# Roles

## Description

Soffid allows you to create roles to specify permissions that can be assigned to a user, a group, or an account. These permissions determine what operations are allowed on a resource. You can use roles to delegate access to users, applications, or services. The main goal is to achieve optimal security administration.

Roles can be defined at different levels:

- Organizational permissions.
- Application permissions.
- Low-level permissions.

When needed, generic roles can be created. When such a role is granted to any user, it is converted into a specific role by specifying an organization unit, information system, or a specific value. So, for instance, a generic emergency coordinator role can be created. The master emergency coordinator will have this role granted for the whole organization, while a remote office emergency coordinator will have this role granted for his single unit.

## Screen overview

[![image-1698682539184.png](https://bookstack.soffid.com/uploads/images/gallery/2023-10/scaled-1680-/image-1698682539184.png)](https://bookstack.soffid.com/uploads/images/gallery/2023-10/image-1698682539184.png)

## Related objects

1. [**User**](https://bookstack.soffid.com/books/soffid-3-reference-guide/page/users "Users")
2. [**Groups**](https://bookstack.soffid.com/books/soffid-3-reference-guide/page/groups "Groups")
3. [**Information System**](https://bookstack.soffid.com/books/soffid-3-reference-guide/page/information-systems "Information systems")

## Standard attributes

#### Role detail

- **Name**: name used to identify the role.
- **Description**: detailed role description.
- **System**: information storage system from a technical point of view (active directory, database, CSV, ...).
- **Category**
- **Information system name**: asset or application, from a functional point of view, on which the permissions are granted or revoked.
- **Domain**: limitation of role scope to this domain. Initially, there are two domains defined, Groups and Information Systems. More domains can be added.
- **BPM enabled**: enables the "Role assignments" workflow.
- **Approval start**: at this date, Soffid will connect to the system and will assign the role. If there is no approval start, the role will be assigned immediately.
- **Approval end**: at this date, Soffid will connect to the system and will revoke the role.

More information about workflows is available in the [BPM Editor Book](https://bookstack.soffid.com/books/bpm-editor "BPM Editor").
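As an added illustration (not Soffid code and not part of the original documentation), this Python sketch models how the scope of a generic role grant and the approval start and end dates decide whether a user holds the role for a unit on a given day, plus a small access-review helper. The `Grant` fields, the use of `None` for an organization-wide scope, and the sample users and units are assumptions made for the example.

```python
from dataclasses import dataclass
from datetime import date
from typing import Optional

@dataclass(frozen=True)
class Grant:
    """One role assignment. Field names are assumptions for this sketch."""
    user: str
    role: str
    scope: Optional[str] = None   # domain value (e.g. a unit); None = whole organization
    start: Optional[date] = None  # approval start; None = assigned immediately
    end: Optional[date] = None    # approval end; the role is revoked on this date

def is_active(g: Grant, today: date) -> bool:
    """Assigned on the start date, revoked on the end date."""
    if g.start is not None and today < g.start:
        return False
    return g.end is None or today < g.end

def holds(grants, user, role, unit, today):
    """True if `user` holds `role` for `unit` today, unit-scoped or organization-wide."""
    return any(
        g.user == user and g.role == role and is_active(g, today)
        and g.scope in (None, unit)
        for g in grants
    )

def standing_org_wide(grants, today):
    """Access-review helper: active organization-wide grants with no approval end."""
    return sorted(g.user for g in grants
                  if is_active(g, today) and g.scope is None and g.end is None)

# Constructed sample data (not taken from a real Soffid instance).
GRANTS = [
    Grant("alice", "emergency-coordinator"),                         # master, whole org
    Grant("bob", "emergency-coordinator", scope="remote-office-1"),  # single unit
    Grant("carol", "emergency-coordinator", scope="remote-office-2",
          start=date(2024, 3, 1), end=date(2024, 4, 1)),             # temporary cover
]

if __name__ == "__main__":
    day = date(2024, 3, 15)
    for user in ("alice", "bob", "carol"):
        print(user, holds(GRANTS, user, "emergency-coordinator", "remote-office-2", day))
    print("review:", standing_org_wide(GRANTS, day))
```
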

#### Granted roles

On the granted roles tab, you can assign the privileges of this role to another role in another system. To assign privileges, click the button with the add symbol (+), then select the target role, finish, and apply changes. With this operation, all the permissions of this role will be assigned to the target role.

To revoke permissions, select one or more records from the list and click the button with the subtraction symbol (-).

In addition, you can check the preview of changes, which displays information about the action, the user or account, and the role or domain, and you can apply them.

#### Grantee roles

On the grantee roles tab, you can assign the privileges of a role of any other system to this role. To assign privileges, click the button with the add symbol (+), then select the source role, finish, and apply changes. With this operation, all the permissions of the source role will be assigned to this role.

To revoke permissions, select one or more records from the list and click the button with the subtraction symbol (-).

In addition, you can check the preview of changes, which displays information about the action, the user or account, and the role or domain, and you can apply them.

#### Grantee groups

On the grantee groups tab, you can assign the privileges from a specific group to this role, or revoke the privileges. To assign privileges, click the button with the add symbol (+), then select the group, finish, and apply changes. With this operation, all the permissions of this group will be assigned to the role.

To revoke permissions, select one or more records from the list and click the button with the subtraction symbol (-).

In addition, you can check the preview of changes, which displays information about the action, the user or account, and the role or domain, and you can apply them.

#### Users

On the users tab, you can assign or revoke roles.

To **assign a role**, click the button with the add symbol (+) and choose one or more users, fill in the scope when it is mandatory, and set the membership properties. Each role needs an account to be applied to, so if a user has no account on a system and a role on that system is granted, a new account will be created on this system. If a user has more than one account on a system, you should indicate which of the suitable accounts will be granted the role.

It is also possible to **revoke roles** from the user from the entitlement details, or by selecting one or more records from the list and clicking the button with the subtraction symbol (-). Users with the role assigned by rules are displayed in different colors. Soffid does not allow roles that were assigned by rules to be revoked on that page.

Additionally, you can **download a CSV file** with the basic user data.

#### Role assignment rules

You can consult the Role assignment rules related to this role.

For more information, you can visit the [Role assignment rules page](https://bookstack.soffid.com/books/soffid-3-reference-guide/page/role-assignment-rules).

## Actions

#### Roles query

- **Query**: Allows you to query roles through different search systems, [Quick, Basic and Advanced](https://bookstack.soffid.com/books/soffid-3-reference-guide/page/search-types "Search Types").
- **Add or remove columns**: Allows you to show and hide columns in the table.
- **Add new**: Allows you to add a new role in the system. You can choose that option on the hamburger menu or click the add button (+). To add a new role, it is mandatory to fill in the required fields.
- **Delete**: Allows you to remove one or more roles by selecting one or more records and then clicking the button with the subtraction symbol (-). To perform that action, Soffid will ask you for confirmation; you can confirm or cancel the operation.
- **Import**: Allows you to upload a CSV file with the role list to add or update roles in Soffid. First, pick a CSV file; that CSV has to contain a specific configuration. Then check the content to be loaded; you can choose whether or not to load a specific attribute. Finally, select the mappings for each column of the CSV file to import the data correctly and click the Import button.
- **Download CSV file**: Allows you to download a CSV file with the basic roles data.

#### Roles detail

- **Apply changes**: Allows you to save the data of a new role or to update the data of a specific role. To save the data, it is mandatory to fill in the required fields.
- **Delete**: Allows you to delete a role. You can choose that option on the trash icon. To perform that action, Soffid will ask you for confirmation; you can confirm or cancel the operation.
- **Undo**: Allows you to quit without applying any changes.
- **Preview changes**: Shows the pending changes on users or accounts. Soffid shows the information about the user or accounts, the action, and the role.
- **Apply now (changes)**: Allows you to apply the pending changes.

##### Granted roles

- **Apply changes**: Allows you to update the data changes.
- **Add**: Allows you to add a new granted role. To add a granted role, first click the add button (+). Second, write or search for a role. Once you have selected the role, the next step, if necessary, is to set the scope. Then finish the process. Finally, apply changes.
- **Delete**: Allows you to delete one or more granted roles. To delete one, you can select the record and click the button with the subtraction symbol (-) or the trash button located at the end of the row. To delete several at the same time, select the records and then click the button with the subtraction symbol (-). To perform that action, Soffid will ask you for confirmation; you can confirm or cancel the operation. Finally, apply changes.
- **Preview changes**: To perform that action, Soffid will ask you for confirmation; you can confirm or cancel the operation.
- **Apply now (changes)**: Allows you to apply the pending changes.

##### Grantee roles

- **Apply changes**: Allows you to update the data changes.
- **Add**: Allows you to add a new grantee role. To add a grantee role, first click the add button (+). Second, write or search for a role. Once you have selected the role, the next step, if necessary, is to set the source scope and the scope. Then finish the process. Finally, apply changes.
- **Delete**: Allows you to delete one or more grantee roles. To delete one, you can select the record and click the button with the subtraction symbol (-) or the trash button located at the end of the row. To delete several at the same time, select the records and then click the button with the subtraction symbol (-). To perform that action, Soffid will ask you for confirmation; you can confirm or cancel the operation. Finally, apply changes.
- **Preview changes**: To perform that action, Soffid will ask you for confirmation; you can confirm or cancel the operation.
- **Apply now (changes)**: Allows you to apply the pending changes.

##### Grantee groups

- **Apply changes**: Allows you to update the data changes.
- **Add**: Allows you to add a new grantee group. To add a grantee group, first click the add button (+). Second, write or search for a group. Once you have selected the group, the next step, if necessary, is to set the scope. Then finish the process. Finally, apply changes.
- **Delete**: Allows you to delete one or more grantee groups. To delete one, you can select the record and click the button with the subtraction symbol (-) or the trash button located at the end of the row. To delete several at the same time, select the records and then click the button with the subtraction symbol (-). To perform that action, Soffid will ask you for confirmation; you can confirm or cancel the operation. Finally, apply changes.
- **Preview changes**: To perform that action, Soffid will ask you for confirmation; you can confirm or cancel the operation.
- **Apply now (changes)**: Allows you to apply the pending changes.

##### Users

- **Add or remove columns**: Allows you to show and hide columns in the table.
- **Add**: Allows you to add users or accounts to assign the role. To add users or accounts, first click the add button (+) or the "Add new" action located on the hamburger icon. Second, search for the users and/or accounts and select the ones you want to add. Once you have selected the users and/or accounts, the next step, if necessary, is to set the scope. Then fill in the membership properties and finish the process. Finally, apply changes.
- **Delete**: Allows you to delete one or more users and/or accounts, that is, Soffid will revoke the role. To delete one, you can select the record and click the button with the subtraction symbol (-) or the trash button located at the end of the row. To delete several at the same time, select the records and then click the button with the subtraction symbol (-). To perform that action, Soffid will ask you for confirmation; you can confirm or cancel the operation. Finally, apply changes.
- **Preview changes**: To perform that action, Soffid will ask you for confirmation; you can confirm or cancel the operation.
- **Apply now (changes)**: Allows you to apply the pending changes.
- **Download CSV file**: Allows you to download a CSV file with all the information about users.