Skip to main content
Version: Next

Managing Rights

Context

Access management is based on three fundamental pillars. Understanding their distinction is essential to ensure security and proper functioning of automations.

Prerequisites

Prerequisites
  • Administration rights to modify user permissions
  • Access to the Administration navigation bar
  • Understanding of the organizational chart and structure

The three pillars of rights management

1. The Right (Technical Permission)

This is the most granular level. A Right authorizes a specific technical action or access to an administration tool.

Specifications

  • It is binary (Granted or Denied).
  • It primarily concerns system administration powers.
  • Where to configure? In the Security tab of the user profile (e.g., ability to modify a workflow, ability to manage security).
  • Usage: Reserved for administrators or solution designers.

Security and Access Rights

Available rights

  • Can access: Activates restricted access to administration.
  • Process Studio: Design rights on Forms, Workflows, Organization, or Settings.
  • Security (Delegation right): "Can manage security" checkbox allowing the user to define rights for other collaborators.
  • SyncTool: Authorizes control of synchronization tools.
  • Others: Access to the ImportDoc module for data recovery.

2. The Profile (Business Set)

A Profile is a logical grouping of rights corresponding to a function in the company. It is a pre-configured access model.

Specifications

  • It defines the scope of action within business applications.
  • It is global: a user has a profile that defines their default capabilities (e.g., "Reader" Profile, "Contributor" Profile, "Business Administrator" Profile).
  • Where to configure? In the Assignments > Profile(s) tab.
  • Usage: Simplifies account creation. Instead of checking 20 boxes, you simply select the profile suited to the position.

Assignments, Groups and Roles

Profile examples

  • Reader: Read-only access to documents
  • Contributor: Creation and modification of documents
  • Validator: Validation rights in workflows
  • Business Administrator: Complete management of a business application
  • Quality Manager: Specific profile for quality managers

3. The Role (Contextual Function)

The Role defines the user's mission in a specific context (a department, a folder, or a validation circuit).

Specifications

  • Static Role: Manually assigned to give specific power (e.g., "Quality Manager").
  • Dynamic Role: Automatically deduced from the organizational chart or folder (e.g., "The requester's N+1", "The document author").
  • Where to configure? In the Assignments > Role(s) tab.
  • Usage: This is the engine of Workflows. Tasks are not sent to a specific individual, but to a "Role" to ensure continuity even in case of organizational changes.

Types of roles

Static roles (manually assigned):

  • Quality Manager
  • Buyer
  • Technical Validator
  • Security Manager

Dynamic roles (automatically calculated):

  • The requester's N+1
  • The document author
  • The department manager
  • Distribution group members

Summary table

ConceptQuestion addressedVisibility
RightWhat can I do (Admin)?Security tab
ProfileWhat is my role in the tool?Assignments tab
RoleTo whom should I validate this file?Workflows / Departments

Delegation management

Delegation is a key functionality for managing absences (vacation, illness) without blocking validation processes. It allows a user (the holder) to temporarily or permanently transfer their rights to another user (the substitute).

Types of delegation

There are two types of delegation:

1. Temporary Delegation (Substitution)

  • Defined for a given period (Start date / End date).
  • Ideal for vacations or temporary assignments.
  • The substitute receives the holder's rights only during this period.

2. Permanent Delegation

  • Active without time limit.
  • Useful for executive assistants or permanent teams who must be able to validate on behalf of their manager at any time.

Configuration

Each user can manage their own delegations from the Web Portal:

  1. Access your Preferences (top right).
  2. Go to the Delegation tab.
  3. Add a new delegation:
    • Select the concerned application (or "All").
    • Choose the Delegate (the person who will receive the rights).
    • For temporary substitution, check "Temporary" and enter the dates.

Impact on rights

The Process Studio rights system is additive. When a delegation is active:

  • The substitute inherits the Roles, Groups, and Departments of the holder.
  • They see the holder's tasks in their own task list (or via a "My managers' tasks" view).
  • They can validate forms on behalf of the holder.
Important

Delegation does not remove rights from the holder. Both can act during the substitution period.

Rights management tool

Tip

The "Manage rights" button: In the user list toolbar, you can access a summary view of authorizations to quickly check and compare the actual rights of multiple collaborators simultaneously.

Best practices

  • Principle of least privilege: Grant only the rights strictly necessary for each user
  • Use profiles: Create standard profiles for each company function
  • Document roles: Keep the list of roles and their meaning up to date
  • Periodic review: Regularly check granted rights (recommendation: quarterly)
  • Traceability: Any rights modification is recorded in audit logs