Roles and rights

Configure what a role can and cannot do

The Roles and rights chapter in Admin Suite provides an overview of all currently configured roles, and lets you assign functionalities (permissions) to a role, edit existing roles, or create new ones.

Authorization

You need the Roles and Functionalities permission to access this chapter. Permissions are managed from the Functionalities card of a user's role in the Roles and rights chapter.

Click an existing role or the '+' icon to open up the respective create/update card, or make use of the right sidebar filters to fine-tune the displayed roles in your overview.

Aside from the Functionality and Deactivate after filters, these are straightforward. The Functionality filter lets you select multiple specific functionalities, after which the overview displays only those roles that contain your selection.


General details

Whether you create a new role, or open up an existing one, you start off with the following fields:

  • Name - whatever you think suits the role (does not have to be unique)
  • Code - a concise code representing the role (does not have to be unique)
  • User type - more on User types can be found here
    • Employee
    • Customer
    • Anonymous
    • Debtor
    • API
  • Deactivate after - enter a number of days here
    • This field is available only to non-system generated roles;
    • The field is mandatory and accepts a value greater than 0, up to a maximum of 999;
    • EVA tracks the number of days since the last login of a user with this role and automatically deactivates the role for that user once that number of days is reached;
    • The user will be informed of this by means of a popup when logging in again.

Functionalities

Functionalities (also known as permissions) allow you to limit what users can do within each part of EVA.

Currently, there are over 300 different functionalities, providing extensive control and fine-tuning of each user's permissible activities within EVA. Adding another layer to this control, most functionalities are split into what we call Scopes, allowing for further refinement of what a user can do within a single functionality.

See Scopes and examples below for more on this concept:

Scopes and examples

Scopes

  • Manage: by selecting this, the role will be able to manage the functionality in its entirety (every scope will be ticked)
  • Create: the role is allowed to create (the general ledger account for example)
  • Edit: the role is allowed to edit
  • View: the role is allowed to view
  • Delete: the role is allowed to delete
  • Settings: the role is allowed to interact with settings which have this functionality attached
  • Scripting: the role is allowed to perform scripting tied to this functionality

The "Manage" Scope

Some functionalities only have the "Manage" scope, which makes them all-or-nothing. Whenever you come across such a functionality, rest assured that we've done so for a reason: we use this where the standalone scopes (edit, view, delete, etc.) wouldn't make sense. Take the ReleasePaidPickupOrders functionality as an example: it allows users to release pickup orders without verifying a customer's QR code. Scopes such as create, edit, view, or delete would not make sense here, so only the Manage scope can be ticked.

Examples

  • A user is not able to edit accounts for general ledgers without a role containing the Edit scope on the Accounts functionality
  • A user is not able to receive purchase order shipments without a role containing the Manage scope on the ReceivePurchaseOrderShipment functionality. Mind that this is one of those functionalities with a single all-or-nothing scope (see "The Manage scope" note above).

The Functionalities card displays all available permissions, along with a corresponding description of what that functionality entails.

Refine the functionalities list using the Search

You can refine the list of functionalities using the search field by typing in the functionality's name or the category it falls under (the latter is a work-in-progress). If a functionality is greyed out, your role does not have the necessary permission to modify it.


Settings scope

By clicking the 'i' icon in the Actions column, you can get an overview of which setting(s) are linked to that permission. That means any user not having the settings scope on that functionality will not be able to change the setting(s) mentioned either.

This is however a work-in-progress: the last Core drop before a new App Drop (see our Drop calendar) will bring a new batch of settings to Test and Acceptance. This setup means that the Core drop after the App Drop will bring the new batch of settings to Production environments.

The following tables show lists of all settings which have been released in Core drops.

List of settings combined with functionalities in C726
Setting | Functionality
Addresses:Address1OptionalCountries | Addresses
Addresses:Address2VisibleCountries | Addresses
Addresses:AutoGeocode | Addresses
Addresses:CityOptionalCountries | Addresses
Addresses:HouseNumberRequiredCountries | Addresses
Addresses:HouseNumberVisibleCountries | Addresses
Addresses:SecondaryAddressLineCountries | Addresses
Addresses:StateLength2Countries | Addresses
Addresses:StateLength3Countries | Addresses
Addresses:StateVisibleCountries | Addresses
Addresses:StreetOptionalCountries | Addresses
Addresses:ZipCodeOptionalCountries | Addresses
AddressSuggester:FilterOnCountry | Addresses
AddressSuggester:FilterAddressesOnly | Addresses
AdminModules:ProductionTemplates | Modules
Adyen:BaseUrl | PaymentMethods
Adyen:Username | PaymentMethods
Adyen:Password | PaymentMethods
Adyen:MerchantAccount | PaymentMethods
Adyen:PaymentDataDeterminator | PaymentMethods
Adyen:CredentialsProvider | PaymentMethods
Adyen:HmacKeys | PaymentMethods
Adyen:EnableKlarnaLineInfoForRefunds | PaymentMethods
Adyen:DisableStoreIDInDefaultPaymentData | PaymentMethods
Adyen:StoreCustomField | PaymentMethods
Adyen:ApplicationInfoWhitelistedApps | PaymentMethods
Adyen:DebugLogging | PaymentMethods
Adyen:MerchantAccount:Override:Enabled | PaymentMethods
Adyen:MerchantAccount:Override:MerchantAccount | PaymentMethods
Adyen:MerchantAccount:Override:PaymentMethods | PaymentMethods
Adyen:HandleMultiplePspReferencesOnPaymentTransactions | PaymentMethods
Adyen:UseCheckoutAPIForRefundsAndCaptures | PaymentMethods
Adyen:CheckoutAPI:BaseUrl | PaymentMethods
Adyen:CheckoutAPI:AllowedPaymentMethods | PaymentMethods
Adyen:CheckoutAPI:BlockedPaymentMethods | PaymentMethods
Adyen:CheckoutAPI:ClientKey | PaymentMethods
Adyen:CheckoutAPI:PreferBillingAddressCountryID | PaymentMethods
Adyen:CheckoutAPI:IncludeDisounts | PaymentMethods
Adyen:PosSdk:BaseUrl | PaymentMethods
Adyen:PosSdk:ApiKey | PaymentMethods
Adyen:Giving:DonationAccount | PaymentMethods
AdyenStoredValue:ApiUrl | PaymentMethods
AdyenStoredValue:ActivateValueMin | PaymentMethods
AdyenStoredValue:ActivateValueMax | PaymentMethods
Adyen:TerminalAPI:ApiKey | PaymentMethods
Adyen:TerminalAPI:SendMessageWhenUserIsMatched | PaymentMethods
Adyen:Checkout:SDK:BaseUrl | PaymentMethods
Adyen:Checkout:SDK:OneClick | PaymentMethods
Adyen:Checkout:SDK:ApiKey | PaymentMethods
Adyen:Checkout:SDK:PublicKeyForClientEncryption | PaymentMethods
Adyen:Checkout:SDK:AllowedPaymentMethods | PaymentMethods
Adyen:Checkout:SDK:BlockedPaymentMethods | PaymentMethods
Adyen:Management:ApiKey | PaymentMethods
Adyen:Management:IsTest | PaymentMethods
Adyen:Username:OnlineForOfflineOrder | PaymentMethods
Adyen:Password:OnlineForOfflineOrder | PaymentMethods
AllowChangingExportedOrderLinesToDelivery | Orders
AllowEmployeesOnOrdersInSplitScenario | Orders
AllowExternalNegativeStockAutoCorrect | AdjustStock
AllowModifyingQuantityAfterExport | AdjustStock
AllowMultiCurrencyOnOrganizationUnit | OrganizationUnitSettings
AllowMultiPackageShipments | Shipments
AllowNegativeStockAutoCorrect | AdjustStock
APIGiftCard:BaseUrl | GiftCardConfiguration
APIGiftCard:Password | GiftCardConfiguration
APIGiftCard:Timeout | GiftCardConfiguration
APIGiftCard:Username | GiftCardConfiguration
ApiKeyExpirationInDays | ApiKeys
ATrust:Host | Audits
ATrust:Password | Audits
ATrust:UserName | Audits
Auditing:Provider | Audits
Auditing:PublicKeyBlobID | Audits
Auditing:PrivateKeyBlobID | Audits
Auditing:Version | Audits
Auditing:SoftwareVersion | Audits
Auditing:AllowRawInvoiceReprints | Audits
Auditing:EnforceTransactionValidation | Audits
Auditing:DuplicatePrint | Audits
Auditing:AllowMultipleDuplicates | Audits
Auditing:UseNopeCat | Audits
Auditing:GenerateTerminalTotals | Audits
Auditing:UseInvoiceCloning | Audits
Auditing:RequireBillingDetailsForInvoice | Audits
Auditing:IncludeWebShopForAudits | Audits
Auditing:DailyConsolidation:MailTo | Audits
Auditing:PreferReceiptPrinting | Audits
Auditing:PreferPaperPrinting | Audits
Auditing:PreferEmail | Audits
Auditing:PreferElectronicReceipt | Audits
Auditing:InvoiceDeliveryInStoreDirectly | Audits
Auditing:AuditGeneratorName | Audits
Auditing:AuditCreatorStrategyName | Audits
Auditing:AllowExchangeOrders | Audits
Auditing:EventLedgerLimit | Audits
Auditing:VerboseAuditLogging | Audits
Auditing:UseCompanyBasedInvoiceSequenceNumber | Audits
Auditing:ForeignDescriptionProperty | Audits
Auditing:CalculateEmployeeDiscountExTax | Audits
Auditing:EmployeeDisplayType | Audits
Auditing:UseOrganizationUnitSequence | Audits
Auditing:PrintTerminalReport | Audits
Auditing:NF525:IntegrityCheck | Audits
Auditing:NF525:UseUnifiedMapper | Audits
Auditing:NF525:MaxOfflinePeriodDurationInDays | Audits
Auditing:China:Baiwang:Environment | Audits
Auditing:China:Baiwang:AppKey | Audits
Auditing:China:Baiwang:AppSecret | Audits
Auditing:China:Baiwang:AppSalt | Audits
Auditing:China:Baiwang:Username | Audits
Auditing:China:Baiwang:Password | Audits
Auditing:China:Baiwang:Terminal | Audits
Auditing:China:Baiwang:SerialPrefix | Audits
Auditing:Austria:AESKey | Audits
Auditing:Austria:FailSigning | Audits
Auditing:Austria:SignatureCreationUnitID | Audits
Auditing:Austria:FON:ParticipantID | Audits
Auditing:Austria:FON:UserID | Audits
Auditing:Austria:FON:UserPIN | Audits
Auditing:Austria:Fiskaly:ForceOffline | Audits
Auditing:FiskalyManagement:ApiKey | Audits
Auditing:FiskalyManagement:ApiSecret | Audits
Auditing:FiskalyManagement:Identifier | Audits
Auditing:FiskalyManagement:OrganizationPrefix | Audits
Auditing:FiskalyManagement:OrganizationIdentifier | Audits
Auditing:FiskalyManagement:OrganizationApiKey | Audits
Auditing:FiskalyManagement:OrganizationApiSecret | Audits
Auditing:FiskalyKassenSichV:Host | Audits
Auditing:FiskalyKassenSichV:TssID | Audits
Auditing:FiskalyKassenSichV:TssPIN | Audits
Auditing:FiskalyKassenSichV:TssPUK | Audits
Auditing:Italy:RtServer:Url | Audits
Auditing:Italy:RtServer:Username | Audits
Auditing:Italy:RtServer:Password | Audits
Auditing:Italy:RtServer:Async | Audits
Auditing:Italy:Email:FiscalMemoryStatusReceiverEmail | Audits
Auditing:Italy:Email:PrintRtServerWideZReportFailureReceiverEmail | Audits
Auditing:Italy:UseSentinel | Audits
Auditing:Italy:RtServer:UseNewLotterySystem | Audits
Auditing:Italy:SDIService:Url | Audits
Auditing:Italy:SDIService:CertificateBlobID | Audits
Auditing:Italy:SDIService:CertificatePassword | Audits
Auditing:Italy:SDIService:TransmitterCountryCode | Audits
Auditing:Italy:SDIService:TransmitterVatCode | Audits
Auditing:Italy:SDIService:ErrorHandlerEmailAddress | Audits
Auditing:Italy:SDIService:DebugLoggingEnabled | Audits
Auditing:Poland:LogoBlobID | Audits
Auditing:Poland:WelcomeMessage | Audits
Auditing:Poland:FailAutoPrint | Audits
Auditing:Poland:LongMonthlyReportEnabled | Audits
Auditing:Poland:FailJpkSaving | Audits
Auditing:Poland:DebugPrinting | Audits
Auditing:Poland:DebugErrorsOnly | Audits
Auditing:Poland:FailPrinting | Audits
Auditing:Poland:KSeF:Enable | Audits
Auditing:Poland:KSeF:EnableDetailedDebugLogging | Audits
Auditing:Poland:KSeF:Endpoint | Audits
Auditing:Poland:KSeF:SellerCompanyNIP | Audits
Auditing:Poland:KSeF:PublicKey | Audits
Auditing:Poland:KSeF:ApiToken | Audits
Auditing:Poland:KSeF:REGON | Audits
Auditing:Romania:UseSentinel | Audits
Auditing:Romania:Upos:Password | Audits
Auditing:Romania:Upos:Username | Audits
Auditing:Romania:Upos:UseSsl | Audits
Auditing:Romania:Upos:Creator | Audits
Auditing:Romania:SkipCertificate | Audits
Auditing:Romania:ConnectionTimeoutInSeconds | Audits
Auditing:SAFT:Series:SigningCertificateBlobID | Audits
Auditing:SAFT:Series:ClientCertificateBlobID | Audits
Auditing:SAFT:Series:ClientCertificatePassword | Audits
Auditing:SAFT:Series:Username | Audits
Auditing:SAFT:Series:Password | Audits
Auditing:SAFT:Series:Endpoint | Audits
Auditing:SAFT:Series:EnablingProfiling | Audits
Auditing:SAFT:Series:NewSequenceMonth | Audits
Auditing:Sweden:InfrasecApiCertificate:Url | Audits
Auditing:Sweden:InfrasecEnrollmentCertPfx:BlobGuid | Audits
Auditing:Sweden:InfrasecEnrollmentCertPfx:Key | Audits
Auditing:Sweden:InfrasecEnrollmentCertServerTrustPem:BlobGuid | Audits
Auditing:Sweden:InfrasecReceiptApiCertificate:Url | Audits
Auditing:Sweden:InfrasecReceiptCertPfx:BlobGuid | Audits
Auditing:Sweden:InfrasecReceiptCertPfx:Key | Audits
Auditing:Sweden:InfrasecReceiptCertServerTrustPem:BlobGuid | Audits
Auditing:Sweden:InfrasecApi:PosAuthorityCode | Audits
Auditing:Sweden:Tenant:Code | Audits
Auditing:Sweden:Tenant:Name | Audits
AutoCancelNonShippedLines | Orders
AutoCancelNonShippedLinesOnFinalShipment | Orders
AutoCancelShippingCostsWhenOrderIsFullyCancelled | Orders
AutomaticOrderCancellationTimeInDays | Orders
AutoOpenCloseFinancialPeriod | FinancialPeriods
AutoReceiveSupplierPurchaseOrder | PurchaseOrders
AutoSendInvoice | Audit
AutoShipOrderLinesOnCreation | ShipmentSettings
AutoShipRemainingLinesAfterCancellation | ShipmentSettings
AvaTax:CompanyCode | TaxRates
AvaTax:InvoiceAction | TaxRates
AvaTax:Password | TaxRates
AvaTax:Production | TaxRates
AvaTax:ShippingCostsTaxCode | TaxRates
AvaTax:Username | TaxRates

List of settings combined with functionalities in C730
Setting | Functionality
CheckDuplicateFiscalID | Audits
CheckDuplicateVatNumber | Audits
ClickAndCollect:Payment:Limit | PaymentMethods
CloneOrderLineToDeliveryLine | Orders
Consignor:Actor | ShippingMethods
Consignor:BaseUrl | ShippingMethods
Consignor:FallbackProductWeight | ShippingMethods
Consignor:IsDeliveryReceipt | ShippingMethods
Consignor:Key | ShippingMethods
Consignor:PackageWeight | ShippingMethods
Consignor:ProductWeightProperty | ShippingMethods
CreateEmployee:AllowGeneratingPassword | Employee
CreateEmployee:AllowSettingPassword | Employee
CreateEmployee:AllowUserUpdate | Employee
CreateEmployee:AllowUserUpgrade | Employee
B2b:CommitAfterSigning | Orders
B2b:RequireOrderVerification | Orders
BICharts:Customer:BaseUrl | DashboardData
BICharts:Customer:BasicAuthPassword | DashboardData
BICharts:Customer:BasicAuthUsername | DashboardData
AX:ShopID | FinancialEvents
AX:CustAccount | FinancialEvents
AX:StoreID | FinancialEvents
AX:ReceiptConfirmationFolderSuffix | FinancialEvents
AX:SaleOrderProducer | FinancialEvents
AX:SaleOrderOutput | FinancialEvents
AX:EnableOriginatingOrganizationUnit | FinancialEvents
AX:EnableReturnWithoutRetake | FinancialEvents
AX:ReturnWithoutRetakeProductBarcode | FinancialEvents
AX:ReturnWithoutRetakeProductItemID | FinancialEvents
AX:ExportFinancialPeriodEvents | FinancialEvents
AX:ExportBundleProducts | FinancialEvents
AX:BundleProductBarcode | FinancialEvents
AX:BundleProductItemID | FinancialEvents
AX:DiscountOfferIdProvider | FinancialEvents
AX:HybridMode | FinancialEvents
AX:UseOriginStoreID | FinancialEvents
AX:FinancialPeriodExport:UseShippingCountry | FinancialEvents
AX:Ftp:Host | FinancialEvents
AX:Ftp:UserName | FinancialEvents
AX:Ftp:Password | FinancialEvents
AX:FTP:EnableOrigin | FinancialEvents
AX:HSO:EndPoint | FinancialEvents
AX:HSO:Credentials | FinancialEvents
AX:HSO:CompanyID | FinancialEvents
AX:HSO:IgnoreCompanyID | FinancialEvents
AX:HSO:ReceiptConfirmation:CustomFieldBackendIDs | FinancialEvents
AX:HSO:EnablePalletID | FinancialEvents
AX:HSO:EnableOrigin | FinancialEvents
AX:Warehouse:ForceWebserviceConfirmations | FinancialEvents
AX:Warehouse:Location:Sellable | FinancialEvents
AX:Warehouse:Location:Transit | FinancialEvents
AX:Warehouse:Location:Charity | FinancialEvents
AX:Warehouse:Location:Blocked | FinancialEvents
AX:Warehouse:Code:NDDC | FinancialEvents
AX:Warehouse:Code:RODC | FinancialEvents
AX:Warehouse:Code:UKDC | FinancialEvents
AX:Warehouse:Code:USAV | FinancialEvents
AX:Warehouse:Code:ONHK | FinancialEvents
AX:Warehouse:Code:ESDC | FinancialEvents
AX:Warehouse:Code:DEDC | FinancialEvents
AX:Shipping:Barcode | FinancialEvents
AX:Wrapping:Barcode | FinancialEvents
AX:StockMutations:WarehouseID | FinancialEvents
AX:Stock:Import:FolderName | FinancialEvents
AX:StockDifference:Import:FolderName | FinancialEvents
AX:StoreCode:US | FinancialEvents
AX:BrandName:BeautyAndWellness | FinancialEvents
AX:BrandName:BeautyAndParfum | FinancialEvents
AX:BrandName:VVVCard | FinancialEvents
AX:BrandName:WonderboxNL | FinancialEvents
AX:BrandName:FashionCheque | FinancialEvents
AX:BrandName:Love2Shop | FinancialEvents
AX:BrandName:Illicado | FinancialEvents
AX:BrandName:IGive | FinancialEvents
AX:BrandName:Xpon | FinancialEvents
AX:BrandName:Sparebank | FinancialEvents
AX:BrandName:Oberthur | FinancialEvents
AX:BrandName:ProsodieIllicado | FinancialEvents
AX:BrandName:Netscard | FinancialEvents
AX:BrandName:XponCard | FinancialEvents
AX:BrandName:CashComGiftcard | FinancialEvents
AX:BrandName:ResursBank | FinancialEvents
AX:BrandName:Breuninger | FinancialEvents
AX:BrandName:UniversalGiftcard | FinancialEvents
AX:BrandName:Mapping | FinancialEvents
AX:ReturnToSupplier:EmailAddress | FinancialEvents
AX:ReturnToSupplier:OnlyExportApprovedAndCompleted | FinancialEvents
AX:TaxMapper:NonDomCountries | FinancialEvents
AX:TaxMapper:NonDomCountries:InStore | FinancialEvents
AX:TaxMapper:InStoreTaxGroup | FinancialEvents
AX:TaxMapper:InStoreTaxCode | FinancialEvents
AX:TaxMapper:InStoreTaxItemGroup | FinancialEvents
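
Several of the settings listed above hold credentials, so the Settings scope on their functionality decides who can change them. The following is an added example, not code from EVA: a least-privilege review that flags roles able to change secret-bearing settings. The role export format, the role codes and the name-matching heuristic are assumptions; the setting-to-functionality pairs are a subset of the tables above.

```python
# Added example (not EVA code): find roles that can change secret-bearing settings.
# Setting -> functionality pairs are a subset of the tables on this page.
SETTING_TO_FUNCTIONALITY = {
    "Adyen:Password": "PaymentMethods",
    "Adyen:HmacKeys": "PaymentMethods",
    "Adyen:Management:ApiKey": "PaymentMethods",
    "APIGiftCard:Password": "GiftCardConfiguration",
    "Auditing:PrivateKeyBlobID": "Audits",
    "Auditing:Austria:AESKey": "Audits",
    "AvaTax:Password": "TaxRates",
    "AX:Ftp:Password": "FinancialEvents",
    "Addresses:AutoGeocode": "Addresses",
    "AllowMultiPackageShipments": "Shipments",
}
ALL_SCOPES = ("Create", "Edit", "View", "Delete", "Settings", "Scripting")
# Heuristic (assumption): these fragments in the last name segment mark a secret.
SECRET_MARKERS = ("password", "secret", "token", "apikey", "hmackeys",
                  "aeskey", "privatekey")

# Constructed role export; the format and role codes are hypothetical.
ROLES = [
    {"code": "CASHIER",
     "functionalities": {"PaymentMethods": ["View"], "Addresses": ["Edit", "Settings"]}},
    {"code": "STORE_MGR",
     "functionalities": {"PaymentMethods": ["Manage"], "Shipments": ["Settings"]}},
    {"code": "FIN_API",
     "functionalities": {"Audits": ["View", "Settings"], "TaxRates": ["View"]}},
]

def is_secret_setting(name):
    last_segment = name.rsplit(":", 1)[-1].lower()
    return any(marker in last_segment for marker in SECRET_MARKERS)

def sensitive_functionalities(mapping):
    """Map each functionality to the secret-bearing settings it gates."""
    gated = {}
    for setting, functionality in mapping.items():
        if is_secret_setting(setting):
            gated.setdefault(functionality, []).append(setting)
    return {f: sorted(s) for f, s in gated.items()}

def effective_scopes(scopes):
    # Ticking Manage ticks every scope of the functionality, Settings included.
    return set(ALL_SCOPES) | {"Manage"} if "Manage" in scopes else set(scopes)

def audit(roles, mapping):
    """Return sorted (role code, functionality, settings) findings."""
    gated = sensitive_functionalities(mapping)
    findings = []
    for role in roles:
        for functionality, scopes in role["functionalities"].items():
            if functionality in gated and "Settings" in effective_scopes(scopes):
                findings.append((role["code"], functionality, gated[functionality]))
    return sorted(findings)

if __name__ == "__main__":
    for code, functionality, settings in audit(ROLES, SETTING_TO_FUNCTIONALITY):
        print(f"{code}: Settings scope on {functionality} -> {', '.join(settings)}")
```

The STORE_MGR finding comes from Manage alone, which is the case most easily missed when reviewing roles by their ticked Settings column.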

Filtering service results based on permissions

While the results of service calls are normally filtered on the context of your login/OU, you can instead filter on the user's permissions. Although this is intended to become the default throughout EVA, you can already turn it on with the following settings:

  • Set Security:UseContextIndependentFunctionalityChecksAndFiltering to true
  • Set LimitOrganizationUnitVisibility to true (this will filter organizations by the ones you have a requested functionality for)
  • Set EnablePriceViewingFunctionalities to true (this will enable viewing functionalities for everything related to prices)

The benefits are twofold:

  • Your user will be able to see (for example) financial period results across all the OUs the user has permissions for, without having to switch OUs;
  • Your user will no longer see sensitive information they shouldn't have access to.

The services affected by this setting are listed in the following section.

List of services
  • PriceLists
  • ReturnReasons
  • Discounts
  • FullStockCount
  • Invoices
  • GeneralLedgers

Elevation

In addition to permissions, EVA allows for elevated permissions. With elevation, you can give specific users permission to carry out part of a task, while requiring validation/authorization from another user whose role has the complete permission to perform it.

For example: you can allow a role to participate in counting a full stock count, while not allowing that same user to complete the FSC.

You can enable this elevation per permission by double-clicking the Manage column or any other column you want to apply elevation to. An orange sign signals that the permission requires elevation. Click Done afterwards to save your changes.
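
The decision logic described in the Scopes and Elevation sections, as an added example that is a simplified model and not EVA's implementation. It assumes that "complete permission" means the approver's role holds the scope without the elevation mark and that a user cannot approve their own request; the role codes and user names are constructed.

```python
# Added example (a simplified model, not EVA's implementation).
from dataclasses import dataclass, field

ALLOW, DENY, NEEDS_ELEVATION = "allow", "deny", "needs_elevation"

@dataclass
class Role:
    code: str
    # functionality -> {scope: True if the scope is marked as requiring elevation}
    grants: dict = field(default_factory=dict)

    def elevation_flag(self, functionality, scope):
        """None if the scope is not granted, otherwise the elevation mark."""
        scopes = self.grants.get(functionality, {})
        if scope in scopes:
            return scopes[scope]
        return scopes.get("Manage")  # Manage ticks every scope

@dataclass
class User:
    name: str
    role: Role

def decide(user, functionality, scope, approver=None):
    flag = user.role.elevation_flag(functionality, scope)
    if flag is None:
        return DENY
    if flag is False:
        return ALLOW
    # Elevated scope: another user whose role holds the scope without the
    # elevation mark has to authorize (assumed reading of "complete permission").
    approved = (approver is not None
                and approver.name != user.name
                and approver.role.elevation_flag(functionality, scope) is False)
    return ALLOW if approved else NEEDS_ELEVATION

# Constructed roles and users; "Accounts" is the functionality from the page's examples.
BOOKKEEPER = Role("BOOKKEEPER", {"Accounts": {"View": False, "Edit": True}})
CONTROLLER = Role("CONTROLLER", {"Accounts": {"Manage": False}})
alice = User("alice", BOOKKEEPER)
bob = User("bob", BOOKKEEPER)
carol = User("carol", CONTROLLER)

def demo():
    return [
        decide(alice, "Accounts", "View"),                  # plain scope
        decide(alice, "Accounts", "Delete"),                # scope not granted
        decide(alice, "Accounts", "Edit"),                  # elevated, no approver
        decide(alice, "Accounts", "Edit", approver=alice),  # self-approval
        decide(alice, "Accounts", "Edit", approver=bob),    # approver also elevated
        decide(alice, "Accounts", "Edit", approver=carol),  # approver has Manage
    ]

if __name__ == "__main__":
    print(demo())
```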


Elevation codes

Elevation can be done by means of PIN or QR code. More on creating elevation codes can be found here.

Workspaces

Authorization

You need the SharedWorkspaces permission and corresponding scope to be able to use workspaces.

The Workspaces card provides an overview of any Workspaces that are shared with that role. It also displays which chapter the workspace is available for, indicates if it is the default one applied for that chapter, and provides an option to delete.


Deleting a workspace

Deleting a shared workspace from this overview will only detach that workspace from the role and will not delete the workspace itself. Actual deletion can only be done from the Workspaces tab of the respective chapter where it was created.

Modules

Authorization

You need to have the permission ModuleRoles in order to use this feature.

The Admin Suite modules are listed here, allowing you to control which modules a role can access. By default, all module access statuses are set to Inactive.