KBA-01399: Contacts – Granting Role Membership

Question:

I can add Roles to Contacts on the Member Of tab on the Contact detail (on the Contacts Dashboard).  Am I able to see and choose any Role in the system?

Answer:

It depends on what level of access you have been given through your own Roles. You cannot add a Role that has a capability that you do not already have in one of your Roles, unless you are specifically granted the right to do so.

There are several levels of granularity for what can be done on the Contacts Dashboard that affect Role membership:

  1. If you are given the PAGE | Contact Dashboard (R) and SYS | Contact Maintenance (RIU) capabilities, you can access the Contacts Dashboard and add new Contacts.
  2. If you are given the SYS | Add roles to contacts (RI) capability, you can add and edit Roles for a Contact, as long you also have the equivalent capabilities within those Roles.
  3. If you are given the SYS | Grant Contacts ability to log into the system (R) capability, you can make a Contact a Spitfire user and see Roles that include PAGE capabilities that you do not have.
  4. If you are given the SYS | Add roles to contacts (RIS) capability, you can add any Role to a Contact.

Note to System Administrators:

Consider carefully how much access to give those who will be adding Contacts and editing Contacts‘ roles.  Users who can add any Role to others can grant themselves additional Roles, including the System Admin role.  (There will be an audit trail.)   On the other hand, giving them only the SYS | Add roles to contacts (RI) capability might be too limiting.

As a solution, you can

  1. Create a Role (for example, Contact Role Membership)
  2. Give this Role READ/ALLOW (R) permission on all capabilities that should be available for your Contacts.
  3. Give the person in charge of Contacts this new Role.

In this manner, the person with the Contact Role Membership will have access to all Roles that include those capabilities.

Additional Comments:

See also the technical white paper Designing User Roles.


KBA-01399; Last updated: October 11, 2016 at 9:33 am; V4+
Keywords:  adding a role to a Contact; role capabilities;