Roles and Permissions - Detailed Overview

Overview - Managing Roles

SS&E supports the creation of dynamic security roles.

Roles represent a group of people at your institution whom you wish to perform a specific function.

For example, advisors, administrators, and disability services all represent roles that can be assigned in SS&E . In addition, when creating a new role in SS&E, the name of the role can be anything*, however, the function must be selected from a list of pre-defined SS&E functions. 

*For clarity, most roles will/should include the function name in the role name. For example:

  • The "Student" function is almost always only associated with one role, the "Student" role.
  • The "Administrator" function is also almost always associated only with one role, the "SS&E Administrator" or "Administrator" role.

For an overview and complete list of SS&E functions, see here.

Limited Profile View and Full Profile View Settings

In addition, on each role, the Profile View Configuration section determines if/how the role can view all/on caseload/off caseload student records,

The Profile View settings can be configured to allow users to view the same information on ALL student records, whether the students are included in the logged-in user's caseload ("On caseload) or not ("Off caseload"). This would indicate that the logged in user has a Full Profile View for all students.
Or if the logged-in user can only view certain information on student records depending on whether the student is "on caseload" or "off caseload". This would indicate that the logged-in user has a Full Profile View of students that are included in their caseload, and a Limited Profile View of student records that are "off caseload".

For more detailed information about Limited Profile View and Full Profile View settings, click here.

How to create a new role:

  1. Navigate to the Administration section of SS&E.
  2. Go to People & Roles - Roles. A list of existing roles will display on this page.
  3. Click the New button in the upper right. The next screen will permit you to create a new role by entering a role name, a description and selecting the role function.
        • It is very important to select the appropriate function since all individuals assigned this role will be associated with any "underlying" permissions associated with the specific function, further explained here.
        • The function is what helps SS&E understand whether a role represents a student-based role (users only see a Student View) or a staff-based role (users see a Staff View).
  4. For each role, available permissions can be assigned to the role by being selected via checkboxes. Select the relevant permissions that you wish all users assigned this new role to have enabled.
  5. When complete, click the Save button.

The new role you have defined is now available throughout SS&E.

  • Tags, Note Types, Analytics, Reports, Alerts, Achievements, Resource Guide, SMS Texting, and more are all configured by role.
  • From the item's administration page, clicking on Edit will allow an SS&E Administrator to select which roles are associated with and allowed to use/view each item.
  • When a new role is created, this will not be added automatically to any existing functionality configuration within SS&E.
  • If needed, an SS&E Administrator will need to assign the new role manually to each item by visiting each pertinent section of the administrative screens in order to add the role.

How to Assign a Role

Roles can be assigned by one of the following methods:

SIS Person Import Role

When people records are imported from your SIS via the Person data feed, users may have a role setting included in their Person record.

  • When a function/group name is passed in from the SIS, roles are assigned based on the "Person Import Role" Type.
  • Role types are only applicable when a function/group name is passed in from the SIS on the Person data feed, which applies the function's associated "person import role" . If a function name is not passed in from the SIS, then the Integration ID is used to assign this role instead.
      • Ancillary role types will not be assigned by the SIS if using function/group names. Since this would assign the role that is associated with the function/group name instead.
      • Person Import role types may be assigned by the SIS if using function/group names or passing in the associated Integration ID.
  • If the Person data feed "role" value is empty, then person roles are assigned manually by an administrator within the SS&E application. 

Important Notes:

    • Once a role has been set through the SIS import process, it will not be removed if the role is no longer present in the import for a user. It must be removed using the user interface.
    • Once a role is removed using the user interface it cannot be re-added using an import. It must be re-added manually.

When a person record is imported from the SIS with a person import role, SS&E will automatically match the "role" included on the Person Data Feed to a specified "Function".

  • Only one role associated with each "Function" type is marked with "Person Import Role".
  • The Integration ID is case sensitive and must match between the Person data extract and Role Administration.
  • To check the role in SS&E, go to Role Administration found here and click on the Person Import Role "Name" to view the Integration Id.
  • To assign/change the role integration id, select "Edit" and enter the exact role assignment (ROLE_xxxx) being imported on the Person data feed extract (person.json) from the SIS.
      • From SS&E help text: "This ID can be passed in the Person data feed to automatically assign this role to a person. It must be prefixed with "ROLE_".
  • Once a user is assigned a role via the SIS Import, a future SIS Import Job cannot remove that role from the user, and the role would need to be removed manually.

