Role management
- 21 Mar 2025
- 15 Minutes to read
- Contributors
- Print
- DarkLight
- PDF
Role management
- Updated on 21 Mar 2025
- 15 Minutes to read
- Contributors
- Print
- DarkLight
- PDF
Article summary
Did you find this summary helpful?
Thank you for your feedback!
1. Role management
In Constellio, each user is assigned a role. This role is similar to the idea of "profiles." The "Manage roles" option allows you to create a new role and to assign responsibilities or action rights to each role in Constellio. Therefore, depending on the roles assigned to a user, the options and possible actions in Constellio are not the same. A user can have different roles depending on the collection since each collection is independent at the role level. By default, all users have a User role.
2. Definition of roles
By default, the system contains four roles: user (U), administrator (ADM), manager (M) and document manager (RGD).
- User: basic user, the one who generally uses Constellio in his daily life to create, manage, modify folders, documents, tasks and favorites. There is no access to control or delete items. Constellio gives a default user role to all users of a collection.
- Administrator: the administrator is the one who usually has the role of managing the system without having any interaction with the folders and documents.
- Manager: the one who usually consults folders and documents, gives specific authorizations such as sharing folders, authorizes downgrades, etc.
- Document management manager: this role has limited access to the management of the system, but has access to all document management functions.
This definition of the roles corresponds to the default attributions of each role. However, these roles are customizable and it is possible to modify the responsibilities and access rights of these different roles according to the needs of each environment.
The roles cover the following Constellio functions:
- Management of the RM module (document management)
- Folders
- System
- Workflow management
- Disposition
- System management
- Favorites
- Annotations
- Documents
- Manage search tools
- Office365
- Collection management
- Archive management
- Legal Holds
2.1 Consult the roles
- Click on "Administration" in the navigation menu;
- Click on "Manage Roles."
2.2 Edit a role
- Click on "Administration" in the navigation menu;
- Click on "Manage Roles";
- Modify the specificities of each of the roles, to do this, check or uncheck the different possible actions attached to the different available roles. Then click on "Save" to confirm the changes.
The "Reset" option allows you to undo changes made to roles BEFORE you save the changes. After saving the changes, it is no longer possible to restore the roles with this option. 
2.3 Create a new role
Depending on the needs of your organization and your users, it is possible to add new roles. For example, it might be useful to create a role for non-regular users, such as interns, volunteers, etc.
Once a role is created and saved, it is no longer possible to delete or change it.
It is, however, possible to "deactivate" it, to do so, you must ensure that it is not applied to a group or a user and manually uncheck all actions.
- Click on "Administration" in the navigation menu;
- Click on "Manage Roles";
- Click on "Create a new role" on the right of the screen;
- Fill in the required fields (Code and Title), then click on "Save."
By default, after its creation, a role has no responsibilities or access rights. It is therefore necessary to add specificities to this role. To do this, check or uncheck the different actions to be added to this role, then click on "Save" to confirm the changes.
3. Assignment of roles
The "Manage roles" option in the control panel allows you to assign responsibilities or action rights in Constellio to each role (user, administrator, manager and document management manager). However, it is in the "Manage security" option that it is possible to manage the assignment of one or more roles to user groups or users.
After having set up the different roles desired in Constellio. It is important to assign these roles to different groups or users. For example, if we want to allow managers of different administrative units in our environment to have more extensive responsibilities than those of a user. After setting up the Manager role in "Manage Roles", you must assign this role to a group of managers or to each manager.
Point of vigilance
- By default, all users have the User role.
- If a permissive role is applied globally to the collection, it overrides the more restrictive roles.
- It is also possible to manage user and group roles at the administrative unit level.
3.1 View assigned roles
Inherited roles are those automatically added for an administrative unit based on the roles present in the parent units, while specific permission is unique to that administrative unit.
- Click on "Administration" in the navigation menu;
- Click on "Manage Security";
- In the "Manage security" window, you can see all the groups and users previously created in the collection;
- Click on "Manage Roles" to the right of the name of the group or user for which you want to consult the roles.
3.2 Assign a role
- Click on "Administration" in the navigation menu;
- Click on "Manage Security";
- Click on "Manage Roles" to the right of the name of the group or user;
- Click on "Add role" on the right of the screen;
- In the "Add role" window, fill in the metadata and click on "Save."
| Metadata for adding a role | ||
|---|---|---|
| Name of the field | Description | |
| Roles | Obligatory | Select one or more roles to assign to the user or group. |
| Scope | Facultative | Select an administrative unit for which you are assigning a role. If this field is empty, the role you just assigned will be applied to the whole collection. |
3.3 Delete a role
- Click on "Administration" in the navigation menu;
- Click on "Manage Security";
- Click on "Manage Roles" to the right of the name of the group or user;
- Click on the "X" to the right of the role to be deleted;
- Confirm the deletion, click on "Yes".
