Using roles and permissions

Roles can be created for different sets of users in your company's Heropa instance.

Permissions are used to specify what the role is able to do.

When to use roles

Admins: Your Heropa instance will come with a default Admin role, which gives full permissions across the platform. This role can not be deleted, and its permissions of this role can not be modified.

Should you require more granular role-based access, create new roles and select the required permissions as per the guidelines below. 

Heropa Admin: Your Heropa instance will come with a Heropa Admin role. This is used by Heropa to provide support. Please do not delete this role.

End users: All users are provided a level of base permissions that gives them the ability to take courses, and participate in events. Roles and permissions are not required to provide users with access to a course. See: Providing users access to a course.

End users do not need to be assigned a role with permissions. 

Roles should be used to create different levels of access within internal teams, partners, etc.

Adding a role

1. From the left navigation menu, select Administration, then select Roles. This will display a list of current roles in your company's Heropa instance. 
2. Select Add from the top navigation to add a new role.
3. Name the role, and select Create. 

Setting permissions

Once the role is created, permissions should be set to ensure any users assigned the role have the correct permissions. Permissions are managed in the Permissions tab of the role.

To set permissions, select the role from the list of roles.

Some guidance on setting permissions in the Permissions tab

When setting permissions, all categories should be reviewed. For each category:

• Determine whether the role requires permission to that category. If a category is left blank, the role will have no permissions within that category.
• The 'Left nav' permission is what determines whether the category is visible in the left navigation menu in the platform. This can be used to control what screens users with different roles see. Note that there may be scenarios where permissions might need to be granted to categories even if seeing the screens in the category is not required for the role.

For example: You might want to give a role left nav visibility of courses, which will require 'View' access of Environments, Templates, VM images, etc, so that these can be visible when viewing a course. However that same role may not need to see Environments, Templates or VM images in the left nav.

• If a permission is required for the category, select the required level of permission. Some definitions:
  • View: Can view own items in the category
  • Edit: Can edit own items in the category
  • Create: Can create new items in the category
  • Delete: Can delete own items in the category
  • View Others: Can view items created by others in the category
  • Edit Others: Can edit items created by others in the category
  • Delete Others: Can delete items created by others in the category  

• Note that in some cases, where categories are related, selecting a permission will automatically select a permission in another category. This is because the functions are dependent on each other. Without having visibility of / access to a related category, the category permission will not work on its own.

For example: Selecting a 'View' permission for Environments will automatically select 'View' on Templates, Policies, VM images, etc. 

• For Reports, select which reports the role should have access to.
• For Users, some additional permissions are available: 
  • Login as User: Can login as a different user
  • Change Password: Can change a different user's password
  • Change Permissions: Can change a different user's permissions 

Adding users to a role

Once a role has been created and permissions set, users can be assigned with the role. If a user is added to a role, they will have access to all functions specified in the role permissions. Users can assigned a role when they are created, or at a later time.

This can be set:

From within Administration / Roles (good for assigning multiple users to a role):

1. Locate the role, and on the Users tab, select Add User. 
2. In the Users column on the left, locate the user to be added to the role.
3. Select the user and use the right arrow to move them to the Added users column on the right.
4. Remove a user from the role by using the left arrow to return them to the Users column on the left.
5. Select OK

From within Administration / Users: 

1. Locate the user, and on the Details tab, select the role in the Role field.