Manually Assigning a Role within SS&E

Once new roles are created in SS&E, they are ready to be assigned to the appropriate individuals. 

When a role is manually assigned within People & Roles Administration, it will not be overwritten or removed by the SIS Import.

To manually assign a role in SS&E:

  1. Navigate to Administration - People & Roles - People page found here.
  2. Search for the appropriate person by name or ID, then click on their Institution Id.
  3. From "Security Roles", click on +Add.
  4. Select the appropriate Role from the Security Roles dropdown.
  5. Select Save.
  6. Refresh the student/staff record to view the new role permissions associated with the individual.

NOTE: It is recommended to create a spreadsheet as a helpful tool for institutions to use when thinking through the additional security role groups you would like to deploy.  This spreadsheet will better prepare you to see what all permissions, features, and functionality will be impacted by each role that is created.

Please keep in mind that if you build your own dynamic security role(s), you will need to manually assign each role to the appropriate individuals from their User Detail Security Tab.

Going through all of the items listed on the spreadsheet will help ensure that the appropriate role has been given access to the desired features, functionality, and permissions within SS&E Administration.

Bulk Actions - Add/Remove Roles

Roles may also be associated with or removed from user(s) in bulk from the People Administration page action menu using the Bulk Actions Add/Remove function.

For more information about People Administration bulk actions, see here.

  • Once a role is removed manually from a person record in SS&E, a future SIS import Job will not be able to add the same role back to the user record.
  • If needed, any manually removed role must be manually reassigned in SS&E (either via the person record - security roles - add or via people admin - add - role).

The Role Function

The role function is what determines if a user role is associated with a Student View or a Staff View when using SS&E. 

  • If a user is assigned multiple roles that includes at least one non-student function, they will have a Staff View when accessing SS&E.
  • Only users assigned a role(s) that are only associated with Student function have a Student View.
      • If a student does not have any assigned roles, their student profile view will not include the student success team, and "Follow" on the top menu bar is inaccessible.
      • To fix this, the student role must be assigned either be manually adding it to their User Detail record in People Administration or importing it from the SIS via the Person data feed.
      • Students that are also staff/faculty will NOT see a student view as they only have a staff view.
  • All non-Student functions (except New Registrant and External API) will give users a Staff View.
  • If a user has multiple roles that are all associated with staff functions, the user will have a staff view when logging into SS&E. The permissions displayed on the User Permissions tab are gathered from all roles that display on the User Details tab.
      • If one of the user roles/function is "Adjunct Faculty", this function can remove permissions otherwise assigned from other user roles. If this is not the intention, the adjunct faculty function role should be removed.
      • In addition, the Manager, Analyst, and LMS Administrator roles/functions also have built-in/limited permissions and should only be assigned when needed.
  • If a user has multiple roles, and at least one role has a staff function and at least one role has a student function, this user will only have a Staff View when logging into SS&E even though they are also assigned the "student" function.
      • Since this student-staff user sees a staff view when accessing SS&E, it is very important to pay attention when setting permissions on all assigned roles, so that when permissions are "combined", the student-staff user does not have permissions granted on items they should not be allowed to access, especially from the "student" function role.
      • Currently, each user is only allowed one "view" type after logging into SS&E. However, we are planning to eventually allow users the ability to switch between different views. For example, once users are able to access both student and staff view types, then administrators can set different permissions on the Student function role that only apply to the logged-in user's Student view and will not apply to the logged-in user's Staff view.
  • In order for staff to display on the Student's Success Team as the student's Primary Advisor, they must be assigned a role that is associated with the Advisor function.
  • In order for staff to display on the Student's Success Team as the student's Primary Coach (second position), they must be assigned a role that is associated with the Coach function.

Role Removal

When a security role is manually removed from the UI, that same security role will never be added back again to the same user by the SIS import process.

How to manually remove an assigned role in SS&E:

  1. Navigate to the People Administration page from Administration - People & Roles - People, found here.
  2. Search for the appropriate person by name or ID, then click on their Institution Id.
  3. From the list of "Security Roles", find the role to remove and click on the red icon to the right.
        • If a role was removed by mistake, add the role back by selecting +Add and selecting the appropriate role from the Security Roles dropdown.
  4. Refresh the student/staff view to view the new role permissions associated with the individual.
  • Removing a role from the Person data feed imported via the SIS Import Process/importing a person record with a blank role will NOT remove a role that was imported in the past and displays in SS&E.
  • Therefore, removing a role must always be done manually in SS&E.

