The first level of the security system provided by SocrateCloud is made up of Roles. When a user logs into SocrateCloud, he must select a specific role. A user can have multiple roles available, but can only log in with one. There are 4 types of generic roles:
System Administrator
Superuser
Tenant Administrator
Tenant User
The System Administrator role only gives access to system level records, such as units of measure and document types. The System Administrator role cannot be modified. You can add other System Administrator roles, but the one created for configuring system-wide definitions cannot be changed.
The Superuser role encompasses all of the roles defined in the system. This role is for emergency situations only, when it is necessary to log in with a user that has access to every data item of every organization. No more than a few key users should have access to this role.
Tenant Administrator and Tenant User are intended for users responsible for carrying out transactions. The Tenant Administrator configures various settings and carries out transactions. The Tenant User can only add documents.
When logging into SocrateCloud, the menu is automatically arranged according to the entities the Role allows access to; menu elements the user is not allowed to access are not displayed. Roles also define the actions that a user can perform on the entities he can access: viewing accounting information, reports, exports, blocking records and viewing blocked records. Roles also define what the user can access: Organizations, Windows, Processes, Forms, Workflows and Tasks.
You can create or modify a role in the Role window, located in the System Admin -> General Rules -> Security menu. Starting with v16.04, this window is replaced by the Roles Maintenance window, which offers the additional functionality of tree-based role management. The following fields are available:
Role Type - predefined classification used to group all of a tenant's roles under a standard (template) role;
User Level - determines the level at which data can be entered or accessed by the role. A role that offers its users a lower level will not allow access to windows, processes or records defined at a higher level. Example: a role with Organization level will not allow its users to access windows defined at "System + Tenant" level, regardless of the access defined in the Window Access tab. The available options are:
"Tenant" - grants access to non-transactional data;
"Organization" - grants access to transactional data only;
"Tenant and Organization" - grants access to both reference data (Business Partners, Payment Conditions, etc.) and transactional data (Orders, Payments, etc.);
"System" - grants access to reference data, but not transactional data;
Manual - indicates whether access to new windows, processes, workflows and tasks is defined automatically after migrating to a new version:
if checked, the role access will not be updated automatically;
if not checked, role access will be defined automatically for any new window, process, workflow or task that appears after migrating to a new version;
Administrator - select if this is an administrator role. An administrator can update the passwords of users with other roles;
The Workflow section contains settings applicable to document workflows. Details in Workflows.
Approval Amount - is used for document approvals. Users having this role can approve documents, provided that the total document amount is not greater than the value entered in this field;
Currency - the currency used for the approval amount;
Approve own Documents - if checked users with this role are allowed to approve the documents they create. If not checked, the documents can only be approved by another user;
Supervisor - user used for escalation and approval;
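As an added illustration of how the Approval Amount, Currency, Approve own Documents and Supervisor fields interact (example code, not SocrateCloud's own implementation; the exchange rates, user names and documents are constructed, and the escalation-to-supervisor behaviour when the limit is exceeded is an assumption drawn from the field descriptions above):

```python
from dataclasses import dataclass
from typing import Optional, Tuple

# Constructed exchange rates into a base currency (assumption, not from the page).
RATES_TO_BASE = {"RON": 1.0, "EUR": 5.0, "USD": 4.5}


@dataclass
class Role:
    name: str
    approval_amount: float     # Approval Amount field
    currency: str              # Currency of the approval amount
    approve_own: bool          # Approve own Documents checkbox
    supervisor: Optional[str]  # Supervisor used for escalation


@dataclass
class Document:
    doc_id: str
    created_by: str
    total: float
    currency: str


def in_role_currency(amount: float, from_cur: str, to_cur: str) -> float:
    """Express a document total in the currency of the role's approval amount."""
    return amount * RATES_TO_BASE[from_cur] / RATES_TO_BASE[to_cur]


def approval_decision(role: Role, user: str, doc: Document) -> Tuple[str, Optional[str]]:
    """Decide what happens when `user`, logged in with `role`, tries to approve `doc`.

    Returns one of:
      ("approve", None)         - the user may approve the document
      ("other_user", None)      - own document, must be approved by another user
      ("escalate", supervisor)  - total above Approval Amount, goes to the Supervisor
      ("denied", None)          - total above the limit and no Supervisor to escalate to
    """
    if doc.created_by == user and not role.approve_own:
        return "other_user", None
    total = in_role_currency(doc.total, doc.currency, role.currency)
    if total > role.approval_amount:   # "not greater than" is the approval condition
        return ("escalate", role.supervisor) if role.supervisor else ("denied", None)
    return "approve", None


# Constructed sample role.
SALES_ROLE = Role("Sales Approver", approval_amount=10000, currency="RON",
                  approve_own=False, supervisor="sales.manager")
```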
Access section:
Preference Level - this determines whether users having this role can configure user-level or value-level settings. Details in User Interface;
"None" - users having this role do not have permission to configure either user-level or value-level settings;
"User" - user-level settings will be configurable and the values can only be set at user level;
"Organization" - allows settings to be configured both at user level and at value level, throughout the Organization;
"Tenant" - allows settings to be configured at Tenant level.
The selected preference level also determines what is visible in the data modification audit:
None, User, or Organization - only the data regarding who has created and who has last updated the document will be displayed in the Record Info window;
Tenant - all the data regarding the audited document modifications will be displayed in the Record Info window.
Customization level - the level at which window customizations made by the role are applied;
Display - display rule for the Tenant and Organization columns in SocrateCloud windows;
Menu Tree - here you can select the main menu available for this role. Details in Main Menu;
if no menu tree is selected, the default menu will be used. The menu trees are available in the Tree window;
starting with v16.04 a role will not be able to access windows, reports and processes which are not part of the menu tree. The roles maintenance tree is generated based on the selected menu tree;
Access all Orgs - if checked, the role will have access to all organizations and all the records defined in the Organization Access tab will be ignored. If the tenant has a large number of organizations, records may load faster with this option;
Organization Tree - this determines what subordinate organizations can be accessed if, when defining organization access, an organization consolidation level is selected;
if no organization tree is selected, the default tree will be used. The organization trees are available in the Tree window;
the organization tree is used to determine the role's access to organization data when access is defined using parent organizations;
Use User Organization Access - if selected, organization access will be defined at user level instead of role level. If selected you can define a single role for which the access to organizations will be defined at user level;
the organizations to which the user-role will have access are defined in the User window, Org Access tab;
Accounting - select if the role should allow access to:
Accounting Information tab in windows - You need to select Show Accounting Tabs in User Preferences (found in the Tools menu). If the "Accounting" checkbox is not checked, the "Show Accounting Tabs" checkbox will be deactivated;
Posted / Not Posted button in documents;
Account window in the Info menu;
Can Report - if selected this role will be able to generate reports;
Can Export - if selected this role will be able to export data. The role needs to have the ability to create reports in order to export them.
Personal Lock - if selected, this role will be able to block records so that other roles can't access them;
Personal Access - if selected, this role will be able to access all blocked records, regardless of the role that blocked them;
Overwrite Price Limit - if selected, users with this role will be allowed to enter prices outside the defined price limit. This option should be reserved for supervisor roles. Details in Prices;
Override Return Policy - if selected this role will be allowed to generate RMA-type documents outside the interval indicated by the corresponding return policies;
Use BP Restriction - select if this role is used to define customer access to the Web Store. Details in WebStore Extension;
Secure Info Product - if selected this role will not be allowed to see acquisition prices in the Price History area of the Product Info window;
Access Full API's - if selected this role will have access to all API methods;
Change Log - select if you want SocrateCloud to keep audit logs of all updates done by users having this role. Only Tenant-level users can view this log. This setting may cause unnecessary log growth and may also negatively impact server performance, so it is only useful for troubleshooting.
Is MSTR Group - if selected, this role will have access to and will be synchronised with SocrateBI groups. Only available if an active SocrateBI subscription exists;
Connection Profile - field currently not in use;
Confirm Query Records - is used to limit the number of records displayed automatically when opening a window;
if "0" is entered, the default limit will be used, which is 500;
Max Query Records - is used to limit the number of records displayed within a window;
if "0" is entered, no restrictions will be applied;
e.g. if you set the value 100 and the user opens the Items window, even if more than 100 records exist, only the first 100 will be displayed. Search filters can be used to display the other products;
Max no. lines/ report - is used to limit the number of rows that can be displayed on a report (a protection mechanism against generating reports with a very large number of lines, which would otherwise block the system);
Max Upload Attach Size (MB) - maximum size allowed for attachments for any entity or document within the system. The size is indicated in Megabytes;
You can use the tabs in the Role window to set the appropriate role rights and control organization access, user assignments, window access, form access, process access, workflow and task access.
The Org Access tab defines the organizations which a user can access when logged in with a certain role.
if access is defined to a parent organization (Summary Level = checked), the role will access all the subordinate organizations, according to the organization tree used;
if Access All Orgs is checked at role level, the records in the Org Access tab will be ignored;
by using the Read Only option you can give a role either read only or read/write rights to organization data;
check "Read Only" if you wish to grant users rights to view the organization data without the possibility of adding or editing records;
The organizations available in the Login window are determined by the organization access settings defined at role level:
only organizations for which Read/Write access was defined will be available;
if no Read/Write access is defined, only the * organization will be available;
all roles have access to the * organization, regardless of organization access settings;
if Access All Orgs was selected at role level, all the organizations defined at tenant level will be available, regardless of organization access settings.
Note: if Use User Organization Access was selected at role level, access to organizations will have to be defined for each user, in the User window, Org Access tab.
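The Org Access resolution rules above (Summary Level rows expanded through the organization tree, Read Only rows, Access All Orgs overriding the tab, Use User Organization Access taking rows from the User window, and the * organization always offered at login), worked through as an added example that is not SocrateCloud's own code; the organization tree and access rows are constructed, and the precedence of a read/write grant over an overlapping read-only one is an assumption:

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional

STAR_ORG = "*"  # every role can always log into the * organization
# Constructed organization tree (parent -> children); not from the page.
ORG_TREE: Dict[str, List[str]] = {
    "*": [], "HQ": ["Sales", "Production"], "Sales": ["Sales-North", "Sales-South"],
    "Production": [], "Sales-North": [], "Sales-South": [],
}


@dataclass
class OrgAccess:
    org: str
    summary_level: bool = False  # checked when the row names a parent organization
    read_only: bool = False      # Read Only option on the Org Access row


@dataclass
class Role:
    name: str
    access_all_orgs: bool = False
    use_user_org_access: bool = False
    org_access: List[OrgAccess] = field(default_factory=list)


def subtree(org: str) -> set:
    """org and every organization below it in the organization tree."""
    out = {org}
    for child in ORG_TREE.get(org, []):
        out |= subtree(child)
    return out


def resolve_org_access(role: Role, user_rows: Optional[List[OrgAccess]] = None) -> Dict[str, str]:
    """Map each reachable organization to 'rw' or 'ro' for this role.
    Rows come from the User window when Use User Organization Access is set.
    Assumption: when two rows overlap, a read/write grant wins over read only."""
    if role.access_all_orgs:               # Org Access rows are ignored
        return {org: "rw" for org in ORG_TREE}
    rows = user_rows if role.use_user_org_access else role.org_access
    access = {STAR_ORG: "rw"}
    for row in rows or []:
        mode = "ro" if row.read_only else "rw"
        for org in (subtree(row.org) if row.summary_level else {row.org}):
            if access.get(org) != "rw":
                access[org] = mode
    return access


def login_orgs(role: Role, user_rows: Optional[List[OrgAccess]] = None) -> List[str]:
    """Organizations offered in the Login window: only read/write ones (always includes *)."""
    return sorted(o for o, m in resolve_org_access(role, user_rows).items() if m == "rw")
```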
To view or modify the Users with this Role, select the User Assignment tab. To assign a User to this Role, enter or select the desired User. You can also assign a User to a Role in the User window.
Starting with v15.10 the "Role Maintenance" functionality is available through which application administrators can easily define roles and role access to SocrateCloud windows, processes and reports.
The Role Maintenance window, located in the Initial Setup menu, contains the following:
tree type menu - can be used to define access for a role to SocrateCloud menu items (windows, processes, reports) and their corresponding secondary elements (processes displayed as buttons within the window, secondary windows)
the role definition window, role access lines - similar functionality as the Role window, described above;
starting with v16.04, the Role window will no longer be available, and is replaced by the Roles Maintenance window;
Tree menu use:
check the menu elements and corresponding secondary elements for which role access needs to be defined using the checkboxes on the left of each element;
note: when checking/clearing a menu element, the corresponding secondary elements will also be checked/cleared;
to view the secondary elements, press the + button next to the parent element;
the checkboxes on the right of each element, on the RW column, are used to indicate whether the role access is "Read Only" (can only view records) or "Read/Write" (can view and edit records);
checked = read/write access;
cleared = read only access;
after defining the access according to steps 1 and 2, press the button to save the settings within the system;
saving will generate role access records for the selected menu elements.
The remaining tabs display all Windows, Processes, Forms, Workflows and Tasks that are available in SocrateCloud. The functionality, from the security point of view, is the same for each of the tabs.
In the Window Access tab a list of all windows in SocrateCloud will be displayed (e.g. a window of the Cash Journal). Select or deselect a window, form or process depending on the access rights you wish to grant those users that are assigned to this role. If the Roles were defined manually, it will be necessary to grant access to each desired window and then select the Active checkbox. You can also restrict the access to Read Only level by deselecting the Read/Write checkbox.
Note: If the Manual checkbox is not selected in the role description, then all the new windows, processes, forms, workflows and tasks added after a SocrateCloud update will be automatically added to the Roles. If the Manual checkbox is selected, then these have to be manually added.
The role details can be used to customize restrictions and access to:
Window Access - the rights of the role, both of editing and viewing, to windows in the SocrateCloud menu
Process Access - the rights to processes in the SocrateCloud menu
Form Access - the rights, both of edit and of viewing, to the form-type windows
Info Window Access - the right to view Info-type windows
Workflow Access
Task Access
Doc Action Restriction - this tab allows the limitation of the Role with regards to the available actions on a document.
The following fields are filled in:
Document Action - select the action for which the restriction is being established;
Table - you can choose a table to make the restriction effective for all the documents related to the table;
Document Type - you can choose the document type for which the restriction will work.
Save the record
Repeat these steps for each action you wish to restrict.
Through the records in the API Access tab, the user can add the API methods that this role can access. This option is used when full access is not wanted (in which case the "access all APIs" checkbox in the role definition is used) and access is instead granted method by method.
IP Access
Starting with v17.11, a new tab called IP Access is available in the Roles Maintenance and Tenant windows. Through this tab, a set of IP addresses can be defined at tenant and/or role level from which access to the account is allowed (from the login form and from the API). This functionality was introduced as an additional security measure: tenants can restrict access from other locations, which greatly reduces the risk of unauthorized access to the account.
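An added example (not SocrateCloud's own code) of evaluating a login-form or API request source against IP Access lists kept at tenant and role level, returning a reason that can be logged for denied attempts; the sample addresses are constructed from documentation ranges, and the rule that both lists must contain the address when both levels define one is an assumption, since the page does not state how the two levels combine:

```python
import ipaddress
from typing import List, Tuple


def build_allowlist(entries: List[str]):
    """Parse IP Access entries (single addresses or CIDR ranges) into networks."""
    return [ipaddress.ip_network(e, strict=False) for e in entries]


def ip_access_check(source: str, tenant_list=None, role_list=None) -> Tuple[bool, str]:
    """Check a request source against the tenant-level and role-level IP Access lists.

    A missing or empty list means no restriction at that level. Assumption (not
    stated on the page): when both levels define a list, both must contain the
    address. Returns (allowed, reason) so a denied attempt can be logged with its cause."""
    try:
        addr = ipaddress.ip_address(source)
    except ValueError:
        return False, "invalid source address"
    for level, allowlist in (("tenant", tenant_list), ("role", role_list)):
        if allowlist and not any(addr in net for net in allowlist):
            return False, f"{source} not in {level} IP Access list"
    return True, "allowed"


# Constructed sample lists using documentation address ranges (RFC 5737).
TENANT_LIST = build_allowlist(["203.0.113.0/24", "198.51.100.0/24"])   # office ranges
ROLE_LIST = build_allowlist(["203.0.113.10", "203.0.113.11"])          # admin workstations
```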