Constellio users always have at least one User role on the collection. Therefore, you cannot remove this role from a user if no other role is assigned to him. However, you can remove a Manager role from a Constellio user. The system will automatically assign a User role to the user.
4. Permissions
Permissions are the different authorizations granted to each role. They allow users to perform very specific actions in the application.
| Manage RM module | |
|---|---|
| Name of the field | Description |
| Manage uniform subdivisions | Allows the user to add, modify or delete uniform subdivisions of Constellio through the administration. |
| Manage storage spaces | Allows the user to add, modify or delete Constellio locations through the control. This permission is also required to select the location when creating a container. |
| Manage file plan | Allows the user to add, modify or delete the Constellio classification plan through the pilot. |
| View classification plan | Allows the user to access the Constellio classification plan page. However, the user is limited to consulting the plan, and cannot modify or delete headings. |
| View retention calendar | Allows the user to access the Constellio retention calendar page. However, the user is limited to viewing the calendar, and cannot modify or delete rules. |
| Manage retention rule | Allows the user to add, modify or delete Constellio retention rules through the control. |
| Manage borrowings | Allows the user to access the borrowing management page of the pilot. |
| Consult legal requirements | Do not activate without the plugin. |
| Manage legal requirements | Do not activate without the plugin. |
| Deletion of elements contained in a container | Allows you to delete the elements contained in a container. |
| Use notifications | Allows you to receive notifications. |
| Manage webhooks | Allows you to manage webhooks. |
| Manage public portals | Allows the user to add, modify or delete public portals through control. |
| Manage public portals linked searches | Allows you to create saved searches in public portals. |
| Consult public portal configurations | Allows you to view the configurations of public portals. |
| Manage recurring reports | Allows you to configure recurring reports. |
| Folders | |
|---|---|
| Name of the field | Description |
| Manage authorizations | Allows to close the security of a folder. This allows the user to add, modify and delete permissions, but also to cut off the inheritance of these. |
| View authorizations | Allows to consult the permissions of a file, without being able to make changes to it. |
| Share a folder | Allows to share a folder with another Constellio user. The user is limited in sharing to the accesses he has. For example, a user with write access can share read or write access, but cannot share delete access. |
| Share a semi-active folder | Allows to share a semi-active folder. Must be combined with the Share Folder permission. |
| Share an inactive folder | Allows to share an inactive folder. Must be combined with the Share Folder permission. |
| Share an imported folder | Allows to share an imported folder. Must be combined with the Share Folder permission. |
| Create a subfolder | Allows to create a sub-folder if the user has write access to the parent folder. |
| Create a semi-active subfolder | Allows to create a sub-folder in a semi-active parent folder. Must be combined with the Create Subfolder permission. |
| Create an inactive subfolder | Allows to create a sub-folder in an inactive parent folder. Must be combined with the Create Subfolder permission. |
| Borrow folder | Allows to borrow a file. |
| Edit a folder | Allows to modify the active folders to which the user has write access. |
| Edit a semi-active folder | Allows to modify the semi-active folders to which the user has write access. |
| Edit an inactive folder | Allows to modify inactive folders to which the user has write access. |
| Edit an imported folder | Allows to modify the imported folders to which the user has write access. |
| Delete a semi-active folder | Allows to delete semi-active folders to which the user has delete access. |
| Delete an inactive folder | Allows to delete inactive folders to which the user has delete access. |
| Create a folder | Allows to create a folder in the application. |
| Duplicate a folder | Allows to duplicate active folders. |
| Duplicate a semi-active folder | Allows to duplicate semi-active folders. |
| Duplicate an inactive folder | Allows to duplicate inactive folders. |
| Edit a borrowed semi-active folder | Allows to modify a borrowed semi-active folder to which the user has write access. |
| Edit a borrowed inactive folder | Allows to modify a borrowed inactive folder to which the user has write access. |
| Modify folder's opening date | Allows to modify the opening date of a file after its creation. |
| Borrow folders without requesting | Allows to borrow a file without having to go through the loan application and approval system. Must be combined with the Borrow a File permission. |
| Make request of borrowing on folders | Allows to borrow a file through the loan application and approval system. |
| Make reactivation request on folders | Allows to approve reactivation requests. |
| Manage requests on folders | Allows to approve borrowing and return requests. |
| Return other users folders | Allows to return files borrowed by other users. |
| Move folders | Allows to move folders. |
Others | |
|---|---|
| Nom du champ | Description |
| Use application programming interfaces (API Cmsi) | Allows the user to manage Constellio through application programming interfaces (CMIS API) |
| System | |
|---|---|
| Name of the field | Description |
| Delete version | Allows the user to delete versions of a document |
| View audit | Allows to access the audit module |
