General information on roles and rights

 

Many rights exist in two forms: as a reading right and as an editing right (for example Customers: read and Customers: edit).

If a user has only a reading right but not the required editing right, he can only read the data records for the object the right pertains to, but he cannot edit them.

An editing right allows the user to edit the object the right pertains to.

An editing right does not include the corresponding reading right.

However, since the reading right is, for example, required for the relevant menu item to be displayed, a user should always be assigned the corresponding reading right in addition to the required editing right.

A basic distinction is made between the following roles and rights. Each role and each right can be assigned either as an action role/right or as an allocation role/right (referred to below as grant role/right):

Action roles and rights

Action rights allow the user to execute the required action on his own. Action rights include operative rights (such as SEPA cancellations: create and send file(s)) as well as administrative rights (such as Customers: edit).

Grant roles and rights

Grant rights allow a user to perform the following tasks:

He can directly assign a right to another user as an action or grant right if he has the right to edit that user.

He can assign a right to a role which is already in use and thereby implicitly allocate it if he has the right to edit that role.

Note:

A user can assign a role to another user if he has all the rights contained in the role as grant rights and if he has the right to edit that user. This means that it is not necessary for him to have the role itself as a grant role.

Validities of rights

Rights have validities. They are valid for certain hierarchy levels. Thus a right can be listed multiple times, because it is valid for different hierarchy levels (for example Protocol user bank accesses: edit for customer bank accesses (own) and Protocol user bank accesses: edit for customer bank accesses (customer)).

A distinction is made between the following validities:

All

If you have a right with this validity, you may edit all objects that are assigned to any branch except your own branch.

Branch

If you have a right with this validity, you may edit all objects that are assigned directly to your branch (for example, text key templates) and additionally objects that are assigned to all customers of your own branch except for your own customer.

Customer

If you have a right with this validity, you may edit all objects that are assigned directly to your customer (for example, ordering party accounts) and additionally objects that are assigned to all users of your own customer except for yourself.

Own

If you have a right with this validity, you may edit all objects that are assigned to yourself.

--

This right is independent of hierarchy levels. It determines whether a certain function may be executed (for example AZV: create).

Note:

If a right is to be valid for all objects, the relevant user requires that right on all hierarchy levels.

→ The section Rights lists and explains all rights with their validities.
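The validity rules above can be checked mechanically when reviewing a user's assignments. The following is an added example, not code from the product: it maps an object to the single validity that covers it and reports which hierarchy levels are still missing before a right is valid for all objects. It assumes that an object assigned to a user also counts as belonging to that user's customer and branch; the right name, the Owner class and all branch, customer and user names are hypothetical, and the level-independent validity "--" is not modelled.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Owner:
    """Position of an object (or of the acting user) in the hierarchy."""
    branch: str
    customer: Optional[str] = None  # None: assigned directly to the branch
    user: Optional[str] = None      # None: assigned directly to the customer

def required_validity(actor: Owner, obj: Owner) -> str:
    """Return the one validity that covers obj for this actor."""
    if obj.branch != actor.branch:
        return "All"        # every branch except the actor's own
    if obj.customer is None or obj.customer != actor.customer:
        return "Branch"     # own branch directly, or its other customers
    if obj.user is None or obj.user != actor.user:
        return "Customer"   # own customer directly, or its other users
    return "Own"            # assigned to the actor himself

def may_edit(held: set, right: str, actor: Owner, obj: Owner) -> bool:
    """held is the set of (right name, validity) pairs assigned to the actor."""
    return (right, required_validity(actor, obj)) in held

def missing_levels(held: set, right: str) -> list:
    """Hierarchy levels still needed before the right covers all objects."""
    levels = ("All", "Branch", "Customer", "Own")
    return [v for v in levels if (right, v) not in held]

# Constructed sample data: the right name and all identifiers are invented.
RIGHT = "Example objects: edit"
ACTOR = Owner("branch-1", "cust-A", "alice")
HELD = {(RIGHT, "Branch"), (RIGHT, "Own")}
OBJECTS = {
    "other branch": Owner("branch-2", "cust-Z", "zoe"),
    "own branch, direct": Owner("branch-1"),
    "other customer, same branch": Owner("branch-1", "cust-B", "bob"),
    "own customer, direct": Owner("branch-1", "cust-A"),
    "colleague": Owner("branch-1", "cust-A", "carol"),
    "self": Owner("branch-1", "cust-A", "alice"),
}

if __name__ == "__main__":
    for label, obj in OBJECTS.items():
        print(f"{label:30} needs {required_validity(ACTOR, obj):9}"
              f" allowed={may_edit(HELD, RIGHT, ACTOR, obj)}")
    print("missing for full coverage:", missing_levels(HELD, RIGHT))
```

With only Branch and Own assigned, the sample user can edit objects of other customers in the same branch but not those of colleagues under the same customer, which is the gap the note on hierarchy levels describes.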

Roles

Roles can be valid globally for all branches or belong to a certain branch or customer. Different rights are required to create the respective role:

Global roles: right Roles: edit global roles

Branch roles: right Roles: edit branch roles

Customer roles: right Roles: edit customer roles