Setting Up Users and Roles > Setting Up Roles > Uses of Roles
  
Uses of Roles
The primary use of roles is to limit access to menu-level functions. Roles are also used to:
Limit access to other resources such as sites and GL accounts. This is described in Setting Up Additional Types of Security.
Limit access to a set of activities that are not on the menu related to component-based functions.
Create customized versions of component functions that are stored and retrieved at the role level.
Create saved browse settings and report variants that are stored and retrieved at the role level.
The last two activities are described in QAD System Administration User Guide and Introduction to QAD Enterprise Applications User Guide.
Note: The Process Maps display on the menu in the .NET UI, but are not secured through role permissions. Anyone can view the maps. However, security is invoked when a user clicks a link in a process map that executes a menu-level program. If they do not have access, an error displays.
Default Roles
Each user can be assigned a default role in Role Membership Maintain. This default is not related to security. For security, a user always is granted the sum of resources assigned to the various roles assigned to them. However, for customizations, searches, and report variants saved at the role level, a default role is required to determine what to display.
Example: Customized versions of Supplier Invoice Create are developed for role SalesClerk and SalesManager. The operations manager is assigned both of these roles, but SalesManager is marked as the default role. When the operations manager uses Supplier Invoice Create, the version customized for SalesManager displays.
If a user is not assigned a default role when multiple role-specific customizations exist, the system-level version of the function or report displays.
Non-Menu Resources
Most resources assigned to a role represent menu-level programs and activities. However, roles can be granted permission to a few system activities that are not on the menu.
Secured Items Not on Menu shows the activities that must be assigned permissions, but which do not appear on the application menu.

Secured Items Not on Menu
 
Secured Item
Description
Customization – Design Mode General (Entity)
Customization – Design Mode Role (Entity)
Customization – Design Mode User (Entity)
Determines if users with this role can customize the user interface through the Design Mode features at the system, role, or user level. For details, see the section on design mode in QAD System Administration User Guide.
Supplier – Supplier Invoices (Entity)
Determines if users with this role can access the Supplier Invoices (for the current entity) Related View as a right-click option on Supplier browses.
Customer – Customer Invoice (Entity)
Determines if users with this role can access the Customer Invoices (for the current entity) Related View as a right-click option on Customer browses.
Customer – Customer Invoices Activity
Determines if users with this role can access the Customer Invoices Activity Related View as a right-click option on Customer browses.
Customer Invoice – Modify Due Date (Entity)
Determines if users with this role can modify invoice due dates using Customer Payment Selection Modify.
Customer Payment Selection Modify is used in EDI Advanced Banking for Accounts Receivable. For details, see QAD Financials User Guide.
Evaluated Receipt Settlement Create – (Entity)
Evaluated Receipt Settlement Modify – (Entity)
Determines if users with this role can run the ERS Processor to generate supplier invoices and corresponding receiver matching records based on completed purchase order or fiscal receipts. For details, see QAD Financials User Guide.
ERS Line – Create (Entity)
Determines if users with this role can access the ERS logging activities run by the ERS Processor. You cannot run the ERS Processor if you do not have access to these activities.
General Ledger Masks – Maintain GL Masks (Entity)
GL masks have been replaced by COA masks. This option lets you access the old GL Mask Maintain function to verify the conversion to the newer COA mask functions.
Journal Entry – Create (External)
Determines if users with this role can create journal entries using an API. The API create method is used by both Operational Transaction Post (25.13.7) and Invoice Post and Print (7.13.4) to create journal entries. It could also be used to post transactions from an external system.
You must assign this resource to any users that will be posting operational transactions to the GL.
Posting - Create External Posting (Entity)
Determines if users with this role can post transactions to external systems from the current entity during Operational Transaction Post (25.13.7).
Report Schedule – MaintainSchedule (Entity)
Determines if users with this role can maintain report schedules.
Report Variant Maintain on Role Level (Entity)
Report Variant Maintain on System Level (Entity)
Report Variant Maintain on User Level (Entity)
Determines if users with this role can save report variants at the role, system, or user level. For details, see QAD Financials User Guide.
Stored Search Maintain on Role Level (Entity)
Stored Search Maintain on System Level (Entity)
Stored Search Maintain on User Level (Entity)
Determines if users with this role can save stored searches at the role, system, or user level. For details, see Introduction to QAD Enterprise Applications User Guide.
User – Create (Entity)
User – Delete (Entity)
Determines if users with this role can create or delete a user with User Maintenance (36.3.1). A role must have access to both User Maintenance and these two options to successfully create or delete a user. See Defining Users.
Tax Code – Create
Tax Code – Modify
Tax Code – Delete
Determines if users with this role can create, modify, or delete tax rates with Tax Rate Maintenance (29.4.1). A role must have access to both Tax Rate Maintenance and one of these options to successfully create, modify, or delete tax rates. Tax rates are described in the chapter on Global Tax Management in QAD Global Tax Management User Guide.
gencodegroup:APP (Domain)
gencodegroup:SYSTEM (Domain)
Determines if users can modify generalized code fields belonging to these groups. If the administrator creates other generalized code groups, they are also displayed in this list. Generalized code groups are described in the chapter on Domain Constants in QAD System Administration User Guide.
System-Supplied Roles
During system installation, a number of roles are set up automatically. System Roles Created During Installation lists these roles and their function.

