Role Permissions grant system users the ability to access module areas and create, edit, and delete data. Role Permissions also allow a user to utilise module-related actions, run standard and quick reports on module records, and participate in the approval and review workflow of module records, including the ability to view confidential records. A Role (a named permission set that is applied to one or more modules and one or more Organisational Units) is configured in Settings > Organisational Configuration > Roles. The Role is then selected within a user profile and applied to the specific Organisational Units where the permissions should apply. The system user will only have access to data within those Organisational Units; they cannot view data outside them.
Provides users with an in system overview of Role Permissions. You can watch this video for an overview to learn about this topic or keep reading the article below.
Available to watch in - French, German, Spanish, Italian, Polish, Dutch, Brazilian, Portuguese, Chinese (Simplified)
Role Permissions are distinct from Supervisor Privileges (which control system configuration access). Role Permissions control what a user can do with module records. This article covers every available Role Permission and the rules that govern how permission values are resolved.
How to Navigate to Roles
Navigate to Settings > Organisational Configuration > Roles. Click the + New icon to create a new Role, or click the cog menu icon against an existing Role and select Edit to make changes.
Permission Value Definitions
Each permission within a Role can be set to one of three values:
- Allow: Grants the user access to the permission.
- Deny: Removes the user's access to the permission. Deny overrides Allow when resolving permissions.
- Inherit: The system continues to look up the Organisational Structure until it finds a value of either Allow or Deny. If no value is found at the root level, the permission is treated as Deny. Inherit is overridden by both Allow and Deny.
Include Children
If a user's Role permission has Include Children enabled, all Organisational Units underneath the assigned Organisational Unit share the same permission as the parent.
Individual Permissions Explained
Read – View module record contents and the detail view page of the record. (Read-Only).
Write – Create, edit, and copy module records. Add or edit attachments against module records.
Create actions against module records.
Delete – Delete module records.
Assign - Gives the User the ability to be Assigned a record, to Assign an "in progress" record to a User, and Submit an "in progress" record in the Approval Process workflow
Override Assign - Edit the assigned stage of a module record (change assignee and change submission due date).
Approve – Eligible to be selected as a default approver within an organisational unit (including user roles). User will also appear for selection if using the manual approval workflow.
Force Approve – Approve a module record that you are not the designated approver of.
Archive – Archive a module record, archiving must be enabled in the module and system settings.
Can Edit Approved/Archived Records – Edit an approved or archived module record.
Review – Eligible to be selected as a default reviewer within an organisational unit (including user roles). User will also appear for selection if using the manual review workflow.
Override Auto Ref – Can uncheck system assigned referencing, allowing for a custom reference when creating a module record.
Delete Attachments – Delete attachments from a module record.
Add/Remove policies – Add and remove policies within the Policy/Guidance/Method Statement area and link these to module records.
Confidential Record – Create a module record as confidential and be able to view other confidential records. Users without this permission will not see the "Is this Confidential?" tickbox in the associated module forms.
View Audit Trail Log – View the audit trail log for records. (Created by, edits etc).
Submit RIDDOR to HSE –Submit a RIDDOR record to the HSE within the RIDDOR module.
View Reports – Run standard reports within a module, also includes running user created quick reports.
Configure Dashboard – Create and edit quick browse, quick add links and create Assure charts on their homepage or module dashboards.
Link to Records by Module – Similar to "Link to any record" supervisor privilege, when enabled will allow the user to link to any record for the associated modules in the role permission.
This permission will be overridden if "Link to any record" is set to Deny within the supervisor privilege.
To use this permission correctly, set "Link to any record"to Inherit.
If Link to any record is set to deny it will be disabled
If link to any record is set to allow then this permission is ignored.
Permissions that to not apply to Modules.
Override Review – Edit the review stage of a module record (change review by and review due date). – Can be utilised in review manager.
Delete Review – Delete a review from a module record or review manager. – Can be utilised in review manager.
Reassign Action – Reassign an action to another system user. Can be utilised in action manager.
Override Actions – Edit a module record or freestanding action (change action for and action priority, detail due date). Can be utilised in action manager.
Delete Actions – Delete module record or free-standing actions. Can be utilised in action manager.
View Tasks for Other People – View tasks that are not your own (Actions, Reviews and Approvals).
Confidential Item – View questions marked as confidential in an IQ template.
Manage Portal Queue – Process or reject (with a reason) portal questionnaires that have been submitted to the portal queue.
View Personnel Data – See personnel data on module records (Name, address, phone number, email, and other personal details). Data is viewable in Incident records and person register primarily.
Reassign IQ – Redundant.
Modules Section
The Modules section of the Role configuration allows the administrator to add or remove the modules to which the Role Permissions apply. The Role is then selected within a user profile and applied to the relevant Organisational Units.
Step-by-Step: How to Create a Role
- Navigate to Settings > Organisational Configuration > Roles.
- Click + New to create a new Role.
- Enter a Name and optional Description for the Role.
- Configure each permission by setting it to Allow, Deny, or Inherit.
- In the Modules section, add the modules to which these permissions apply.
- Click Save and Close.
- Navigate to the relevant user profile and assign the Role to the user, specifying the Organisational Unit(s) where the permissions apply.
Step-by-Step: How to Edit an Existing Role
- Navigate to Settings > Organisational Configuration > Roles.
- Locate the Role to edit.
- Click the cog menu against the Role and select Edit.
- Amend the required permission values or module assignments.
- Click Save and Close.
Note: Changes to a Role apply immediately to all users who have that Role assigned to their user profile.
Relationship to Supervisor Privileges
Role Permissions and Supervisor Privileges serve different purposes in Assure:
- Role Permissions control what a user can do with module records and data (for example, viewing, creating, editing, approving, archiving records).
- Supervisor Privileges control what a user can do with system configuration (for example, managing org units, configuring roles, managing users, and importing data).
A system user does not require a Supervisor Privilege in order to log in and create, edit, or report on data within the module areas.
AI Metadata
- Product Area: Assure - Organisational Configuration, User Management
- User Role: System Administrator (requires the Manage Roles Supervisor Privilege to create or edit roles)
- Tags: roles, permissions, Allow, Deny, Inherit, module access, role configuration, organisational unit, user permissions, approval workflow, review workflow, confidential records, RIDDOR, portal queue, IQ template
- Version/Region: All Assure versions; all regions
- Important synonyms: role permissions, user permissions, access control, module permissions, permission settings, role configuration, org unit permissions
- Suggested embedding keywords: Role Permissions Assure, configure role Assure, Allow Deny Inherit permissions, module access control, approval workflow permission, review permission Assure, confidential record permission, create edit delete module records, role org unit, Include Children role
- Relevant modules and cross-module implications: Role Permissions are scoped to Assure and apply across every Assure module (for example, Incidents, Audits, Risk Assessments, Actions). Cross-module implications include: AssureGO+ (the Assign permission controls assignment on submitted portal forms); the Portal Queue (the Manage Portal Queue permission controls who can process or reject portal submissions); Insights+ (View Reports controls access to standard and quick reports); and Task Management (Override Actions, Delete Actions, Reassign Action, and View Tasks for Other People control behaviour in the Action Manager). The Manage Roles Supervisor Privilege is required to configure roles.