User Roles
A user role is a collection of user rights, each of which grants users the ability to perform a certain task or view certain data elements within the account. Each user is assigned one or more user roles on the Service Users page, and a user can only perform those tasks listed in his or her user.
To restrict user access to an account, user roles work in tandem with the menus of that account. If an account menu contains a link to a page that a user lacks the permission to access, that link will not be rendered on the menu; conversely, if a user has the permission to access a page, but no menu has a link to that page, the user will be unable to navigate to that page. In this way, user roles help to categorize users by their levels of access; the absolute highest level of account users are given the default "Account Supervisor" role, given them full access to the account, whereas the lowest level of user may be given a custom "End User" role, allowing them to only view a select few reports.
The User Roles Page
User Roles can be created and managed on the Admin > User Roles page, shown below.
On this page, an account supervisor can change the name and description fields of an existing user role, as well as which user permissions the selected user role contains. The Operations section contains a list of all possible user permissions rendered as checkboxes, and those included within the selected role appear as checked. An account supervisor can check and uncheck permissions to add and remove them from the selected role, respectively; as always, no changes are committed unless the "Update" button is pressed, and the "Reset" button clears all changes since the last time the user role was updated. The process of adding a new user role is identical to editing an existing one: after pressing the "Add" button on the left filter, the user can enter a name, description, and permissions, and then create the new role.
Aggregate Rights
Some user rights are groups of permissions in and of themselves. A good example is the "View Resources" permission, which is a collection of the rights to access each individual resource or resource type defined in the account. When this permission is checked, its text becomes a link (often of a different color), and the user can click on this link (not the checkbox) to bring up the following panel:
This panel allows the account supervisor to pick and choose which resource types and resources to which the permission grants users access. If some are excluded, the number of selected resource types is shown in parenthesis next to the link in the Operations section of the page, otherwise "(all)" will be shown instead. On the right side of the page, the Permissions section provides a summary of all operations selected for the selected user role. For the aggregate user rights, this section will display "(all)" next to the name of the permission if all constituent elements are selected; if not, this section will explicitly enumerate the selected elements.