Using roles and permissions

Roles can be used to create different levels of access for sets of users within internal teams, as well as with external companies, including customers and partners.

Role types

There are 3 types of roles in Heropa: 

1. End users: All users are provided a level of base permissions that gives them the ability to take courses, and participate in events. Roles and permissions are not required to provide users with access to a course. See: Providing users access to a course.

End users do not need to be assigned a role with permissions. 

2. Global: Use this role type to create roles that have visibility of all Companies and all objects / resources. Permissions can be used to restrict users with a global role type to perform certain functions across Companies.

Global role types are typically used for internal users. For example, a Helpdesk role with restricted permissions to support users can be created as a global role type so users across all Companies can be supported.

3. Company: Use this role type to create roles that have visibility of a single Company. This will include visibility of resources shared with that Company. 

Company role types are typically used to provide users with limited access to perform functions for their own company.

If you use Companies to segregate departments, a company role type could be created to allow users within a department to manage their own users and resources. 

For example, a Company Training Administrator with certain permissions can be created as a company role type to manage users and course enrollments for their own company.

Admins role: Your Heropa instance will come with a default Admins role, a global role type which gives full permissions across the platform. This role can not be deleted, and its permissions can not be modified. Within this role exists a 'Heropa Admin' user, used by Heropa to provide support. Please do not delete this user.

Should you require granular role-based access, create new global or company roles, and configure the required permissions as per the guidelines below. 

Adding a role

1. From the left navigation menu, select Administration, then select Roles. This will display a list of current roles in your company's Heropa instance. 
2. Select Add from the top navigation.
3. Select the role type:  
   • Use Global if the role requires visibility across Companies
   • Use Company if the role requires visibility of a single Company 
4. Name the role, and select Create. 

Setting permissions

Permissions are used to specify what the role is able to do.

Once a role is created, permissions should be set to ensure any users assigned the role have the correct permissions. Permissions are managed in the Permissions tab of the role.

To set permissions, select the role from the list of roles.

Some guidance on setting permissions in the Permissions tab

When setting permissions, all categories should be reviewed. For each category:

• Determine whether the role requires permission to that category. If a category is left blank, the role will have no permissions within that category.
• The 'Left nav' permission is what determines whether the category is visible in the left navigation menu in the platform. This can be used to control what screens users with different roles see. Note that there may be scenarios where permissions might need to be granted to categories even if seeing the screens in the category is not required for the role.

For example: You might want to give a role left nav visibility of courses, which will require 'View' access of Environments, Templates, VM images, etc, so that these can be visible when viewing a course. However that same role may not need to see Environments, Templates or VM images in the left nav.

• If a permission is required for the category, select the required level of permission. Some definitions:
  • View: Can view own items in the category
  • Edit: Can edit own items in the category
  • Create: Can create new items in the category
  • Delete: Can delete own items in the category
  • View Others: Can view items created by others in the category
  • Edit Others: Can edit items created by others in the category
  • Delete Others: Can delete items created by others in the category  

• Note that in some cases, where categories are related, selecting a permission will automatically select a permission in another category. This is because the functions are dependent on each other. Without having visibility of / access to a related category, the category permission will not work on its own.

For example: Selecting a 'View' permission for Environments will automatically select 'View' on Templates, Policies, VM images, etc. 

• For Reports, select which reports the role should have access to.
• For Users, some additional permissions are available: 
  • Login as User: Can login as a different user
  • Change Password: Can change a different user's password
  • Change Permissions: Can change a different user's permissions 
• For Roles, the 'Assign Users' permission should be used cautiously, as it allows a user with the role to add users to roles. 

Adding users to a role

Once a role has been created and permissions set, users can be assigned with the role. If a user is added to a role, they will have access to all functions specified in the role permissions. Users can assigned a role when they are created, or at a later time.

This can be set:

From within Administration / Roles (good for assigning multiple users to a role):

1. Locate the role, and on the Users tab, select Add User. 
2. In the Users column on the left, locate the user to be added to the role.
3. Select the user and use the right arrow to move them to the Added users column on the right.
4. Remove a user from the role by using the left arrow to return them to the Users column on the left.
5. Select OK

From within Administration / Users: 

1. Locate the user, and on the Details tab, select the role in the Role field.