Role management

18 Oct 2022
14 Minutes to read
Contributors

Print
Share
Dark
Light
PDF

Role management

Updated on 18 Oct 2022
14 Minutes to read
Contributors

Print
Share
Dark
Light
PDF

Article summary

Did you find this summary helpful?

Thank you for your feedback

1. Role management

In Constellio, each user is assigned a role. This role is similar to the idea of "profiles". The "Manage roles" option allows you to create a new role and to assign responsibilities or action rights to each role in Constellio. Therefore, depending on the roles assigned to a user, the options and possible actions in Constellio are not the same. A user can have different roles depending on the collection since each collection is independent at the role level. By default, all users have a User role.

2. Definition of roles

By default, the system contains four roles: user (U), administrator (ADM), manager (M) and document manager (RGD).

User: basic user, the one who generally uses Constellio in his daily life to create, manage, modify folders, documents, tasks and favorites. There is no access to control or delete items. Constellio gives a default user role to all users of a collection.
Administrator: the administrator is the one who usually has the role of managing the system without having any interaction with the folders and documents.
Manager: the one who usually consults folders and documents, gives specific authorizations such as sharing folders, authorizes downgrades, etc.
Document management manager: this role has limited access to the management of the system, but has access to all document management functions.

This definition of the roles corresponds to the default attributions of each role. However, these roles are customizable and it is possible to modify the responsibilities and access rights of these different roles according to the needs of each environment.

The roles cover the following Constellio functions:

Management of the RM module (document management)
Folders
Collection management
Workflow management
Filing
Archive management
System management
Favorites management
Documents.

2.1 Consult the roles

Click on "Administration" in the navigation menu;
Click on "Manage Roles".

2.2 Edit a role

Click on "Administration" in the navigation menu;
Click on "Manage Roles";
Modify the specificities of each of the roles, to do this, check or uncheck the different possible actions attached to the different available roles. Then click on "Save" to confirm the changes.

The "Reset" option allows you to undo changes made to roles BEFORE you save the changes. After saving the changes, it is no longer possible to restore the roles with this option.

2.3 Create a new role

Depending on the needs of your organization and your users, it is possible to add new roles. For example, it might be useful to create a role for non-regular users, such as interns, volunteers, etc. Once a role is created and saved, it is no longer possible to delete it. It is however possible to "deactivate" it, to do so, you must ensure that it is not applied to a group or a user and manually uncheck all actions.

Click on "Administration" in the navigation menu;
Click on "Manage Roles";
Click on "Create a new role" on the right of the screen;
Fill in the required fields (Code and Title), then click on "Save".

By default, after its creation, a role has no responsibilities or access rights. It is therefore necessary to add specificities to this role. To do this, check or uncheck the different actions to be added to this role, then click on "Save" to confirm the changes.

3. Assignment of roles

The "Manage roles" option in the control panel allows you to assign responsibilities or action rights in Constellio to each role (user, administrator, manager and document management manager). However, it is in the "Manage security" option that it is possible to manage the assignment of one or more roles to user groups or users.

After having set up the different roles desired in Constellio. It is important to assign these roles to different groups or users. For example, if we want to allow managers of different administrative units in our environment to have more extensive responsibilities than those of a user. After setting up the Manager role in "Manage Roles", you must assign this role to a group of managers or to each manager.

Point of vigilance

By default, all users have the User role.
If a permissive role is applied globally to the collection, it overrides the more restrictive roles.
It is also possible to manage user and group roles at the administrative unit level.

3.1 View assigned roles

Inherited roles are those automatically added for an administrative unit based on the roles present in the parent units, while specific permissions are unique to that administrative unit.

Click on "Administration" in the navigation menu;
Click on "Manage Security";
In the "Manage security" window, you can see all the groups and users previously created in the collection;
Click on "Manage Roles" to the right of the name of the group or user for which you want to consult the roles.

3.2 Assign a role

Click on "Administration" in the navigation menu;
Click on "Manage Security";
Click on "Manage Roles" to the right of the name of the group or user;
Click on "Add role" on the right of the screen;
In the "Add role" window, fill in the metadata and click on "Save".

