You can grant permissions to access Creatio data and functionality for individual users and user groups (referred to as “roles”).
Users
You need to create and license a user account for each Creatio user. Each user record must be linked to a specific contact. Enterprise organizations with an extensive infrastructure of IT services can benefit from a number of features for centralized user management and authentication.
Synchronization with the LDAP catalog will automatically create Creatio users with all necessary details from your LDAP directory, such as name, job title, communication options, addresses, roles, etc. In addition, users will be able to use their domain credentials to log in to Creatio. You can learn more about how to set up LDAP synchronization in the “LDAP integration and user authentication in Creatio” article.
Single Sign-On (SSO) technology enables using a single user account to log in to multiple services. Once a user authenticates in one of the services, they become authenticated in all services that use single sign-on. Learn more about SSO features in the “Single Sign-On in Creatio” and “Single Sign-On setup” articles.
Roles
Configuring the structure of user roles (Fig. 1) is the important first step in Creatio permission management. After this, you can easily set access permissions by assigning new users to the needed roles.
Fig. 1 Example of the role structure
There are two types of user roles: organizational and functional. All users assigned to a role inherit the access permissions of that role. An actual access level of a Creatio user is a combination of access permissions of all of the user’s roles.
Organizational roles represent the structure of access levels. You assign access permissions to organizational roles. Examples of organizational roles are different company branches (e.g., the head office and a regional office), as well as company departments, e.g., “System administrators”, “Sales”, “Administrative department”.
Functional roles are designed to represent the structure of your actual job titles. You assign permissions to functional roles by linking them with organizational roles. Examples of functional roles are usually “Sales manager”, “Office manager”, “Secretary”. For example, if you need to grant the same permissions to secretaries of different offices, set up access permissions for the “Secretaries” functional role.
Note
The data of Creatio users, organizational and functional roles are stored in the “SysAdminUnit” database table.
Permission inheritance between organizational roles
Subordinate roles inherit all access permissions that have been set up for their parent role. As a result, in addition to any permissions that you assign individually for a user, the user will also obtain any permissions of their role, as well as any permissions inherited by that role from other roles.
For example, the “All employees” organizational role grants minimum access permissions necessary for any employee. If you add a user to any of its subordinate roles, e.g., “Sales department”, such user will inherit all permissions set up for both, the “Sales department” and “All employees” roles. Users with a role that is subordinate to the “Sales department” role will inherit the access permissions from that role, permissions from its parent “Sales department” role and permissions from the “All employees” role, which is a parent role for the “Sales department” role (Fig. 2).
Fig. 2 Example of inheriting parent roles by a user
As a result, in addition to any permissions that you assign individually for a user, the user will also obtain any permissions of their role, as well as any permissions inherited by that role from other roles.
For any organizational role, you can assign a manager role. A manager role automatically obtains all permissions from all of its subordinate employees. The main defining feature of the manager role (Fig. 3) is that it automatically obtains all the permissions of the corresponding organizational role and its subordinate roles. For example, the “All employees” organizational role includes a “Head office’ subordinate role, which in its turn includes a “Sales department” subordinate role. If you assign a manager role to the “Head office” role, the managers of the head office will obtain all permissions granted to the “Head office” and “Sales department” roles.
Fig. 3 Example of a manager role for the “Sales department’ organizational role
Each Creatio configuration has a “System administrators” organizational role. By default, this role has maximum possible permissions and can create, read, update and delete any data.
A user can have several roles. For example, you can assign an employee the “Sales managers” and “Account managers” roles. Permissions for each of these roles may conflict with each other. In this case, you need to set up the permission priority. Read more about permission priorities in the “How to configure access to operations in section objects” article.
Types of access permissions
In Creatio, you can grant access to business data (e.g., to the [Accounts] section records or dashboards), as well as to the Creatio functions, such as the ability to export records to Excel, design business processes, configure sections, etc.
Access to business data grants permission to perform CRUD (creating, reading, updating and deleting) operations with data. To provide access to business data, you need to configure access permissions to corresponding Creatio objects. Creatio objects are roughly equivalent to database tables and correspond to sections, details, lookups, etc.
You can manage access to business data on several levels:
-
Ability to perform CRUD operations with any data in an object. Learn more about setting up access to object data in the “Managing object operation permissions” article.
-
Ability to view, edit or delete separate records. Learn more about record permissions in the “Managing record permissions” article.
-
Ability to view, edit or delete values in separate object columns. Learn more about column permissions in the “Managing column permissions” article.
Access to functions can be granted through system operations. System operation permissions (access to Creatio functions) should not be confused with object operation permissions (which imply access to CRUD operations in objects). System operations enable you to manage access to a broad list of Creatio functions, including user registration, configuring workplaces, managing lookups, system configuration, etc.
Note
A user (as a rule, it is the system administrator) who has access to the “View any data”, “Add any data”, “Edit any data” and “Delete any data” system operations, can create, read, update or delete data in any object, regardless of settings in the [Object permissions] section.
Learn more about system operations in the “System operation permissions” article.
User activity logging and audit
Native tools for logging user activities in Creatio include Audit log and Change log.
Audit log automatically registers all events related to a modification of user roles, distribution of access permissions, changes in the values of system settings and users' authorization in the system. You can learn more about using the audit log in the “Audit log” article.
Change log enables tracking the history of changes in the database tables of Creatio. You can set up a list of objects that will be used for tracking changes in the change log. Learn more about using the log in the “Change log” article.
See also
•Managing object operation permissions
•Selecting an object to set up access permissions
