Understanding Users, Roles, and Permissions

A user is anyone who accesses and uses Mambu via the UI or the API. Users are assigned permissions which determine a user’s control in Mambu, meaning the information they can access and the tasks they can perform. Each permission has a name and covers one action or a small subset of action - for example View Client Details (VIEW_CLIENT_DETAILS). Permissions can be assigned to users either directly or through a role. A role is a way to group permissions and to control other forms of access within Mambu.

For more information about roles, see Roles and for a full list of permissions, see Permissions.

Assigning permissions to a user

You may choose to assign permissions to a user directly or they can be assigned through a role. However you cannot do both.

Permissions assigned directly to a user

You can assign permissions directly to the user either via the Mambu UI or API. For more information, see Creating a User - Permissions.

Permissions assigned through a role

To assign permissions to a user through a role, you have to both create a role and assign all the relevant permissions to it, and assign the role to the user. A user can only have one role.

Roles make it easier to add or remove permissions for a number of users as you would only need to update the permission at the role level and not for each individual user who has been assigned that permission.

Access managed by role

There are activities and groups of information where access can only be managed by assigning a user a role instead of assigning a set of permissions directly to a user.

These occasions can be split up into two main types. The first type when access is granted to users that have a specific role assigned to them which is irrespective of what permissions are assigned to the role itself. See Access granted to roles irrespective of assigned permissions, for more information.

The second type is when users are granted access provided that they have a specific role assigned to them and that this role has specific permissions assigned to it. See Access granted only to roles with appropriate permissions, for more information.

Access granted to roles irrespective of assigned permissions

In some cases, you grant access to specific pieces of information in Mambu using roles. In these cases, the access is granted to those roles irrespective of what permissions are assigned to them.

Custom fields example

For example, when you are working with custom fields there are two types of access that you can manage.

One kind of access is to determine which users can view, create, edit, or delete custom fields as a whole.

Another kind of access is to determine which users are able to manage information entered in a particular custom field that appears in specific forms throughout Mambu.

To assign a user the right to view, create, edit, or delete custom fields as a whole you have to assign the appropriate permissions to them either directly or through a role, for example by assigning the Edit Custom Fields (EDIT_CUSTOM_FIELD) permission.

However to allow a user to enter information in a particular custom field when it appears in a form they have to have a specific role assigned to them and that role has to be selected in the Rights section of that particular custom field. The permissions assigned to the role are irrelevant in this case. The only way the user can have access to enter information in the custom field is to have their role selected.

For more information about custom field permissions, see Custom field permissions and for more information about granting access to roles to manage custom field information, see Custom Fields - Rights section.

Access granted only to roles with appropriate permissions

In other cases, you have to assign appropriate permissions to a role and subsequently assign the role to a user for them to have access. Assigning permissions directly to a user will not work unless the option to grant access to all users is selected.

For example, access to view menu items with views is managed at the role level with specific permission assignment. For instance, if the All Users option is not chosen for the Clients menu item then in order for a user to see the Clients menu item the role assigned to them must have the View Client Details (VIEW_CLIENT_DETAILS) permission assigned to it and the role has to be selected in the Usage Rights section of the menu item form. If either of these conditions is not met, the user will not have access. For more information, see Menu item types and permissions.

Guidelines for assigning roles and permissions

Administrator (admin) users

Admins have access to sensitive data and can do practically anything in Mambu. We recommend you have a minimum of two admin users for account management purposes. For example, an admin user can reset another admin user's password, therefore in the case of an account lockout it is useful to have another admin in your organization.

However, we recommend a maximum of four admins in your organization for data security.

General permission assignment

We recommend assigning the least amount of access a user needs to get their job done, meaning the least permissive role or the least amount of permissions.

For example, if you want a user to manage users, roles, access preferences, and federated authentication, we do not recommend assigning the administrator user type. Instead, we recommend you create a role titled "access admin" and assign this role to the user.

Limiting role and user management permission assignment

Role and user management permissions (see below for a list) allow a user to alter the access settings for other users as well as their own user in the system.

User management permissions:

• Create Users (CREATE_USER)
• Edit Users (EDIT_USER)
• View User Details (VIEW_USER_DETAILS)
• Delete Users (DELETE_USER)

Role management permissions:

• Create Roles (CREATE_ROLE)
• Edit Roles (EDIT_ROLE)
• View Roles (VIEW_ROLE)
• Delete Roles (DELETE_ROLE)