| Modify public saved search | Allows to edit public shared searches |
| Delete public saved search | Allows to delete public shared searches |
| Modify records using batch processes | Allows to modify records through batch processing. This permission is limited by the configuration Maximum number of records that can be modified by batch processing. |
| Modify unlimited number of records using batch processes | This authorization is limited by the configuration Maximum number of records that can be modified by batch processing. This permission allows you to edit an unlimited number of records. |
| View announcements on login | See Constellio's announcements during the connection. |
| View search statistics | Allows to see the search statistics |
Workflow management | |
|---|---|
| Name of the field | Description |
| Manage workflows | Allows to configure the workflow templates available to the organization. |
| Start workflows | Allows the user to use the organization's workflows. |
| Delete a workflows | Allows to delete a workflow template. |
| Read workflow executions | Allows to consult the progress of the execution of a workflow. |
| Modify workflow executions | Allows to modify the execution of a workflow. |
| Modify workflow executions status | Allows you to pause or cancel a workflow. |
| View key performance indicators | Allows to see the statistics of the tasks of your administrative unit. |
| View all key performance indicators | Allows to view task statistics for the entire organization. |
| Disposition | |
|---|---|
| Name of the field | Description |
| Edit a folder or document disposition date | Allows to modify the transfer, deposit and destruction dates of a file. |
| Edit disposition lists | Allows to modify the content of a downgrade list. |
| Approve disposition list | Allows to approve decommissioning lists. |
| Manage boxes | Allows the user to create containers and associate them with the folders when declassifying. |
| Delete boxes | Allows to remove containers. |
| Consult boxes | Allows to consult the containers. |
| Borrow a box | Allows to consult a container and its contents. |
| Borrow boxes without requesting | Allows to borrow a container without having to go through the loan request and approval system. Must be combined with the Borrow a Container permission. |
| Make borrow request on boxes | Allows you to borrow a container by going through the borrowing request and approval system. Must be combined with the Borrow a Container permission. |
| Manage boxes requests | Allows for the approval of container borrowing requests. |
| Return other users boxes | Allows to return containers borrowed by other users. |
| Create analog transfer list from active to semi-active | Allows to create downgrade lists from active to semi-active transfer for paper files. |
| Edit analog transfer list from active to semi-active | Allows to modify the downgrade lists from active to semi-active transfer for paper files. |
| Generate SIP archives | Allows to generate SIP archives in the search and in the downgrade lists. |
| Manage archive descriptors | Allows to configure SIP archive descriptors. |
| Create disposition list | Allows to create a disposal list. |
| Process disposition lists | Allows to process a disposal list. |
| System management | |
|---|---|
| Name of the field | Description |
| Configuration | Allows to modify the system configurations. |
| Manage groups | Allows to manage the system's groups. |
| Manage groups activation | Allows to change the activation status of groups. |
| Manage users | Allows to manage the users of the system. |
| Manage collection | Allows to add, modify and delete collections in the system. |
| Import | Allows to export and import data from the system. |
| Update center | Accesses the update center to perform an update, reindex or install a license. |
| Manage LDAP Configuration | To configure LDAP synchronization of users and groups. |
| Manage labels | Allows to configure label templates. |
| Manage slips | Allows to configure slip templates. |
| Manage report templates | Allows to configure PDF report templates. |
| View systems batch processes | Allows to see all the batch processes in the system. |
| Edit other user annotation | Allows to modify the document annotations of other users. |
| Access temporary records page | Allows access to the temporary records page. |
| See all temporary records | Allows to see the temporary records generated by the entire organization. |
| Access to delete any temporary record | Allows to delete temporary records generated by the entire organization. |
| View system state | Allows to view the System button and see the status of the server. |
| Manage tenants | Allows you to manage tenants when you find yourself in a multi-tenant environment. |
| Favorites | |
|---|---|
| Name of the field | Description |
| Use my favorites | Allows to use the user's default bookmark group. |
| Use favorites groups | Allows to use favorites groups other than My Favorites. |
| Batch delete of all records in a favorites group | Allows to batch delete records from a favorites group. |
| Annotations | |
|---|---|
| Name of the field | Description |
| Add annotation layers | Allows to add annotation layers. |
| Manage annotation layers | Allows to add, modify and remove annotation layers. |
| Share annotation layers | Allows to share annotation layers. |
| Documents | |
|---|---|
| Name of the field | Descrition |
| Manage authorizations | Allows to manage the security of a document. This allows the user to add, modify and delete permissions, but also to cut off the inheritance of these. |
| View authorizations | Allows to view the permissions of a document, without being able to make changes to it. |
| Share a document | Allows you to share a document with another Constellio user. The user is limited in sharing to the accesses he has. For example, a user with write access can share read or write access, but cannot share delete access. |
