About Roles

Watch It

Roles are created in SBM Composer as part of a process app, which can comprise multiple applications. Roles span the applications within the process app, and serve two functions:

They are a named collection of privileges. The privileges secure user actions and data access. For example, a role named User could be a collection of privileges suitable for someone to whom items are assigned but who has no administrative tasks. Someone with that role could be unable to execute some transitions and view some fields on forms.
They are a means to populate selection lists for User, Multi-User, and Multi-Group fields. You associate roles with these fields in SBM Composer.

The two functions can be connected or disconnected. When the functions are connected, a role provides privileges and populates a selection list. When the functions are disconnected, a role either populates a selection list with no privileges, or only provides privileges.

Privileges fall into two broad categories:

System privileges control a user's ability to deploy and promote process apps, and perform actions that affect application configuration.
Application privileges define what a user can view and act on within an application. These privileges allow fine-grained control over items, attachments, notes, reports, workflows, and fields.

Roles are distinct from groups, which are named collections of users. Administrators can use groups to identify a set of users based on criteria other than job function. A group could be created for a particular project, for example, or for a division within the company. You can assign roles to a group.

Note: If you associate a user or group with a role, and the role contains privileges that conflict with the user or group level of product access, those privileges are not granted to the user or group.

Users and groups are associated with roles for particular projects in the SBM Application Administrator.

Note: When groups or users are copied, role assignments are copied with them. Also, when groups or users are imported through LDAP using a template group or user, the role assignments associated with the template are copied to the new group or user.