Metadata for adding a role
Name of the field		Description
Reles	Obligatory	Select one or more roles to assign to the user or group.
Scope	Facultative	Select an administrative unit for which you are assigning a role. If this field is empty, the role you just assigned will be applied to the whole collection.

3.3 Delete a role

Click on "Administration" in the navigation menu;
Click on "Manage Security";
Click on "Manage Roles" to the right of the name of the group or user;
Click on the "X" to the right of the role to be deleted;
Confirm the deletion, click on "Yes".

Constellio users always have at least one User role on the collection. Therefore, you cannot remove this role from a user if no other role is assigned to him. However, you can remove a Manager role from a Constellio user. The system will automatically assign a User role to the user.

4. Permissions

Permissions are the different authorizations granted to each role. They allow users to perform very specific actions in the application.

Manage RM module
Name of the field	Description
Manage uniform subdivisions	Allows the user to add, modify or delete uniform subdivisions of Constellio through the administration.
Manage storage spaces	Allows the user to add, modify or delete Constellio locations through the control. This permission is also required to select the location when creating a container.
Manage file plan	Allows the user to add, modify or delete the Constellio classification plan through the pilot.
View classification plan	Allows the user to access the Constellio classification plan page. However, the user is limited to consulting the plan, and cannot modify or delete headings.
View retention calendar	Allows the user to access the Constellio retention calendar page. However, the user is limited to viewing the calendar, and cannot modify or delete rules.
Manage retention rule	Allows the user to add, modify or delete Constellio retention rules through the control.
Manage borrowings	Allows the user to access the borrowing management page of the pilot.
Deletion of elements contained in a container	Allows you to delete the elements contained in a container.
Use notifications	Allows you to receive notifications.
Manage webhooks	Allows you to manage webhooks.

Folders
Name of the field	Description
Manage authorizations	Allows to close the security of a folder. This allows the user to add, modify and delete permissions, but also to cut off the inheritance of these.
View authorizations	Allows to consult the permissions of a file, without being able to make changes to it.
Share a folder	Allows to share a folder with another Constellio user. The user is limited in sharing to the accesses he has. For example, a user with write access can share read or write access, but cannot share delete access.
Share a semi-active folder	Allows to share a semi-active folder. Must be combined with the Share Folder permission.
Share an inactive folder	Allows to share an inactive folder. Must be combined with the Share Folder permission.
Share an imported folder	Allows to share an imported folder. Must be combined with the Share Folder permission.
Create a subfolder	Allows to create a sub-folder if the user has write access to the parent folder.
Create a semi-active subfolder	Allows to create a sub-folder in a semi-active parent folder. Must be combined with the Create Subfolder permission.
Create an inactive subfolder	Allows to create a sub-folder in an inactive parent folder. Must be combined with the Create Subfolder permission.
Borrow folder	Allows to borrow a file.
Edit a folder	Allows to modify the active folders to which the user has write access.
Edit a semi-active folder	Allows to modify the semi-active folders to which the user has write access.
Edit an inactive folder	Allows to modify inactive folders to which the user has write access.
Edit an imported folder	Allows to modify the imported folders to which the user has write access.
Delete a semi-active folder	Allows to delete semi-active folders to which the user has delete access.
Delete an inactive folder	Allows to delete inactive folders to which the user has delete access.
Create a folder	Allows to create a folder in the application.
Duplicate a folder	Allows to duplicate active folders.
Duplicate a semi-active folder	Allows to duplicate semi-active folders.
Duplicate an inactive folder	Allows to duplicate inactive folders.
Edit a borrowed semi-active folder	Allows to modify a borrowed semi-active folder to which the user has write access.
Edit a borrowed inactive folder	Allows to modify a borrowed inactive folder to which the user has write access.
Modify folder's opening date	Allows to modify the opening date of a file after its creation.
Borrow folders without requesting	Allows to borrow a file without having to go through the loan application and approval system. Must be combined with the Borrow a File permission.
Make request of borrowing on folders	Allows to borrow a file through the loan application and approval system.
Make reactivation request on folders	Allows to approve reactivation requests.
Manage requests on folders	Allows to approve borrowing and return requests.
Return other users folders	Allows to return files borrowed by other users.
Move folders	Allows to move folders.

