RICS Enterprise has a complex permissions system to allow fine-grained control of what functions users and organizations are allowed to access. The various things that users can do are defined by Actions in the system. For example, each screen in Enterprise has its own Action, and only users entitled to that Action are allowed to access the screen. (In fact, if they do not have permission to a given screen, it will not even appear in the user’s navigation menu!)
Some Actions grant permission to do certain things beyond merely navigating to a screen. For example, the “User : Basic - Inventory Inquiry : View Costs” permission allows a user to see the cost of products on the Inventory Inquiry screen (and in various other places in the system).
There are three components required for a user to be able to perform an Action.
The User must have permission to the Action
This is accomplished by assigning the user a Role that grants access to the Action. Roles are set up on the Manage Roles page, and then assigned to users via the Manage Users page.
The Organization must have permission to the Action
This is accomplished by assigning the Organization a Role that grants access to the Action. This is done only by the RICS team. The role is created via the Manage Roles screen, and then assigned to an Organization via the Manage Organization screen.
The User must have permission to the Organization
This is the piece that often confuses people. The User must have permission to the Organization in order to perform any actions there. In order to do this, a Role must be created on the Manage Roles screen that grants access to the Organization, and then that Role must be assigned to the User via the Manage Users screen. Note that a User always has permission to the Organization where it was created (even if it does not have any Roles that give it access to that Organization).
Some things that our permission system cannot do
There are a few things that our permission system is not set up to accomplish. The main one is allowing a user access to different Actions at different stores. For example, there is no way to set up a user so that he can View Costs at Store 1 but not at Store 2. If a user has permission to a given Action, they can perform that Action at all the stores to which they have permission.
Another limitation is that users cannot create or assign Roles that have more permissions than the user has. This makes sense when you think about it: a user should not be able to grant access to functions that the user isn’t allowed to perform himself. If you see a situation where a Role is not showing up on the Manage Users screen, check to make sure that the logged in user has permission to all of the Actions in that role.