Roles & Permissions

Roles control what users can see and do. FSManager ships with role templates matched to common job functions — admins fill in the permissions to match how their business actually operates.

Overview

A role is a named bundle of permissions. Users get one or more roles; their effective permissions are the union of all assigned roles’ permissions.

Permissions are layered:

  • Type permissions — can this role see / read / write / delete records of a given type (Customer, Quote, Job)?
  • Member permissions — can this role edit specific fields on a type (e.g. write SalesPrice but only read CostPrice)?
  • Navigation permissions — can this role see a given menu item?
  • Custom permissions — application-defined flags (e.g. AllowedApproveLeave, AllowedEditSignIn) that gate specific actions.

Built-in roles

FSManager seeds 10 roles into every new tenant:

| Role | Purpose | Pre-configured? |
|---|---|---|
| Administrators | Full system access. Manages users, roles, settings. | Yes — all permissions granted |
| Default | Minimum baseline — what every user gets implicitly. | Yes — minimal read access |
| Demo Viewer | Read-only for demos and trial walkthroughs. | Yes — read-everywhere, write-nothing |
| Sales | For estimators, sales reps, account managers. | Blank — configure to fit your business |
| Production | For factory supervisors and production managers. | Blank |
| Manufacturing | For shop-floor workers running tasks. | Blank |
| Delivery | For dispatch and delivery coordinators. | Blank |
| Office | For administrative staff (reception, accounts entry). | Blank |
| Installation | For install crews. | Blank |
| External Contractor | For sub-contractors with limited login access. | Blank |

The blank roles are template names with no permissions attached. The expectation is that an admin opens each one and grants what makes sense — types, fields, menu items, and custom permissions to match the role’s real-world scope.

You can’t delete the built-in roles. You can ignore the ones you don’t need (no one assigned to them = no effect) or rename them to better fit your terminology.

How roles map to users

Each ApplicationUser can have one or more roles. The user’s effective permissions are the union — if any assigned role grants a permission, the user has it.

Typical patterns:

  • Single role for most users — assign just Sales or Production to one person.
  • Layered roles for hybrid jobs — a working manager might have both Sales and Production.
  • Add Administrators for IT contacts — keep this list small.

The Default role applies implicitly to every user. It’s the baseline; you don’t have to explicitly assign it.
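
The union rule above, worked through as an added example: a constructed Python model, not FSManager or XAF code. Role contents, user names and helper functions are assumptions made for illustration. It computes effective permissions with the implicit Default role and reports which roles grant Delete on Opportunity, Quote or Job, because every granting role has to be edited before that grant goes away.

```python
from itertools import product

OPS = ("Read", "Write", "Create", "Delete")
TRANSACTIONAL = ("Opportunity", "Quote", "Job")  # types named under Tips & gotchas

def grants(types, ops):
    """Build a set of (object_type, operation) grants."""
    return frozenset(product(types, ops))

ROLES = {  # constructed sample configuration, not shipped defaults
    "Default": grants(["Customer"], ["Read"]),
    "Sales": grants(["Customer", "Opportunity", "Quote"], ["Read", "Write", "Create"]),
    "Production": grants(["Job"], OPS),  # includes Delete
    "Installation": grants(["Job"], ["Read", "Write", "Delete"]),
    "Administrators": grants(["Customer", *TRANSACTIONAL], OPS),
}
USERS = {  # constructed sample assignments
    "alice": ["Sales"],
    "bob": ["Sales", "Production"],
    "carol": ["Administrators"],
    "dave": [],
    "erin": ["Production", "Installation"],
}

def assigned_roles(user):
    # Default applies implicitly to every user, whether assigned or not.
    return ["Default", *[r for r in USERS[user] if r != "Default"]]

def effective(user):
    """Union of the grants of all the user's roles; no role can subtract."""
    perms = set()
    for role in assigned_roles(user):
        perms |= ROLES[role]
    return perms

def granting_roles(user, obj_type, op):
    """Every role that must change before this grant is actually removed."""
    return [r for r in assigned_roles(user) if (obj_type, op) in ROLES[r]]

def review():
    """Flag Delete on transactional types and list Administrators members."""
    findings = []
    for user in sorted(USERS):
        for obj_type in TRANSACTIONAL:
            if (obj_type, "Delete") in effective(user):
                findings.append((user, obj_type, granting_roles(user, obj_type, "Delete")))
    admins = sorted(u for u, roles in USERS.items() if "Administrators" in roles)
    return findings, admins
```

In this sample, erin's Delete on Job comes from two roles, so removing it from Production alone changes nothing for her.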

Custom permissions

Custom permissions are application-defined flags that gate specific behaviour rather than CRUD on an entity. Examples surfaced elsewhere in these docs:

Custom permissions live on the Role record (under a Custom Permissions / Permission Flags section). Tick the flags your role should have, save.

License feature gating

Separate from roles, your tenant has a license tier (Lite / Full / Pro). Tier-gated features (e.g. Manufacturing Scheduling, Stock Management) are hidden from the UI for tenants whose licence doesn’t include them — regardless of role.

You don’t manage this directly from Roles & Permissions; it’s set on the tenant by FSManager Sales when you sign up or upgrade. If a menu item or feature is conspicuously missing, the cause is most likely your tier rather than your role.

How to: configure a built-in role

  1. Open Administration → Roles & Permissions.
  2. Click into one of the blank templates (e.g. Sales).
  3. On the Type Permissions tab, add a permission for each entity the role needs:
    • Pick the Object Type (e.g. Opportunity, Quote, Customer).
    • Set Read / Write / Create / Delete allowed flags.
    • Optionally apply a Criteria (e.g. only allow read where SalesRep = CurrentUserEmployee()).
  4. On the Member Permissions tab, add field-level restrictions if you need them — e.g. Sales reps can read CostPrice on Quote but not write it.
  5. On the Navigation Permissions tab, tick the menu items this role can see.
  6. In the Custom Permissions section, tick application flags like AllowedApproveLeave.
  7. Save.

Existing users with this role pick up the changes on their next login.

How to: create a new role

  1. Administration → Roles & Permissions → New.
  2. Give the role a clear name (e.g. Showroom Sales).
  3. Build out the same permission tabs as above.
  4. Save.
  5. Assign the new role to users via their ApplicationUser → Roles tab.

How to: troubleshoot “I can’t see X”

When a user reports a missing menu, button, or record:

  1. Confirm their role. Open their ApplicationUser → Roles. What’s assigned?
  2. Check the role’s permissions for that area. Type permission? Navigation permission?
  3. Check criteria. A role might grant Read on Opportunity but with criteria SalesRep = CurrentUser — meaning the user only sees their own.
  4. Check tier. Is the missing feature available on your licence tier? Lite users can’t see Full-tier features regardless of role.
  5. Have them log out and back in. XAF refreshes permissions on session restart; changes don’t always propagate live.

Tips & gotchas

  • Start with templates. Don’t create a custom role for every job title — open the existing template (Sales, Production) and add what’s needed. You only need a new role when the existing ones can’t be shaped to fit.
  • Permissions are additive across roles. A user with both Sales and Production gets the union of both. There’s no way to deny a permission for one role that another role grants.
  • Test changes with a real account. Don’t trust your admin view — log in (or use Switch User) as a regular user to verify they see what you expect.
  • Be cautious with Delete permissions. Read and Write are recoverable; Delete is often not. Default to no Delete on transactional entities (Opportunity, Quote, Job) — use Cancel actions instead.
  • Custom permissions are buried. Don’t forget to scroll down on the Role detail view — AllowedApproveLeave and friends live below the standard tabs.
  • Demo Viewer is your friend for sales calls. Assign it to a temporary user to give someone a guided tour without risk of edits.

Related

  • User Management — creating users and assigning roles
  • Time Recording — features gated by AllowedApproveLeave and AllowedEditSignIn
  • System Settings — Departments, Positions, and other non-permission admin