Manage search tools
Name of the field	Description
Manage synonyms	Allows to create, modify and delete synonyms.
Exclude and raise search result	Allows to exclude and elevate search results.
Manage Search capsules	Allows to create, modify and delete search capsules.
Manage corrector words	Allows to remove suggestions from the proofreader.

Manage search tools

Your content goes here

Others
Name of the field	Description
Use application programming interfaces (API Cmis)	Allows the user to manage Constellio through the application programming interfaces (API CMIS)

System
Name of the field	Description
Delete version	Allows the user to delete versions of a document
View audit	Allows to access the audit module
Modify public saved search	Allows to edit public shared searches
Delete public saved search	Allows to delete public shared searches
Modify records using batch processes	Allows to modify records through batch processing. This permission is limited by the configuration Maximum number of records that can be modified by batch processing.
Modify unlimited number of records using batch processes	This authorization is limited by the configuration Maximum number of records that can be modified by batch processing. This permission allows you to edit an unlimited number of records.
View announcements on login	See Constellio's announcements during the connection.
View search statistics	Allows to see the search statistics

Collection management
Name of the field	Description
Facets management	Allows to configure the facets of the search.
Virtual spaces management	Allows to create, modify and delete virtual spaces.
Manage value list	Allows to create, modify and delete value fields.
Manage metadata schemas	Allows to configure the metadata schemas.
Public links management	Allows to view and remove public links on documents.
Manage security	Allows to manage application security and add access to different groups and users. This permission should be limited to administrators since it allows global read, write and delete access to the entire collection.
Manage security clearance	Alloes to configure the security clearance.
Manage search boost	Allows to configure search boosts.
Manage metadata extractor	Allows to configure metadata extractors.
Manage connectors	Allows to configure SMB, HTTP, LDAP connectors, etc.
Manage trash	Allows to access the recycle garbage can to restore a record or to delete it permanently.
Manage email server	Allows to configure the email server.
Manage Excel reports	Allows to manage Excel reports in the management of printables in the pilot.
Manage shares	Allows to view and remove shared folders and documents.

Workflow management
Name of the field	Description
Manage workflows	Allows to configure the workflow templates available to the organization.
Start workflows	Allows the user to use the organization's workflows.
Delete a workflows	Allows to delete a workflow template.
Read workflow executions	Allows to consult the progress of the execution of a workflow.
Modify workflow executions	Allows to modify the execution of a workflow.
Cancel workflow executions	Allows to cancel workflow executions.
View key performance indicators	Allows to see the statistics of the tasks of your administrative unit.
View all key performance indicators	Allows to view task statistics for the entire organization.

Disposition
Name of the field	Description
Edit a folder or document disposition date	Allows to modify the transfer, deposit and destruction dates of a file.
Edit disposition lists	Allows to modify the content of a downgrade list.
Approve disposition list	Allows to approve decommissioning lists.
Manage boxes	Allows the user to create containers and associate them with the folders when declassifying.
Delete boxes	Allows to remove containers.
Consult boxes	Allows to consult the containers.
Borrow a box	Allows to consult a container and its contents.
Borrow boxes without requesting	Allows to borrow a container without having to go through the loan request and approval system. Must be combined with the Borrow a Container permission.
Make borrow request on boxes	Allows you to borrow a container by going through the borrowing request and approval system. Must be combined with the Borrow a Container permission.
Manage boxes requests	Allows for the approval of container borrowing requests.
Return other users boxes	Allows to return containers borrowed by other users.
Create analog transfer list from active to semi-active	Allows to create downgrade lists from active to semi-active transfer for paper files.
Edit analog transfer list from active to semi-active	Allows to modify the downgrade lists from active to semi-active transfer for paper files.
Generate SIP archives	Allows to generate SIP archives in the search and in the downgrade lists.
Manage archive descriptors	Allows to configure SIP archive descriptors.
Create disposition list	Allows to create a disposal list.
Process disposition lists	Allows to process a disposal list.

