
- Hierarchical control: Changes can be made at component level and cascade down to applicable field levels
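The inheritance rules above can be modelled as follows. This is an added illustration, not Norce code or its API: the `Access` levels, the dictionary layout, the sample grants and the most-restrictive-wins resolution between component and field overrides are all assumptions.

```python
from enum import IntEnum

class Access(IntEnum):
    NONE = 0
    READ = 1
    READ_WRITE = 2

# Constructed client-level grants (hypothetical names): component -> field -> level.
CLIENT = {
    "products": {"name": Access.READ_WRITE, "price": Access.READ_WRITE,
                 "cost": Access.READ},
    "orders": {"status": Access.READ_WRITE, "customer": Access.READ},
}
# Role overrides: a component key cascades to its fields, a (component, field)
# key targets one field. Anything not listed stays inherited from the client.
STAKEHOLDER = {"products": Access.READ, ("orders", "customer"): Access.NONE}
ESCALATING = {("products", "cost"): Access.READ_WRITE}  # tries to add access

def client_ceiling(client, component, field=None):
    """Highest level the client grants for a field, or for any field of a component."""
    fields = client.get(component, {})
    if field is None:
        return max(fields.values(), default=Access.NONE)
    return fields.get(field, Access.NONE)

def violations(client, overrides):
    """Overrides that exceed the client level, which 'remove only' forbids."""
    bad = []
    for key, level in overrides.items():
        component, field = key if isinstance(key, tuple) else (key, None)
        if level > client_ceiling(client, component, field):
            bad.append(key)
    return bad

def effective_access(client, overrides, component, field):
    """Start from the client grant, then apply component and field overrides.
    Assumption: the most restrictive applicable setting wins."""
    level = client_ceiling(client, component, field)
    for key in (component, (component, field)):
        if key in overrides:
            level = min(level, overrides[key])
    return level

if __name__ == "__main__":
    for role_name, role in (("stakeholder", STAKEHOLDER), ("escalating", ESCALATING)):
        print(role_name, "violations:", violations(CLIENT, role))
        for comp, fields in CLIENT.items():
            for f in fields:
                print(f"  {comp}.{f}: {effective_access(CLIENT, role, comp, f).name}")
```

Running a check like `violations` over exported role definitions is a quick way to review whether any role claims more than its client-level ceiling.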
When you deactivate a role:
- Click the "X" button next to the role in the list
- Confirm the deactivation
- The role is soft deleted (hidden but not permanently removed)
- Easy reactivation is possible if needed
Soft deletion provides:
- Safety: Prevents accidental permanent loss of role configurations
- Flexibility: Allows temporary role deactivation
- History preservation: Maintains audit trails and user assignment history
Typical roles include:
- Admin users: Minimal restrictions, full system access
- Manager roles: Broad access with some sensitive area restrictions
- Supervisor roles: Department-specific permissions with limited admin functions
- Standard users: Basic operational permissions with limited editing rights
- Read-only roles: View-only access for stakeholders and reviewers
- Specialist roles: Narrow but deep permissions for specific functions
When designing roles:
- Principle of least privilege: Start with minimal permissions and add as needed
- Role-based thinking: Group permissions by job function rather than individual preferences
- Scalability: Design roles that can accommodate team growth and organizational changes