System Roles Created During Installation
 
Role
Description
_EveryOne
This role is only present in systems that were converted from an earlier version of QAD software. It includes all users that were defined in the previous system.
CustomerNotify
Members of this role receive e-mail notification when a new customer record is created with Customer Create so that the operational data can be completed in Customer Data Maintenance (2.1.1).
EmployeeNotify
Members of this role receive e-mail notification when a new employee record is created with Employee Create so that the employee can be defined as a service/support engineer in Engineer Maintenance (11.13.1).
EndUserNotify
Members of this role receive e-mail notification when a new end user record is created with End User Create so that the operational data can be completed in End User Data Maintenance (11.9.1).
SuperUser
This role provides initial access to all menu functions and is typically assigned to users with an administrative role during system implementation.
SupplierNotify
Members of this role receive e-mail notification when a new supplier record is created with Supplier Create so that the operational data can be completed in Supplier Data Maintenance (2.3.1).
The SuperUser role is initially defined to provide permissions for all menu functions loaded in the system. However, this is true only initially. If you add new menu items manually using Menu System Maintenance (36.4.4.1), you must also manually grant users rights to these menu items in Role Permissions Maintain. When you add new domains and entities, you must explicitly grant access to the SuperUser role for members of this role to continue to have access throughout the system.
Note: This is important for certain roles that are used, for example, by daemon processes and require access to all system resources. See Types of Users.
You should define other system roles for special functions such as:
An administrative role specified in Security Control (36.3.24) to receive e‑mail notifications when specific security and controlled events occur.
The .NET User Interface includes some administrative functions that can be assigned to a specific role.
Role Example
A system administrator configures the system to control access to three functions based on each employee’s organizational level. Three types of access to financial functions are required: one for clerks, one for managers, and one for the CFO.
The system administrator creates three roles: Clerk, Manager, and CFO. Sara, the AP Clerk, is assigned to the Clerk role. Don, the AP Manager, is assigned to the Manager and Clerk roles. Jane, the CFO, is assigned all three roles. In this setup, illustrated in Using Roles to Give Access, Jane’s roles grant her entry to all the levels she is authorized to access.

Using Roles to Give Access
Sample Role Setup shows how the system administrator assigns users to each role.

Sample Role Setup
 
Role
User
Clerk
Sara, Don, Jane
Manager
Don, Jane
CFO
Jane
Next, the administrator uses Role Permissions Maintain to assign the appropriate system resources to the relevant roles to determine access to the system resources that each user requires in order to complete their assigned tasks.
When Mark is hired as the new deputy CFO, the system administrator only has to assign Mark to the CFO role in order to give him access to each individual protected financial function.
When a member of the SalesClerk role logs in, the user has access to:
Sales Order Maintenance
Customer View
Customer Credit View
Instead of seeing the entire set of menus, only Customer Management and Financials display. Within these folders, only the selected functions SalesClerk can access display.
Note: Using features of the .NET UI, users can also create their own custom menu display under Favorites.