Archives management
Name of the field	Manage the reports
Manage reports	Allows to access the reports of the decommissioning module

System management
Name of the field	Description
Configuration	Allows to modify the system configurations.
Manage groups	Allows to manage the system's groups.
Manage groups activation	Allows to change the activation status of groups.
Manage users	Allows to manage the users of the system.
Manage collection	Allows to add, modify and delete collections in the system.
Import	Allows to export and import data from the system.
Update center	Accesses the update center to perform an update, reindex or install a license.
Manage LDAP Configuration	To configure LDAP synchronization of users and groups.
Manage labels	Allows to configure label templates.
Manage slips	Allows to configure slip templates.
Manage report templates	Allows to configure PDF report templates.
View systems batch processes	Allows to see all the batch processes in the system.
Edit other user annotation	Allows to modify the document annotations of other users.
Access temporary records page	Allows access to the temporary records page.
See all temporary records	Allows to see the temporary records generated by the entire organization.
Access to delete any temporary record	Allows to delete temporary records generated by the entire organization. Be able to delete all temporary records.
View system state	Allows to view the System button and see the status of the server.

Favorites
Name of the field	Description
Use my favorites	Allows to use the user's default bookmark group.
Use favorites groups	Allows to use favorites groups other than My Favorites.
Batch delete of all records in a favorites group	Allows to batch delete records from a favorites group.

Annotations
Name of the field	Description
Add annotation layers	Allows to add annotation layers.
Manage annotation layers	Allows to add, modify and remove annotation layers.
Share annotation layers	Allows to share annotation layers.

Documents
Name of the field	Descrition
Manage authorizations	Allows to manage the security of a document. This allows the user to add, modify and delete permissions, but also to cut off the inheritance of these.
View authorizations	Allows to view the permissions of a document, without being able to make changes to it.
Share a document	Allows you to share a document with another Constellio user. The user is limited in sharing to the accesses he has. For example, a user with write access can share read or write access, but cannot share delete access.
Share a semi-active document	Allows to share a semi-active document. Must be combined with the Share Document permission.
Share an inactive document	Allows to share an inactive document. Must be combined with the Share Document permission.
Share an imported document	Allows to share an imported document. Must be combined with the Share Document permission.
Create a document	Allows to create a document if the user has write access to the parent folder.
Create a semi-active document	Allows to create a document in a semi-active parent folder. Must be combined with the Create Document permission.
Create an inactive document	Allows to create a document in an inactive parent folder. Must be combined with the Create Document permission.
Edit a document	Allows to edit active documents to which the user has write access.
Edit a semi-active document	Allows to edit semi-active documents to which the user has write access.
Edit an inactive document	Allows to modify inactive documents on which the user has write access.
Edit an imported document	Allows to modify imported documents on which the user has write access.
Upload a semi-active document	Allows to upload a new version for semi-active documents.
Upload in inactive document	Allows to upload a new version for inactive documents.
Download a documents content	Allows to download the content of a document.
Delete a semi-active document	Allows to delete semi-active documents to which the user has delete access.
Delete an inactive document	Allows to delete inactive documents on which the user has delete access.
Delete a borrowed document	Allows to delete imported documents on which the user has delete access.
Delete a published document	Allows to delete a published document.
Return other users documents	Allows to return documents borrowed by other users.
Publish and unpublish a document	Allows to publish and unpublish a document.
View filename on system	Allows to see where the document is stored on the server vault.
Generate external signature url	Allows to request the signature of a document from another user.
Generate a PDF/A for active documents	Allows to generate a PDF/A for active documents.
Generate a PDF/A for semi-active documents	Allows to generate a PDF/A for semi-active documents.
Generate a PDF/A for inactive documents	Allows to generate a PDF/A for inactive documents.
Generate a PDF for active documents	Allows to generate a PDF for active documents.
Generate a PDF for semi-active documents	Allows to generate a PDF for semi-active documents..
Generate a PDF for inactive documents	Allows to generate a PDF for inactive documents.
Print documents	Allows to print a document.
Move documents	Allows to move documents.

Office 365
Name of the field	Description
Manage Office365 templates	Allows to manage Office365 templates
Delete Office365 content	Allows to delete Office365 templates

Was this article helpful?

What's Next

Administrative units authorizations

Table of contents

1. Role management
2. Definition of roles
3. Assignment of roles
4. Permissions