Role Management
Exploring
Where it fits in?
This program lets you maintain operator roles and configure settings for each role.
Role management enables system administrators to easily pre-configure and control a number of settings within SYSPRO.
Operators are assigned to one or more roles using the Operator Maintenance program which are then applied to the operator's profile.
Starting
Prerequisites
- When you initially implement SYSPRO, you should define your global role settings, before adding any roles.
- If you are currently using SYSPRO, you should only set the global role settings after you have defined all the required roles and have assigned your existing operators to these roles.
Groups
You can restrict operator access to programs by assigning them to groups and applying access control against the group (configured using the Operator Groups program).
By default, access to this program is disabled for all operator groups other than the ADMIN group.
Solving
FAQs
How are UI role design changes saved in a client-server environment?
While in Role Design on a client or the server, the changes are stored in Role_### (memory) on both the server and the client. After exiting the design mode, the changes are saved to a Role folder (e.g. Role_001) on the server and the Role_### folder is deleted from the client.
If you are designing a new role, then the next time the operator who is linked to the newly-created role logs in, the new role folder self-heals to the client.
If you are changing an existing role, then the Role folder is updated immediately if the operator designing the role is linked to the same role, otherwise self-healing takes place on the next session the user linked to the role logs in.
The server checks the date-time stamp on the version.txt file, and if the file does not exist or the date-time stamp is different, then the folder self-heals to the client.
Do system-wide UI changes take preference over roles?
No, role design always takes precedence over system-wide design.
When adding a system-wide VBScript, will this also apply to roles, or must it be added in role design?
The VBScript must also be applied at role level.
Which permissions are required on the server and the client for self-healing to work effectively?
For the server, a system account can be used, or a user account that is defined against the Communication Service and has all permissions except the following:
- Full Control
- Delete
- Change permissions
- Take ownership
For the client, a user account defined against the SYSPRO Client Service that has all permissions except the following:
- Full Control
- Delete
- Change permissions
- Take ownership
Where should changes to roles be made - client or server?
A role can be designed on the server or the client, but changes are always saved on the server and self-healed to the client.
If a user moves to a different machine, how does the server determine if the role folder exists for the user on the new machine?
The server checks the date time-stamp on the version.txt file. If the file does not exist, or the date time-stamp is different, then the folder self-heals to the client.
How do I restore a deleted role?
Role information is stored in the ADMRLP.DAT file in the \Work folder.
If you inadvertently deleted a role, you can restore this file from a backup to restore the role.
Where are role customization settings stored?
To provide operators within defined roles with the same customization experience across any machine (and in the event of a pod loss in a SYSPRO Cloud ERP environment) the customized role settings are stored in the \Base\Settings folder of the file system, as well as the following tables within the system-wide database in SQL:
-
Role customization files (e.g. \Settings\Role_xxx):
Stored within the SysRoles table.
-
Role menu files:
Stored within the SysMenu table.
When operators within a defined role log into SYSPRO, the system checks the SysRoles and SysMenu tables for any customized role settings or menus defined and returns these if found. If these settings are not found during the start-up process, the system checks the file system (\Base\Settings) and, if found, copies these to the respective SQL database tables and returns the saved settings to the SYSPRO instance.
Using
Tasks
Global configuration
The Global Configuration settings allow you to insist that the following are always configured by role and that the previous operator and group settings do not take effect:
- eSignatures
- Program access
- Activities and fields
- Access control
- Workflows
This enables you to ensure that older settings are not used and that only the new role-based settings are applied whenever a new operator is added or an existing operator is linked to a role.
Considerations
- If you indicate that any of your global role configurations are always by role, then all operators must belong to a role.
- Global settings to always configure a security setting by role takes precedence over any individual role settings you have defined. For example: If you enable the Program access always by role global configuration option, then regardless of whether program access for a specific role is defined as not configured by role, the program access will always have to be configured by role (i.e. the settings against the individual roles are ignored).
Copying roles
Using the Copy function from the Edit menu, you can create a new role with the same settings as the role currently displayed, however once copied, you need to make at least one change to the new role to be able to save it.
You can copy the individual security settings between existing roles using the following programs:
- Program access (Role Program Access Maintenance)
- Activities and fields (Role Activities and Fields Maintenance)
- Access control (Role Access Control Maintenance)
- Workflow (Role Workflow Security Maintenance)
Role configuration
When you select the Configure by role option for any of the role configurations, you use the corresponding Browse icon to access the relevant program to define the role settings.
When you access the individual programs to configure role settings, your selections are saved within each of the programs:
- Role Activities and Fields Maintenance
- Role Program Access Maintenance
- Role Access Control Maintenance
- Customization Management
- eSignature Setup
Therefore, canceling out of the Role Management program does not undo your selections in those programs.
Configuration considerations
- To perform web views design by role, the operator should belong to a role and the User interface for the role must be set to Configured by role.
-
You use the Customization Management program to manage the design layouts applied to operator roles once they have been defined.
The Role Management program enables you to manage the actual roles (e.g. adding, deleting, copying, exporting and importing).
Hints and Tips
- When defining roles per company, the role configuration for the operator's default company is in effect until they log into a specific company in SYSPRO.