Furthermore, once a role is removed manually from a person record in SS&E, then a future SIS import Job cannot re-add the same removed role to the user. If needed, the same role would need to be added manually from the Person User Details.

Why are users missing a role in SS&E?

If a role is included in the Person data extract imported from the SIS yet does not display on the Person record in SS&E, this means that the same role was assigned and manually deleted in the past from the UI, and therefore the same role cannot be assigned via the SIS Import again.

By design, any past role included in the Person data extract (person.json) will NOT display in SS&E and must be reassigned manually on the Person record from here.

How to Delete a Role

To remove a role entirely from the system, from the Roles Administration page, select the role and then select "Delete" from the main menu bar.

  • In order to delete a role, the role must not be used anywhere and cannot be assigned to any users.
  • Trying to delete a role that is being used will "do nothing" and hovering over the Delete action will display a message stating "Cannot delete this role as it is currently being used". To find out where and how the role is still being used, check the role's Role Usage section and make sure that all role usage items show zero use. When all Role Usage items are set to zero. the delete action will work.

rrrd.PNG

 

delro.PNG

 

Role Usage

From the Roles Administration page found here, each role displays the following item with links that represent where in SS&E Administration has the role been assigned, i.e. "permitted". This helps administrators quickly assess how a specific role is currently being used in SS&E.

Each link displays "how many times" the role is used, and clicking on the link will list "what/who" is associated with the specified role.

  • People - Which users are assigned to the specific role.
  • Tag(s) - The Tags that the role is able to view and use.
  • Note Type(s) - The Note types that the role is able to view and use.
      • If Note Type(s) = 0, this means that the role is not associated with any note types and notes will not display even when Notes permissions are set to "Yes" (unless the user has another role that allows "note types", e.g.. Note Type(s) is greater than 0 on their other role(s)).
      • By design, each note is associated with a note type. If a user does not have any role with permitted note types, they will not be able to create/add a note within SS&E.
  • Achievement(s) - Which Achievements the role is able to view and use.
  • Alert(s) - Alerts that the role is able to view and use (both Automated Alerts and Staff-Initiated Alerts).
      • By default, the Alert(s) usage link opens on Automated Alerts yet alert role usage also includes Staff Initiated Alert - Security Role assignment that needs to be checked separately.
  • Report(s) - Which Built-In Reports is the role able to view and use.
  • SMS - Is the role allowed to send SMS messages from SS&E (1=true, 0=false).
  • Excused Absence(s) - Is the role allowed to manage excused absences (1=true, 0=false).
  • Success Scoring Strategy(s) - Is the role allowed to view analytics (1=true, 0=false).

c5.JPG

Clicking on a linked usage item will open the corresponding item administration page (tags, note types, reports, etc.) to quickly view what exactly is associated with a specific role.

  • This can be very helpful when trying to determine which and why different items are available for different users throughout SS&E based on their assigned role(s).

For example, if a user has three assigned roles, and all three roles show 0 report(s), then the reports tab will not display for this user when they are logged into SS&E.

However, if any one of the three roles has at least one report associated with the role in SS&E Administration, then the user will be able to view the Report tab and view the report(s) that their role has permissions for.

  • Clicking on the Role - Report(s) link will open Reports Administration and display which exact report(s) are permitted for the specified role.
  • In addition, using the "Roles" filter in Reports Administration, administrators can find out what reports will display for any combination of select role(s).

Captured.JPG

Staff Functions

Some functionality in the system depends on the user having a role that is associated with a "staff" function. Eventually, this behavior will be deprecated for a more dynamic model, but for now, the following functions are considered "staff" functions:

  • Adjunct Faculty
  • Administrator
  • Advisor
  • Analyst
  • Coach
  • Faculty
  • Faculty Advisor
  • High School Staff
  • LMS Administrator
  • Manager

Student/Staff Users

Users that are assigned multiple roles that are associated both with student and staff functions require special attention when setting up Role permissions.

For more information about student-staff roles, see here.

Role(s) Permissions

To view the permissions applied in SS&E from all user assigned roles, from People & Roles - People, select the user and click on the Read-Only "Permissions" tab.

Capturep.PNG

Was this article helpful?
0 out of 1 found this helpful

Articles in this section

See more
How to Contact Support
There are many ways to reach out! Click here for our support options.
Watermark Academy
Click to access the Watermark Academy for consultation, training, and implementation companion courses.