| Share a semi-active document | Allows to share a semi-active document. Must be combined with the Share Document permission. |
| Share an inactive document | Allows to share an inactive document. Must be combined with the Share Document permission. |
| Share an imported document | Allows to share an imported document. Must be combined with the Share Document permission. |
| Create a document | Allows to create a document if the user has write access to the parent folder. |
| Create a semi-active document | Allows to create a document in a semi-active parent folder. Must be combined with the Create Document permission. |
| Create an inactive document | Allows to create a document in an inactive parent folder. Must be combined with the Create Document permission. |
| Edit a document | Allows to edit active documents to which the user has write access. |
| Edit a semi-active document | Allows to edit semi-active documents to which the user has write access. |
| Edit an inactive document | Allows to modify inactive documents on which the user has write access. |
| Edit an imported document | Allows to modify imported documents on which the user has write access. |
| Version a document | Allows you to track versions of a document. |
| Version a semi-active document | Allows you to track versions of a semi-active document. |
| Version an inactive document | Allows you to track versions of an inactive document. |
| Download a documents content | Allows to download the content of a document. |
| Delete a semi-active document | Allows to delete semi-active documents to which the user has delete access. |
| Delete an inactive document | Allows to delete inactive documents on which the user has delete access. |
| Delete a borrowed document | Allows to delete imported documents on which the user has delete access. |
| Delete a published document | Allows to delete a published document. |
| Return other users documents | Allows to return documents borrowed by other users. |
| Publish and unpublish a document | Allows to publish and unpublish a document. |
| View filename on system | Allows to see where the document is stored on the server vault. |
| Generate external signature url | Allows to request the signature of a document from another user. |
| Generate a PDF/A for active documents | Allows to generate a PDF/A for active documents. |
| Generate a PDF/A for semi-active documents | Allows to generate a PDF/A for semi-active documents. |
| Generate a PDF/A for inactive documents | Allows to generate a PDF/A for inactive documents. |
| Generate a PDF for active documents | Allows to generate a PDF for active documents. |
| Generate a PDF for semi-active documents | Allows to generate a PDF for semi-active documents.. |
| Generate a PDF for inactive documents | Allows to generate a PDF for inactive documents. |
| Print documents | Allows to print a document. |
| Move documents | Allows to move documents. |
| Batch importation | |
|---|---|
| Name of the field | Description |
| Manage mapping tables | Allows you to configure concordances in SharePoint and Constellio metadata. |
| Manage search tools | |
|---|---|
| Name of the field | Description |
| Manage synonyms | Allows to create, modify and delete synonyms. |
| Exclude and raise search result | Allows to exclude and elevate search results. |
| Manage Search capsules | Allows to create, modify and delete search capsules. |
| Manage corrector words | Allows to remove suggestions from the proofreader. |
| Office 365 | |
|---|---|
| Name of the field | Description |
| Manage Office365 templates | Allows to manage Office365 templates |
| Delete Office365 content | Allows to delete Office365 templates |
| Collection management | |
|---|---|
| Name of the field | Description |
| Facets management | Allows you to configure the search facets |
| Taxonomies | Allows you to create, modify and delete virtual spaces |
| Manage value list | Allows you to create, modify and delete value domains |
| Manage metadata schemas | Allows you to configure metadata schemas |
| Public links management | Allows you to view and remove public links on documents |
| Manage security | Allows you to manage application security and add access to different groups and users. This permission should be limited to administrators since it allows for global read, write and delete access to the entire collection. |
| Manage security clearance | Allows you to create, modify and delete security classifications. |
| Remove the temporary login lock | Allows you to remove the temporary connection lock. |
| Manage search boost | Allows you to configure search boosts |
| Manage metadata extractor | Allows you to configure metadata extractors. |
| Manage connector | Allows you to configure SMB, HTTP, LDAP, etc. connectors. |
| Manage trash | Allows you to access the trash to restore a recording or to delete it permanently |
| Manage email server | Allows you to configure the email server |
| Manage Excel reports | Allows you to manage Excel reports in the management of control printables |
| Manage template | Allows the management of O365 folder and structure templates. |
| Thesaurus configuration | Allows you to integrate a thesaurus to add search functionality |
| Manage shares | Allows you to view and remove shared folders and documents |
| Records management | |
|---|---|
| Name of the field | Description |
| Manage reports | Allows to access the reports of the decommissioning module |
| Legal Holds | |
|---|---|
| Name of the field | Description |
| Manage legal holds | Allows access to the legal hold to add, modify or delete a legal hold and its contents. |
| Edit a document marked as a record or under legal hold | Allows you to make changes to locked or legally suspended documents. |
Was this article helpful?