Understanding User Roles and Permissions


Overview

User roles and permissions are key to keeping your application secure and running smoothly. They control who can access what, based on each user’s responsibilities. This article explains the basics to help you set up and manage roles in iVendNext.




1. Core Concepts: User Roles and Permissions

In iVendNext, user roles are predefined sets of permissions that dictate what a user can do within the system. Think of a role as a job title that comes with specific responsibilities and, therefore, specific access rights. Permissions, on the other hand, are the individual actions a user is allowed to perform, such as viewing a document, creating a new record, editing existing information, or running specific reports.


Idea: By assigning roles to users, you can efficiently manage their access levels without having to define individual permissions for each user.




2. The Administrator Role: Unrestricted Access

The Administrator role in iVendNext holds the highest level of authority within the system. An Administrator has unrestricted access to all features, modules, and data. This role is responsible for the overall configuration, maintenance, and security of the iVendNext account.


Key responsibilities of an Administrator include:


  • Managing user accounts and roles.

  • Configuring system settings.

  • Setting up integrations.

  • Performing upgrades (in self-hosted environments).

  • Ensuring the system meets the organization's needs.




2.1. Administrator Access in Cloud-Hosted vs. Self-Hosted Accounts

It's important to understand how Administrator access differs based on whether your iVendNext account is cloud-hosted or self-hosted [3, 4].


  • Cloud-Hosted Accounts: If your iVendNext account is hosted on iVendNext's cloud infrastructure, you will not have direct Administrator login credentials. This is a security measure implemented to protect the integrity and stability of the shared server environment where multiple customer accounts may reside. iVendNext manages backend upgrades for cloud-hosted accounts. While you won't have direct administrator access, iVendNext provides comprehensive administrative functionalities through the user interface, typically assigned to a designated "System Manager" role which has extensive permissions. Exceptions to this are rare and usually apply to customers with a large number of users whose accounts are exclusively hosted on a single server.

  • Self-Hosted (On-Premises) Accounts: For iVendNext accounts that are self-hosted on your organization's own servers, the designated account user will have the Administrator login credentials. This provides full control over the system, including server access and upgrades.




3. Limited User Roles: Access on a Need-to-Know Basis

iVendNext also allows for the creation and assignment of Limited User roles. These roles are designed for users who do not require access to the entire system and only need specific functionalities to perform their tasks. This approach enhances security by minimizing the potential for unauthorized access or accidental modifications.




3.1. Understanding the "Limited User" Concept

A Limited User in iVendNext can only access specific documents within designated modules [4]. Consider a large company with many employees; not all employees need access to all aspects of the iVendNext system. For instance, employees might only need to record their daily attendance or submit leave applications. Providing full system access to all such users would be unnecessary and could pose a security risk. Limited User roles address this by granting access only to the required areas.




3.2. Utilizing User Types to Define Limited Access

The User Type document in iVendNext plays a crucial role in managing limited user access. You can access this document by navigating to: Users > User Type.



iVendNext comes with default User Types:


  • System User: Can access both the main iVendNext interface (desk) and the website portal.

  • Website User: Can only access the website portal.


To facilitate limited access for employees, iVendNext provides a pre-configured User Type called 'Employee Self Service'.



These standard User Types ("System User" and "Website User") cannot be deleted or edited.




3.3. Configuring Non-Standard (Custom) User Types for Granular Control

For more specific limited access requirements, you can create non-standard user types (custom user types) [6]. When configuring a custom user type, you need to define:


  • Custom Role: The specific role to be assigned to users of this type.

  • Document Permissions: The specific documents within modules that users with this role will have access to.

  • Field-Level Permissions: In some cases, you can even specify permissions based on specific fields within a document.

  • Apply User Permission On: This setting allows you to link user permissions to specific records. For example, if "Apply User Permission on" is set to "Employee" and the document has a field linked to the "User ID" of the employee, then that user will only be able to view records where their Employee ID is linked. A common example is employees only being able to view their own salary slips.


For non-standard user types, you need to explicitly select the document types that users with that type can access. 


For the 'Employee Self Service' User Type, the associated role will not be accessible in the general Role Permission Manager. This means that permissions for this user type are managed directly within the User Type configuration.




3.4. "Select Permissions Only" for Limited Users

When configuring document types for a non-standard user type, you can specify "Select Permissions Only". This grants users the ability to view records of the selected document type but prevents them from creating new records or editing existing ones. This is useful for providing information access without allowing modifications, such as allowing employees to view company policies or their attendance records without the ability to change them.
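How the settings from sections 3.3 and 3.4 combine into one access decision, as an added example: this is a simplified model written for this article, not iVendNext code or its API. The class names, field names, and sample records are hypothetical, and denying records that lack a link value is a choice made by the example.

```python
from dataclasses import dataclass, field
from typing import Optional

@dataclass(frozen=True)
class DocRule:
    select_only: bool = False         # "Select Permissions Only": view, never create or edit
    link_field: Optional[str] = None  # record field pointing at the linked Employee, if any

@dataclass
class UserType:
    role: str                          # custom role given to users of this type
    apply_user_permission_on: str      # document that link_field values refer to
    doc_rules: dict = field(default_factory=dict)  # document type -> DocRule

def is_allowed(utype, own_id, doctype, action, record):
    """Check one action against every layer of the user type; any failure denies."""
    rule = utype.doc_rules.get(doctype)
    if rule is None or action not in ("read", "create", "write"):
        return False                   # unselected document type or unknown action
    if rule.select_only and action != "read":
        return False
    if rule.link_field is None:
        return True                    # no link field, so no record-level restriction
    # Record-level restriction; an unlinked record or user is denied (example's choice).
    return bool(own_id) and record.get(rule.link_field) == own_id

def visible(utype, own_id, records):
    """Names of the records this user may view."""
    return [r["name"] for dt, r in records if is_allowed(utype, own_id, dt, "read", r)]

# Constructed sample configuration and records (all names are hypothetical).
STAFF = UserType(
    role="Staff Self Service",
    apply_user_permission_on="Employee",
    doc_rules={
        "Leave Application": DocRule(link_field="employee"),
        "Salary Slip": DocRule(select_only=True, link_field="employee"),
        "Company Policy": DocRule(select_only=True),
    },
)
RECORDS = [
    ("Salary Slip", {"name": "SLIP-001", "employee": "EMP-001"}),
    ("Salary Slip", {"name": "SLIP-002", "employee": "EMP-002"}),
    ("Salary Slip", {"name": "SLIP-003"}),
    ("Company Policy", {"name": "POL-001"}),
    ("Payroll Entry", {"name": "PAY-001", "employee": "EMP-001"}),
]

if __name__ == "__main__":
    print(visible(STAFF, "EMP-001", RECORDS))
```

Running the same checks against an export of your real user type configuration is a quick way to review whether a limited user can reach anything beyond their own records.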




4. The Importance of Role-Based Permissions

iVendNext utilizes a Role-Based Permissions (RBP) system. This means that permissions are primarily associated with roles, and users are granted access based on the roles assigned to them. This approach offers several benefits:


  • Simplified Administration: Managing access becomes easier as you only need to manage roles rather than individual user permissions.

  • Consistency: Ensures that users with the same responsibilities have the same level of access.

  • Enhanced Security: Reduces the risk of granting excessive permissions to users.

  • Auditability: Makes it easier to track who has access to what within the system.




5. Managing User Access: A Step-by-Step Approach

While detailed steps for adding users and assigning roles will be covered in separate articles (as indicated in the "Related Topics" section for "Administrator" [1]), the general process involves:


  1. Defining Roles: Determine the different roles required within your organization based on job functions and responsibilities.

  2. Configuring User Types (for Limited Access): If you need to implement limited user access, configure the necessary User Types and define the associated permissions.

  3. Adding Users: Create user accounts in iVendNext.

  4. Assigning Roles: Assign the appropriate roles (and User Types, if applicable) to each user.





6. Security Considerations

Implementing a well-defined system of user roles and permissions is a fundamental aspect of iVendNext security. By carefully assigning roles and limiting access based on necessity, you can:


  • Protect sensitive data from unauthorized viewing or modification.

  • Reduce the risk of human error by preventing users from accessing functionalities they are not trained to use.

  • Maintain compliance with data privacy regulations by controlling who has access to personal or confidential information.


Highlight: Always follow the principle of least privilege when assigning roles and permissions, granting users only the access they absolutely need to perform their duties.



