Roles and rights
Configure what a role can and cannot do

The Roles and rights chapter in Admin Suite provides an overview of all currently configured roles, lets you assign functionalities (permissions) to a role, and lets you edit existing roles or create new ones.
You need the Roles and Functionalities permission to access this chapter. Permissions themselves are managed on the Functionalities card of a role, within this same chapter.
Click an existing role or the '+' icon to open up the respective create/update card, or make use of the right sidebar filters to fine-tune the displayed roles in your overview.
Aside from the Functionality and Deactivate after filters, these are straightforward. The Functionality filter lets you select multiple specific functionalities, after which the overview only displays the roles that contain your selection.
General details
Whether you create a new role or open an existing one, you start off with the following fields:
- Name - whatever you think suits the role (does not have to be unique)
- Code - a concise code representing the role (does not have to be unique)
- User type - more on User types can be found here
  - Employee
  - Customer
  - Anonymous
  - Debtor
  - API
- Deactivate after - enter a number of days here
  - This field is available only for roles that are not system-generated;
  - The field is mandatory and accepts a value from 1 up to 999;
  - EVA tracks the number of days since the last login of a user holding this role and automatically deactivates the role for that user once that number of days is reached;
  - The user is informed of this by means of a popup when logging in again.
Functionalities
Functionalities (also known as permissions) allow you to limit what users can do within each part of EVA.
Currently, there are over 300 different functionalities, providing extensive control and fine-tuning of each user's permissible activities within EVA. Adding another layer to this control, most functionalities are split into what we call Scopes, allowing for further refinement of what a user can do within a single functionality.
See Scopes and examples below for more on this concept:
Scopes and examples
Scopes
- Manage: by selecting this, the role will be able to manage the functionality in its entirety (every scope will be ticked)
- Create: the role is allowed to create (the general ledger account for example)
- Edit: the role is allowed to edit
- View: the role is allowed to view
- Delete: the role is allowed to delete
- Settings: the role is allowed to interact with settings which have this functionality attached
- Scripting: the role is allowed to perform scripting tied to this functionality
Some functionalities only have the Manage scope, which makes them all-or-nothing. This is deliberate: it is used for functionalities where the standalone scopes (edit, view, delete, etc.) would not make sense. Take the ReleasePaidPickupOrders functionality as an example: it allows users to release pickup orders without verifying a customer's QR code. Scopes such as create, edit, view or delete have no meaning there, so only the Manage scope can be ticked.
Examples
- A user cannot edit general ledger accounts without a role containing the Edit scope on the Accounts functionality.
- A user cannot receive purchase order shipments without a role containing the Manage scope on the ReceivePurchaseOrderShipment functionality; this is one of the functionalities with a single, all-or-nothing Manage scope (see the note on the Manage scope above).
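To make the scope model concrete, here is an added illustration written for this page; it is not code from EVA or Admin Suite. It models a role's grants as scope flags where Manage is the union of every standalone scope, treats ReleasePaidPickupOrders and ReceivePurchaseOrderShipment as the all-or-nothing functionalities named above, applies the Deactivate after rule from the General details section, and implements the overview's Functionality filter. All class and function names, and the sample roles and users, are assumptions; EVA's own data model is not described on this page.

```python
from __future__ import annotations

from dataclasses import dataclass, field
from datetime import date
from enum import Flag


class Scope(Flag):
    """The scopes of the Functionalities card as bit flags, so a role's grant on
    one functionality is a single value. MANAGE is the union of all standalone
    scopes, which is what ticking Manage does in the card."""
    NONE = 0
    CREATE = 1
    EDIT = 2
    VIEW = 4
    DELETE = 8
    SETTINGS = 16
    SCRIPTING = 32
    MANAGE = CREATE | EDIT | VIEW | DELETE | SETTINGS | SCRIPTING


# Functionalities that expose only the Manage scope (all-or-nothing). Constructed
# catalogue: these two names are the ones the page mentions, a real one has more.
MANAGE_ONLY = frozenset({"ReleasePaidPickupOrders", "ReceivePurchaseOrderShipment"})


@dataclass
class Role:
    name: str
    grants: dict[str, Scope] = field(default_factory=dict)  # functionality -> scopes
    deactivate_after: int | None = None  # days since last login; None = system role

    def __post_init__(self) -> None:
        # The card only accepts 1..999 for non-system roles.
        if self.deactivate_after is not None and not 1 <= self.deactivate_after <= 999:
            raise ValueError("Deactivate after must be between 1 and 999 days")

    def grant(self, functionality: str, scope: Scope) -> None:
        """Tick a scope; a manage-only functionality refuses any other scope."""
        if functionality in MANAGE_ONLY and scope != Scope.MANAGE:
            raise ValueError(f"{functionality} only has the Manage scope")
        self.grants[functionality] = self.grants.get(functionality, Scope.NONE) | scope


@dataclass
class User:
    name: str
    roles: list[Role]
    last_login: date


def active_roles(user: User, today: date) -> list[Role]:
    """Roles still in force: a role with Deactivate after N is dropped once the
    user has not logged in for N days (the popup the page describes would then
    show at the next login)."""
    idle_days = (today - user.last_login).days
    return [r for r in user.roles
            if r.deactivate_after is None or idle_days < r.deactivate_after]


def has_permission(user: User, functionality: str, scope: Scope, today: date) -> bool:
    """True if any active role grants `scope` on `functionality`. A Manage grant
    satisfies every scope, and a manage-only functionality is always checked
    against Manage, whatever scope the caller asks for."""
    wanted = Scope.MANAGE if functionality in MANAGE_ONLY else scope
    return any(wanted in role.grants.get(functionality, Scope.NONE)
               for role in active_roles(user, today))


def roles_with(roles: list[Role], *functionalities: str) -> list[Role]:
    """The overview's Functionality filter: roles containing every selected functionality."""
    return [r for r in roles if all(f in r.grants for f in functionalities)]
```

The `Scope` flag makes the "Manage ticks every scope" rule a bitwise superset test rather than a special case in every check, and routing manage-only functionalities through `MANAGE_ONLY` keeps a caller from accidentally granting or testing a narrower scope that the functionality does not have.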
The Functionalities card displays all available permissions, along with a corresponding description of what that functionality entails.
You can refine the list of functionalities using the search field by typing the functionality's name or the category it falls under (the latter is a work-in-progress). If a functionality is greyed out, your own role does not have the necessary permission to modify it.
Settings scope
By clicking the 'i' icon in the Actions column, you get an overview of which setting(s) are linked to that functionality. Any user without the Settings scope on that functionality will not be able to change those setting(s) either.
This is still a work-in-progress: the last Core drop before a new App Drop (see our Drop calendar) brings a new batch of linked settings to Test and Acceptance, and the Core drop after that App Drop brings the same batch to Production environments.
The following tables show lists of all settings which have been released in Core drops.
List of settings combined with functionalities in C726
Setting | Functionality |
---|---|
Addresses:Address1OptionalCountries | Addresses |
Addresses:Address2VisibleCountries | Addresses |
Addresses:AutoGeocode | Addresses |
Addresses:CityOptionalCountries | Addresses |
Addresses:HouseNumberRequiredCountries | Addresses |
Addresses:HouseNumberVisibleCountries | Addresses |
Addresses:SecondaryAddressLineCountries | Addresses |
Addresses:StateLength2Countries | Addresses |
Addresses:StateLength3Countries | Addresses |
Addresses:StateVisibleCountries | Addresses |
Addresses:StreetOptionalCountries | Addresses |
Addresses:ZipCodeOptionalCountries | Addresses |
AddressSuggester:FilterOnCountry | Addresses |
AddressSuggester:FilterAddressesOnly | Addresses |
AdminModules:ProductionTemplates | Modules |
Adyen:BaseUrl | PaymentMethods |
Adyen:Username | PaymentMethods |
Adyen:Password | PaymentMethods |
Adyen:MerchantAccount | PaymentMethods |
Adyen:PaymentDataDeterminator | PaymentMethods |
Adyen:CredentialsProvider | PaymentMethods |
Adyen:HmacKeys | PaymentMethods |
Adyen:EnableKlarnaLineInfoForRefunds | PaymentMethods |
Adyen:DisableStoreIDInDefaultPaymentData | PaymentMethods |
Adyen:StoreCustomField | PaymentMethods |
Adyen:ApplicationInfoWhitelistedApps | PaymentMethods |
Adyen:DebugLogging | PaymentMethods |
Adyen:MerchantAccount:Override:Enabled | PaymentMethods |
Adyen:MerchantAccount:Override:MerchantAccount | PaymentMethods |
Adyen:MerchantAccount:Override:PaymentMethods | PaymentMethods |
Adyen:HandleMultiplePspReferencesOnPaymentTransactions | PaymentMethods |
Adyen:UseCheckoutAPIForRefundsAndCaptures | PaymentMethods |
Adyen:CheckoutAPI:BaseUrl | PaymentMethods |
Adyen:CheckoutAPI:AllowedPaymentMethods | PaymentMethods |
Adyen:CheckoutAPI:BlockedPaymentMethods | PaymentMethods |
Adyen:CheckoutAPI:ClientKey | PaymentMethods |
Adyen:CheckoutAPI:PreferBillingAddressCountryID | PaymentMethods |
Adyen:CheckoutAPI:IncludeDisounts | PaymentMethods |
Adyen:PosSdk:BaseUrl | PaymentMethods |
Adyen:PosSdk:ApiKey | PaymentMethods |
Adyen:Giving:DonationAccount | PaymentMethods |
AdyenStoredValue:ApiUrl | PaymentMethods |
AdyenStoredValue:ActivateValueMin | PaymentMethods |
AdyenStoredValue:ActivateValueMax | PaymentMethods |
Adyen:TerminalAPI:ApiKey | PaymentMethods |
Adyen:TerminalAPI:SendMessageWhenUserIsMatched | PaymentMethods |
Adyen:Checkout:SDK:BaseUrl | PaymentMethods |
Adyen:Checkout:SDK:OneClick | PaymentMethods |
Adyen:Checkout:SDK:ApiKey | PaymentMethods |
Adyen:Checkout:SDK:PublicKeyForClientEncryption | PaymentMethods |
Adyen:Checkout:SDK:AllowedPaymentMethods | PaymentMethods |
Adyen:Checkout:SDK:BlockedPaymentMethods | PaymentMethods |
Adyen:Management:ApiKey | PaymentMethods |
Adyen:Management:IsTest | PaymentMethods |
Adyen:Username:OnlineForOfflineOrder | PaymentMethods |
Adyen:Password:OnlineForOfflineOrder | PaymentMethods |
AllowChangingExportedOrderLinesToDelivery | Orders |
AllowEmployeesOnOrdersInSplitScenario | Orders |
AllowExternalNegativeStockAutoCorrect | AdjustStock |
AllowModifyingQuantityAfterExport | AdjustStock |
AllowMultiCurrencyOnOrganizationUnit | OrganizationUnitSettings |
AllowMultiPackageShipments | Shipments |
AllowNegativeStockAutoCorrect | AdjustStock |
APIGiftCard:BaseUrl | GiftCardConfiguration |
APIGiftCard:Password | GiftCardConfiguration |
APIGiftCard:Timeout | GiftCardConfiguration |
APIGiftCard:Username | GiftCardConfiguration |
ApiKeyExpirationInDays | ApiKeys |
ATrust:Host | Audits |
ATrust:Password | Audits |
ATrust:UserName | Audits |
Auditing:Provider | Audits |
Auditing:PublicKeyBlobID | Audits |
Auditing:PrivateKeyBlobID | Audits |
Auditing:Version | Audits |
Auditing:SoftwareVersion | Audits |
Auditing:AllowRawInvoiceReprints | Audits |
Auditing:EnforceTransactionValidation | Audits |
Auditing:DuplicatePrint | Audits |
Auditing:AllowMultipleDuplicates | Audits |
Auditing:UseNopeCat | Audits |
Auditing:GenerateTerminalTotals | Audits |
Auditing:UseInvoiceCloning | Audits |
Auditing:RequireBillingDetailsForInvoice | Audits |
Auditing:IncludeWebShopForAudits | Audits |
Auditing:DailyConsolidation:MailTo | Audits |
Auditing:PreferReceiptPrinting | Audits |
Auditing:PreferPaperPrinting | Audits |
Auditing:PreferEmail | Audits |
Auditing:PreferElectronicReceipt | Audits |
Auditing:InvoiceDeliveryInStoreDirectly | Audits |
Auditing:AuditGeneratorName | Audits |
Auditing:AuditCreatorStrategyName | Audits |
Auditing:AllowExchangeOrders | Audits |
Auditing:EventLedgerLimit | Audits |
Auditing:VerboseAuditLogging | Audits |
Auditing:UseCompanyBasedInvoiceSequenceNumber | Audits |
Auditing:ForeignDescriptionProperty | Audits |
Auditing:CalculateEmployeeDiscountExTax | Audits |
Auditing:EmployeeDisplayType | Audits |
Auditing:UseOrganizationUnitSequence | Audits |
Auditing:PrintTerminalReport | Audits |
Auditing:NF525:IntegrityCheck | Audits |
Auditing:NF525:UseUnifiedMapper | Audits |
Auditing:NF525:MaxOfflinePeriodDurationInDays | Audits |
Auditing:China:Baiwang:Environment | Audits |
Auditing:China:Baiwang:AppKey | Audits |
Auditing:China:Baiwang:AppSecret | Audits |
Auditing:China:Baiwang:AppSalt | Audits |
Auditing:China:Baiwang:Username | Audits |
Auditing:China:Baiwang:Password | Audits |
Auditing:China:Baiwang:Terminal | Audits |
Auditing:China:Baiwang:SerialPrefix | Audits |
Auditing:Austria:AESKey | Audits |
Auditing:Austria:FailSigning | Audits |
Auditing:Austria:SignatureCreationUnitID | Audits |
Auditing:Austria:FON:ParticipantID | Audits |
Auditing:Austria:FON:UserID | Audits |
Auditing:Austria:FON:UserPIN | Audits |
Auditing:Austria:Fiskaly:ForceOffline | Audits |
Auditing:FiskalyManagement:ApiKey | Audits |
Auditing:FiskalyManagement:ApiSecret | Audits |
Auditing:FiskalyManagement:Identifier | Audits |
Auditing:FiskalyManagement:OrganizationPrefix | Audits |
Auditing:FiskalyManagement:OrganizationIdentifier | Audits |
Auditing:FiskalyManagement:OrganizationApiKey | Audits |
Auditing:FiskalyManagement:OrganizationApiSecret | Audits |
Auditing:FiskalyKassenSichV:Host | Audits |
Auditing:FiskalyKassenSichV:TssID | Audits |
Auditing:FiskalyKassenSichV:TssPIN | Audits |
Auditing:FiskalyKassenSichV:TssPUK | Audits |
Auditing:Italy:RtServer:Url | Audits |
Auditing:Italy:RtServer:Username | Audits |
Auditing:Italy:RtServer:Password | Audits |
Auditing:Italy:RtServer:Async | Audits |
Auditing:Italy:Email:FiscalMemoryStatusReceiverEmail | Audits |
Auditing:Italy:Email:PrintRtServerWideZReportFailureReceiverEmail | Audits |
Auditing:Italy:UseSentinel | Audits |
Auditing:Italy:RtServer:UseNewLotterySystem | Audits |
Auditing:Italy:SDIService:Url | Audits |
Auditing:Italy:SDIService:CertificateBlobID | Audits |
Auditing:Italy:SDIService:CertificatePassword | Audits |
Auditing:Italy:SDIService:TransmitterCountryCode | Audits |
Auditing:Italy:SDIService:TransmitterVatCode | Audits |
Auditing:Italy:SDIService:ErrorHandlerEmailAddress | Audits |
Auditing:Italy:SDIService:DebugLoggingEnabled | Audits |
Auditing:Poland:LogoBlobID | Audits |
Auditing:Poland:WelcomeMessage | Audits |
Auditing:Poland:FailAutoPrint | Audits |
Auditing:Poland:LongMonthlyReportEnabled | Audits |
Auditing:Poland:FailJpkSaving | Audits |
Auditing:Poland:DebugPrinting | Audits |
Auditing:Poland:DebugErrorsOnly | Audits |
Auditing:Poland:FailPrinting | Audits |
Auditing:Poland:KSeF:Enable | Audits |
Auditing:Poland:KSeF:EnableDetailedDebugLogging | Audits |
Auditing:Poland:KSeF:Endpoint | Audits |
Auditing:Poland:KSeF:SellerCompanyNIP | Audits |
Auditing:Poland:KSeF:PublicKey | Audits |
Auditing:Poland:KSeF:ApiToken | Audits |
Auditing:Poland:KSeF:REGON | Audits |
Auditing:Romania:UseSentinel | Audits |
Auditing:Romania:Upos:Password | Audits |
Auditing:Romania:Upos:Username | Audits |
Auditing:Romania:Upos:UseSsl | Audits |
Auditing:Romania:Upos:Creator | Audits |
Auditing:Romania:SkipCertificate | Audits |
Auditing:Romania:ConnectionTimeoutInSeconds | Audits |
Auditing:SAFT:Series:SigningCertificateBlobID | Audits |
Auditing:SAFT:Series:ClientCertificateBlobID | Audits |
Auditing:SAFT:Series:ClientCertificatePassword | Audits |
Auditing:SAFT:Series:Username | Audits |
Auditing:SAFT:Series:Password | Audits |
Auditing:SAFT:Series:Endpoint | Audits |
Auditing:SAFT:Series:EnablingProfiling | Audits |
Auditing:SAFT:Series:NewSequenceMonth | Audits |
Auditing:Sweden:InfrasecApiCertificate:Url | Audits |
Auditing:Sweden:InfrasecEnrollmentCertPfx:BlobGuid | Audits |
Auditing:Sweden:InfrasecEnrollmentCertPfx:Key | Audits |
Auditing:Sweden:InfrasecEnrollmentCertServerTrustPem:BlobGuid | Audits |
Auditing:Sweden:InfrasecReceiptApiCertificate:Url | Audits |
Auditing:Sweden:InfrasecReceiptCertPfx:BlobGuid | Audits |
Auditing:Sweden:InfrasecReceiptCertPfx:Key | Audits |
Auditing:Sweden:InfrasecReceiptCertServerTrustPem:BlobGuid | Audits |
Auditing:Sweden:InfrasecApi:PosAuthorityCode | Audits |
Auditing:Sweden:Tenant:Code | Audits |
Auditing:Sweden:Tenant:Name | Audits |
AutoCancelNonShippedLines | Orders |
AutoCancelNonShippedLinesOnFinalShipment | Orders |
AutoCancelShippingCostsWhenOrderIsFullyCancelled | Orders |
AutomaticOrderCancellationTimeInDays | Orders |
AutoOpenCloseFinancialPeriod | FinancialPeriods |
AutoReceiveSupplierPurchaseOrder | PurchaseOrders |
AutoSendInvoice | Audit |
AutoShipOrderLinesOnCreation | ShipmentSettings |
AutoShipRemainingLinesAfterCancellation | ShipmentSettings |
AvaTax:CompanyCode | TaxRates |
AvaTax:InvoiceAction | TaxRates |
AvaTax:Password | TaxRates |
AvaTax:Production | TaxRates |
AvaTax:ShippingCostsTaxCode | TaxRates |
AvaTax:Username | TaxRates |
List of settings combined with functionalities in C730
Setting | Functionality |
---|---|
CheckDuplicateFiscalID | Audits |
CheckDuplicateVatNumber | Audits |
ClickAndCollect:Payment:Limit | PaymentMethods |
CloneOrderLineToDeliveryLine | Orders |
Consignor:Actor | ShippingMethods |
Consignor:BaseUrl | ShippingMethods |
Consignor:FallbackProductWeight | ShippingMethods |
Consignor:IsDeliveryReceipt | ShippingMethods |
Consignor:Key | ShippingMethods |
Consignor:PackageWeight | ShippingMethods |
Consignor:ProductWeightProperty | ShippingMethods |
CreateEmployee:AllowGeneratingPassword | Employee |
CreateEmployee:AllowSettingPassword | Employee |
CreateEmployee:AllowUserUpdate | Employee |
CreateEmployee:AllowUserUpgrade | Employee |
B2b:CommitAfterSigning | Orders |
B2b:RequireOrderVerification | Orders |
BICharts:Customer:BaseUrl | DashboardData |
BICharts:Customer:BasicAuthPassword | DashboardData |
BICharts:Customer:BasicAuthUsername | DashboardData |
AX:ShopID | FinancialEvents |
AX:CustAccount | FinancialEvents |
AX:StoreID | FinancialEvents |
AX:ReceiptConfirmationFolderSuffix | FinancialEvents |
AX:SaleOrderProducer | FinancialEvents |
AX:SaleOrderOutput | FinancialEvents |
AX:EnableOriginatingOrganizationUnit | FinancialEvents |
AX:EnableReturnWithoutRetake | FinancialEvents |
AX:ReturnWithoutRetakeProductBarcode | FinancialEvents |
AX:ReturnWithoutRetakeProductItemID | FinancialEvents |
AX:ExportFinancialPeriodEvents | FinancialEvents |
AX:ExportBundleProducts | FinancialEvents |
AX:BundleProductBarcode | FinancialEvents |
AX:BundleProductItemID | FinancialEvents |
AX:DiscountOfferIdProvider | FinancialEvents |
AX:HybridMode | FinancialEvents |
AX:UseOriginStoreID | FinancialEvents |
AX:FinancialPeriodExport:UseShippingCountry | FinancialEvents |
AX:Ftp:Host | FinancialEvents |
AX:Ftp:UserName | FinancialEvents |
AX:Ftp:Password | FinancialEvents |
AX:FTP:EnableOrigin | FinancialEvents |
AX:HSO:EndPoint | FinancialEvents |
AX:HSO:Credentials | FinancialEvents |
AX:HSO:CompanyID | FinancialEvents |
AX:HSO:IgnoreCompanyID | FinancialEvents |
AX:HSO:ReceiptConfirmation:CustomFieldBackendIDs | FinancialEvents |
AX:HSO:EnablePalletID | FinancialEvents |
AX:HSO:EnableOrigin | FinancialEvents |
AX:Warehouse:ForceWebserviceConfirmations | FinancialEvents |
AX:Warehouse:Location:Sellable | FinancialEvents |
AX:Warehouse:Location:Transit | FinancialEvents |
AX:Warehouse:Location:Charity | FinancialEvents |
AX:Warehouse:Location:Blocked | FinancialEvents |
AX:Warehouse:Code:NDDC | FinancialEvents |
AX:Warehouse:Code:RODC | FinancialEvents |
AX:Warehouse:Code:UKDC | FinancialEvents |
AX:Warehouse:Code:USAV | FinancialEvents |
AX:Warehouse:Code:ONHK | FinancialEvents |
AX:Warehouse:Code:ESDC | FinancialEvents |
AX:Warehouse:Code:DEDC | FinancialEvents |
AX:Shipping:Barcode | FinancialEvents |
AX:Wrapping:Barcode | FinancialEvents |
AX:StockMutations:WarehouseID | FinancialEvents |
AX:Stock:Import:FolderName | FinancialEvents |
AX:StockDifference:Import:FolderName | FinancialEvents |
AX:StoreCode:US | FinancialEvents |
AX:BrandName:BeautyAndWellness | FinancialEvents |
AX:BrandName:BeautyAndParfum | FinancialEvents |
AX:BrandName:VVVCard | FinancialEvents |
AX:BrandName:WonderboxNL | FinancialEvents |
AX:BrandName:FashionCheque | FinancialEvents |
AX:BrandName:Love2Shop | FinancialEvents |
AX:BrandName:Illicado | FinancialEvents |
AX:BrandName:IGive | FinancialEvents |
AX:BrandName:Xpon | FinancialEvents |
AX:BrandName:Sparebank | FinancialEvents |
AX:BrandName:Oberthur | FinancialEvents |
AX:BrandName:ProsodieIllicado | FinancialEvents |
AX:BrandName:Netscard | FinancialEvents |
AX:BrandName:XponCard | FinancialEvents |
AX:BrandName:CashComGiftcard | FinancialEvents |
AX:BrandName:ResursBank | FinancialEvents |
AX:BrandName:Breuninger | FinancialEvents |
AX:BrandName:UniversalGiftcard | FinancialEvents |
AX:BrandName:Mapping | FinancialEvents |
AX:ReturnToSupplier:EmailAddress | FinancialEvents |
AX:ReturnToSupplier:OnlyExportApprovedAndCompleted | FinancialEvents |
AX:TaxMapper:NonDomCountries | FinancialEvents |
AX:TaxMapper:NonDomCountries:InStore | FinancialEvents |
AX:TaxMapper:InStoreTaxGroup | FinancialEvents |
AX:TaxMapper:InStoreTaxCode | FinancialEvents |
AX:TaxMapper:InStoreTaxItemGroup | FinancialEvents |
Filtering service results based on permissions
While the results of service calls are normally filtered on the context of your login/OU, you can instead filter on the user's permissions. This is intended to become the default throughout EVA, but you can already enable it with the following settings:
- Set Security:UseContextIndependentFunctionalityChecksAndFiltering to true;
- Set LimitOrganizationUnitVisibility to true (this filters the organization units down to the ones in which you hold the requested functionality);
- Set EnablePriceViewingFunctionalities to true (this enables the viewing functionalities for everything related to prices).
The benefits are twofold:
- Your user can see (for example) financial period results across all the OUs they have permissions for, without having to switch OUs;
- Your user no longer sees sensitive information they should not have access to.
The services affected by this setting are listed in the following section.
List of services
- PriceLists
- ReturnReasons
- Discounts
- FullStockCount
- Invoices
- GeneralLedgers
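The following is an added example, written for this page and not taken from EVA, of the difference between the two filtering modes described above. It assumes that a user's permissions are held per organization unit (so they can be keyed by OU), uses the two setting names from the list above as plain keys in a dictionary, and filters a constructed list of financial period records. The price-viewing setting is not modelled. The `FinancialPeriod` record type and the function names are assumptions.

```python
from __future__ import annotations

from dataclasses import dataclass


@dataclass(frozen=True)
class FinancialPeriod:
    """Constructed sample record; only the organization unit matters here."""
    organization_unit: str
    period_id: int


# The two settings from the page, as a plain mapping. Both default to false here,
# which stands for the context-based behaviour the page calls "normal".
DEFAULT_SETTINGS = {
    "Security:UseContextIndependentFunctionalityChecksAndFiltering": False,
    "LimitOrganizationUnitVisibility": False,
}


def visible_organization_units(perms: dict[str, set[str]], functionality: str,
                               settings: dict[str, bool]) -> set[str]:
    """OU list as the user would see it: every OU they hold a role in, or, with
    LimitOrganizationUnitVisibility on, only the OUs that grant `functionality`.
    `perms` maps OU -> functionalities the user holds there (assumption)."""
    if settings.get("LimitOrganizationUnitVisibility", False):
        return {ou for ou, funcs in perms.items() if functionality in funcs}
    return set(perms)


def filter_results(records: list[FinancialPeriod], perms: dict[str, set[str]],
                   functionality: str, current_ou: str,
                   settings: dict[str, bool]) -> list[FinancialPeriod]:
    """Filter service results either on the login context (current OU only,
    and only if the functionality is held there) or on the user's permissions
    (every OU in which the functionality is held, no OU switch needed)."""
    if settings.get("Security:UseContextIndependentFunctionalityChecksAndFiltering", False):
        allowed = {ou for ou, funcs in perms.items() if functionality in funcs}
    else:
        if functionality not in perms.get(current_ou, set()):
            raise PermissionError(f"{functionality} not granted in {current_ou}")
        allowed = {current_ou}
    return [r for r in records if r.organization_unit in allowed]
```

In context mode the OU the user is logged into decides what comes back, so a user has to switch OUs to see the next one; in permission mode the grants decide, and a record from an OU in which the functionality is not held is dropped regardless of which OU the session is in.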
Elevation
In addition to permissions, EVA supports elevated permissions. With elevation you give specific users permission to carry out a task only partially, and require validation from another user whose role holds the complete permission before the task can be finished.
For example: you can allow a role to take part in counting a full stock count, while not allowing that same user to complete the FSC.
You enable elevation per permission by double-clicking the Manage column, or any other scope column you want elevation to apply to. An orange marker indicates that the permission requires elevation. Click Done afterwards to save your changes.
Elevation is done by means of a PIN or QR code. More on creating elevation codes can be found here.
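As an added example of the two-person flow described above (written for this page, not EVA's own implementation), the block below marks a grant as requiring elevation, lets the actor proceed only when a different user presents a PIN, and accepts that user only if their own grant on the same functionality and scope is complete, that is, not itself marked for elevation. The PIN is stored as a salted PBKDF2 hash and compared in constant time; how EVA actually stores elevation codes is not described on this page, so that part is an assumption, as are the `Grant`, `User` and `Decision` types and the sample users. It uses the FullStockCount functionality from the service list above.

```python
from __future__ import annotations

import hashlib
import hmac
import os
from dataclasses import dataclass


@dataclass(frozen=True)
class Grant:
    functionality: str
    scope: str
    requires_elevation: bool = False  # the orange marker on that scope column


@dataclass
class User:
    name: str
    grants: frozenset[Grant]
    pin_salt: bytes = b""
    pin_hash: bytes = b""


@dataclass(frozen=True)
class Decision:
    allowed: bool
    reason: str
    approver: str | None = None  # who elevated, for the audit trail


def set_pin(user: User, pin: str) -> None:
    """Keep only a salted PBKDF2 hash of the elevation PIN (assumption: the
    page does not say how elevation codes are stored)."""
    user.pin_salt = os.urandom(16)
    user.pin_hash = hashlib.pbkdf2_hmac("sha256", pin.encode(), user.pin_salt, 50_000)


def pin_matches(user: User, pin: str) -> bool:
    """Constant-time comparison so a wrong PIN cannot be distinguished by timing."""
    if not user.pin_hash:
        return False
    candidate = hashlib.pbkdf2_hmac("sha256", pin.encode(), user.pin_salt, 50_000)
    return hmac.compare_digest(candidate, user.pin_hash)


def find_grant(user: User, functionality: str, scope: str) -> Grant | None:
    return next((g for g in user.grants
                 if g.functionality == functionality and g.scope == scope), None)


def authorize(actor: User, functionality: str, scope: str,
              approvers: list[User], pin: str | None = None) -> Decision:
    """Two-person rule: an elevated grant lets the actor start the task, but
    finishing it needs a PIN from a different user whose own grant on the same
    functionality and scope is complete (not marked for elevation)."""
    own = find_grant(actor, functionality, scope)
    if own is None:
        return Decision(False, "no grant")
    if not own.requires_elevation:
        return Decision(True, "own permission")
    if pin is None:
        return Decision(False, "elevation required")
    for approver in approvers:
        # The actor's own PIN never counts: elevation must come from another user.
        if approver is actor or not pin_matches(approver, pin):
            continue
        theirs = find_grant(approver, functionality, scope)
        if theirs is None or theirs.requires_elevation:
            return Decision(False, f"{approver.name} cannot elevate this permission")
        return Decision(True, "elevated", approver=approver.name)
    return Decision(False, "no approver matched the PIN")
```

Matching the approver by PIN alone, as this example does, only works if elevation codes are unique across users; a QR code carries the approver's identity as well, which removes that dependency. Whichever way the approver is identified, record who elevated what (the `approver` field here) so the action can be traced to both users afterwards.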
Workspaces
You need the SharedWorkspaces permission and corresponding scope to be able to use workspaces.
The Workspaces card provides an overview of any Workspaces that are shared with that role. It also displays which chapter the workspace is available for, indicates if it is the default one applied for that chapter, and provides an option to delete.
Deleting a shared workspace from this overview will only detach that workspace from the role and will not delete the workspace itself. Actual deletion can only be done from the Workspaces tab of the respective chapter where it was created.
Modules
You need to have the permission ModuleRoles in order to use this feature.
The Admin Suite modules are listed here, allowing you to control which modules a role can access. By default, all module access statuses are set to Inactive.