Configuring Security Role Permissions

When Security Roles are created, they have no permissions for entities, tabs, apps, or Active Pages. Administrators must configure these permissions to make roles functional. Permission options vary significantly based on the Security Role type and how entities relate to Account and Contact records.

Understanding Permission Structure

Permission Levels by Entity Type

The available permission options depend on how entities relate to Account and Contact records:

Account/Contact Connected Entities

  • Entities connected to Account and Contact records typically show "Private" and "Controlled By Parent" options
  • "All" permissions are generally not available since data filtering is handled by Account/Contact associations

Non-Connected Entities

  • Entities not connected to Account/Contact records show "All" permissions
  • Used for system-wide data that isn't filtered by Account associations

Master/Detail Relationships

  • Child entities in Master/Detail relationships show "Controlled By Parent" option
  • Permissions inherit from the parent entity's settings

Requirements

To configure Security Role permissions, you must have:

  • Administrator System Role permissions

Permission Configuration Workflow

Accessing Permission Configuration

  1. Navigate to the Setup Home page
  2. Click Security > Security Roles
  3. Click the Security Role you want to configure
  4. Click Edit

Entity Permissions Configuration

Understanding Permission Options

The following options are available based on entity type and Security Role type:

Basic Permission Levels

  • None/No: Users have no permissions for this action
  • All: Users have permissions for all records (available for non-connected entities)
  • Private: Users only have permissions for records they personally created or own

Hierarchical Permission Levels (Employee Security Roles Only)

  • User and Direct Subordinates: Personal records plus records of users one level below in hierarchy
  • User and All Subordinates: Personal records plus records of all users below in hierarchy
  • Team: Personal records plus the manager's records and those of equal-level users
  • Team and Direct Subordinates: Team access plus one level below
  • Team and All Subordinates: Team access plus all levels below
  • All Employees: Access to all internal employee user records
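The following Python sketch is an added example, not Magentrix code. It models the hierarchical levels listed above so that the expected set of record owners can be worked out before testing a role with real users. The reporting chart is constructed, and two readings are assumptions: "equal-level users" means peers who share the same manager, and "one level below" / "all levels below" are counted from the user.

```python
# Added illustration, not Magentrix code: expected record visibility per level.
# Constructed reporting chart: user -> manager (None marks the top).
MANAGER = {
    "ceo": None, "vp_sales": "ceo", "vp_eng": "ceo",
    "rep_a": "vp_sales", "rep_b": "vp_sales", "intern": "rep_a",
}

def direct_subs(user):
    return {u for u, m in MANAGER.items() if m == user}

def all_subs(user):
    found, stack = set(), [user]
    while stack:
        for sub in direct_subs(stack.pop()) - found:  # skip seen: tolerates cycles
            found.add(sub)
            stack.append(sub)
    return found

def team(user):
    # Assumption: "equal-level users" means peers with the same manager.
    mgr = MANAGER[user]
    return {user} if mgr is None else {user, mgr} | direct_subs(mgr)

# Assumption: "one level below" / "all levels below" are relative to the user.
LEVELS = {
    "None": lambda u: set(),
    "Private": lambda u: {u},
    "User and Direct Subordinates": lambda u: {u} | direct_subs(u),
    "User and All Subordinates": lambda u: {u} | all_subs(u),
    "Team": team,
    "Team and Direct Subordinates": lambda u: team(u) | direct_subs(u),
    "Team and All Subordinates": lambda u: team(u) | all_subs(u),
    "All Employees": lambda u: set(MANAGER),
}

def visible_owners(user, level):
    """Owners whose records `user` should reach at `level`."""
    return LEVELS[level](user)

def over_exposed(user, level, allowed):
    """Owners reachable at `level` that the role's intent does not cover."""
    return visible_owners(user, level) - set(allowed)

if __name__ == "__main__":
    for level in LEVELS:
        print(f"{level:30} {sorted(visible_owners('rep_a', level))}")
```

In this model, `over_exposed("rep_a", "Team", {"rep_a", "rep_b"})` returns the manager, which shows that "Team" reaches upward as well as sideways.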

Relationship-Based Permissions

  • Controlled By Parent: Permissions determined by parent entity (Master/Detail relationships)
  • Use Hierarchy: Enable hierarchical permission calculations

Permission Strategy by Role Type

Employee Security Roles

  • Full range of hierarchical permission options available
  • "Private" permissions check against the owner field and user account (not Contact records)
  • "Controlled by Parent" permissions are not available (Employee roles don't use Account-based filtering)
  • Consider using "Team" or "All Employees" for collaboration needs
  • Use "Private" for sensitive personal data owned by specific employees

Partner & Customer Security Roles

  • Permissions automatically filtered by Account/Contact associations
  • "Private" permissions check against the owner field, which is a Contact lookup field
  • "Controlled by Parent" available for entities with Account-based relationships
  • Account hierarchy settings affect cross-account access
  • Entity-level configuration determines which Contact/Account lookups are used for security (see Entity Security Configuration below)

Guest Security Roles

  • Typically limited to "None" or "All" for public access
  • Use "All" only for content intended for public consumption
  • Consider security implications carefully for any granted permissions

Entity Security Configuration

Important: The following configurations are set at the entity level and affect how security works across all Security Roles. They are not configured within individual roles.

Multiple Contact Lookup Configuration

When an entity has multiple lookup fields to Contact records, administrators must designate which lookup field serves as the "owner field" at the entity level. This determines:

  • How "Private" permissions are evaluated for Partner and Customer users across all roles
  • Which Contact record is used for ownership validation
  • This configuration affects all Security Roles that interact with this entity

Multiple Account Lookup Configuration

When an entity has multiple lookup fields to Account records, administrators must choose which lookup field will be used for account-based security filtering at the entity level. This determines:

  • How Partner and Customer users access records based on their Account associations
  • Which Account relationship controls data visibility across all roles
  • How account hierarchy access works for this entity

Single Lookup Scenarios

When entities have only one Contact lookup or one Account lookup, no additional configuration is needed - the system automatically uses the single available relationship for security filtering.

Configuring Entity Permissions

  1. Select the All Entities tab
  2. For each entity, set Read, Create, Edit, and Delete permissions:
    • Choose appropriate permission level based on role purpose and entity type
    • Consider data sensitivity and business requirements
    • Test permission combinations to ensure proper access

Tab and App Configuration

Tab Settings

  1. Select the Tab Settings tab
  2. Configure tab visibility for each tab:
    • On: Tab is accessible and appears in Apps
    • Off: Tab is accessible but appears only in "More Tabs" menu
    • Hidden: Tab is completely inaccessible

App Settings

  1. Select the App Settings tab
  2. Configure app access and defaults:
    • Visible: Users can access the App
    • Default: App is selected by default on user login (only one per role)

Active Pages and Classes Configuration

Active Pages/Classes Access

  1. Select the Active Pages/Classes tab
  2. Choose accessible components:
    • Active Pages: Custom interface components (similar to those used in self-registration)
    • Active Classes: Custom C# .NET Framework 4.8 controllers and code-behind components

Note: Active Classes are primarily relevant for custom development and will be covered extensively in the Developer Guide.

Additional Settings Configuration

Core Settings

  1. Select the Additional Settings tab
  2. Configure role-specific settings:

Basic Configuration

  • Description: Internal documentation of the role's purpose and scope
  • Track Record Views: Monitor last 30 record views for compliance and analysis
  • Session Timeout: Control how long users remain logged in before automatic logout

Authentication and Security

  • Two-Factor Authentication: Require second authentication factor for enhanced security (recommended for sensitive roles)
  • Disable login with Magentrix credentials: Force Single Sign-On only access
    • Important: If this setting is later disabled, reset passwords for all users with this role
  • API Access Enabled: Grant access to Magentrix REST API (covered in Developer Guide)

Employee Role Specific Features

The following features are available only for Employee Security Role types and relate to various Magentrix modules:

Content and Document Management

  • Access Document Management: Enable folder sharing permissions and document audit reports
  • Access Static Assets: Enable access to cloud-based assets

Module-Specific Access (Features of various Magentrix modules)

  • Access Rewards Enabled: Configure reward programs and manage claims
  • Access Reward Redemption Enabled: Configure gift card redemption and cash payouts
  • Access Popup Alerts Enabled: Create and analyze popup alert campaigns
  • Access Carousels Enabled: Create and share content carousels
  • Access Translation Studio Enabled: Access translation management and configuration
  • Access Deal Management Enabled: Manage all deal management features
  • Access Service Management Enabled: Manage all service management features

Social Collaboration Settings

Social Features

  • Social Collaboration: Enable access to Social Collaboration module
  • Enable Direct Messages: Allow private messaging between users
    • Warning: This setting cannot be disabled once enabled
  • Feed/Comment Edit Permission: Control whether users can edit feed comments and time limits

User Management Features

  • New User Activation Reminders: Send reminder emails to users who haven't logged in
  • Reminder Email Template: Choose template for activation reminders
  • First/Second Reminder: Configure timing for reminder emails

Best Practices by Role Type

Employee Security Roles

  • Use Hierarchy: Leverage organizational hierarchy for appropriate access control
  • Module Features: Enable only necessary Employee-specific features to avoid interface complexity
  • API Access: Grant only when integration or development work is required
  • Two-Factor Authentication: Strongly recommended for roles with administrative capabilities

Partner & Customer Security Roles

  • Keep Simple: Focus on core permissions since Account/Contact filtering handles data scope
  • Social Features: Consider enabling Social Collaboration for community building
  • Direct Messages: Enable only if business processes require private user communication
  • Session Management: Set appropriate timeouts based on user patterns and security requirements

Guest Security Roles

  • Minimal Permissions: Grant only permissions necessary for public access
  • Security Review: Carefully review any "All" permissions for public consumption suitability
  • Documentation: Clearly document what public access is granted and why

Testing and Validation

Permission Testing Process

  1. Create Test Users: Use each role with sample user accounts
  2. Validate Entity Access: Confirm appropriate read/write access to entities
  3. Test Tab/App Access: Verify navigation and interface accessibility
  4. Module Integration: Test role permissions within relevant Magentrix modules
  5. Hierarchy Validation: For Employee roles, test hierarchical access patterns

Common Issues and Solutions

  • Over-Permissioning: Start with minimal permissions and expand as needed
  • Hierarchy Confusion: Test Employee hierarchy permissions with realistic organizational structures
  • Module Dependencies: Some features may require multiple permission settings to function properly
  • Account Filtering: Verify that Partner/Customer roles properly respect Account/Contact boundaries

Proper Security Role permission configuration ensures that users have appropriate access while maintaining security and supporting your organization's business processes across all Magentrix modules.