Referencing
Menu and Toolbar
| Field | Description |
|---|---|
|
Edit |
|
|
Add |
Create a new role. |
|
Delete |
Delete the current role. |
|
Copy |
Create a new role with the same settings as the role currently displayed. Once copied, you need to make at least one change to the new role to be able to save it. |
|
Options |
|
|
Global Configuration |
Indicate the set of parameters to apply globally to all roles created in SYSPRO. You should define these parameters before adding any roles.
|
|
Import |
|
|
Import Standard Roles |
Import the standard roles shipped with the SYSPRO product. This adds the standard roles and does not delete or overwrite any roles you may have defined. |
|
Export Roles |
Use the Operator Role Export program to export all (or selective) role settings to a text file. Once exported, the file can be imported at another SYSPRO site using the Operator Role Import program. This enables you to transfer role settings to multiple sites without having to manually recreate the settings for each role on each new site. |
|
Import Roles |
Use the Operator Role Import program to import role settings from a text file that was output using the Operator Role Export program. This enables you to transfer the role settings from another site to the current site without having to manually recreate the settings for each role at the current site. |
|
New |
Create a new role. |
|
Delete |
Delete the current role. |
|
Save |
Save your settings. If you enable eSignatures or Program access settings by role, but no configuration is defined for the role, then the system displays a warning message to that effect and allows you to configure the role details at that point. You will be unable to save your settings until this done. In addition, the default configurations will apply until you have configured the roles. |
|
Role |
Indicate the role you wish to maintain. |
|
Organogram |
Select this to use the Role Organogram Maintenance program to view the role organogram. |
Global Configuration
| Field | Description |
|---|---|
|
Global role settings |
|
|
All operators must be assigned to a role |
Ensure that when a new operator is added or an existing one is maintained, that the operator is assigned to at least one role. A warning message is displayed if any existing operators are not currently assigned to a role. You cannot save changes to those operators (using the Operator Maintenance program) until you assign them to a role. |
|
Global role configuration |
|
|
eSignatures always by role |
Indicate that you always want to define Electronic Signature settings by role. Alternatively, eSignature settings can be configured by:
|
|
Program access always by role |
Indicate that you always want to define program access by role. Alternatively, program access is configured by operator group. |
|
Activities and fields always by role |
Indicate that you always want to define access to activities and fields by role. Alternatively, access to activities and fields are configured by operator. |
|
Access control always by role |
Indicate that you always want to define access control to key fields (e.g. bank, AP branch, AR branch, warehouse, etc.) by role. Alternatively, access control is configured by operator. |
|
Workflow always by role |
Indicate that you always want to define access to workflows and operations within workflows by role. Access to workflows and workflow operations can also be applied from within the Workflow Services Menu. |
|
Separate role settings by company |
These options enable you to define individual role settings per SYSPRO company. This means that the same role can be configured differently in your different companies. For example: In Company A you can allow operators (belonging to the Salespersons role) to maintain Sales Orders. In Company B you can deny access to that function for the same operators in the Salespersons role. |
|
eSignatures by company within role |
Define eSignatures by company by role. |
|
Program access by company within role |
Define program access by company by role. |
|
Activities/fields by company within role |
Define activities and fields by company by role. |
|
Access control by company within role |
Define access control by company by role. |
Role Information
| Field | Description |
|---|---|
|
Role configuration |
When you select the Configure by role option for any of these configurations, you use the corresponding Browse icon to access the relevant program to define the role settings. |
|
Role |
Indicates the description for the role you are currently maintaining. |
|
User interface |
Indicate whether you want to configure the user interface for operators belonging to this role according to the role's settings. You can then use the Configure user interface settings hyperlink to define this within the Customization Management program. Elements of the user interface that you can customize range from docking panes and list views to display forms and entry forms. |
|
eSignatures |
Indicate whether you want to configure access to eSignatures for operators belonging to this role according to the role's settings. You can then use the Configure eSignature settings hyperlink to define the eSignature configuration within the Electronic Signature Configuration Setup program. |
|
Program access |
Indicate whether you want to configure program access for operators belonging to this role according to the role's settings. You can then use the Configure program access settings hyperlink to define this access within the Role Program Access Maintenance program. |
|
Activities and fields |
Indicate whether you want to configure access to activities and fields for operators belonging to this role according to the role's settings. You can then use the Configure activities and fields settings hyperlink to define these within the Role Activities and Fields Maintenance program. |
|
Access control |
Indicate whether you want to configure access control to key fields (e.g. banks, AP branches, AR branches, warehouses, etc.) for operators belonging to this role according to the role's settings. You can then use the Configure access control settings hyperlink to define these within the Role Access Control Maintenance program. |
|
Workflow |
Indicate whether you want to configure access to workflows (and operations within workflows) for operators belonging to this role according to the role's settings. |
Role Usage
This pane displays a tree view of the roles to which operators are currently assigned, together with the operators assigned to them.
Operators Linked to Role
This pane displays the list of operators defined for the current company and the roles to which they are linked.
Copyright © 2022 SYSPRO PTY Ltd.