General description of access permissions
This group has full configuration and record access permission for the system. Admin users can see and do everything that is possible in the system. The number of admin users should be as small as possible. Admin users generally should not be deleted.
|Admin Import||Power User||This group is a copy of the Admin group that has additional create permissions specifically for importing. Admin Import users generally should not be deleted.|
|Adobe Sign User||Power User||This group, along with the Admin and Business Admin groups, is the only group that can see and work with Adobe Sign elements, such as the Adobe Sign Envelope and Adobe Sign Recipient by default. This group can create, edit, delete, import, export, or copy records they own in any of the AdobeSign tables.|
This group sets up unregistered users with the ability to edit records. Unregistered users can click on a hyperlink in an outbound email to edit records if they are given the Anonymous user distinction. If all your users have user records in the system, you do not need this group. As a power user, the Anonymous user uses an assigned or floating license. Anonymous users generally should not be deleted.
This group contains people who can approve either Contracts, Change Requests, or both. Approvers primarily interact with their own Approval records, but they can also edit Approval records assigned to their team, and view related records. They can also view and edit Contracts and Change Requests for which they are an approver, and can view tables related to approving Contracts such as Approvals, Approval Templates, and Companies.
Can view and edit own Sourcing Events; can edit other Sourcing Events where they are the Sourcing Event Owner/Requester/Selection Approver, have tasks assigned to them, or are one of the Approvers or assigned to no one and on approval team; can view other when Department matches, have tasks assigned to them, or are one of the Approvers or assigned to no one and on approval team.
Base Service Desk
This group uses the same base permissions as the highly privileged groups who work with Service Desk tables. Users in those privileged groups should also be in the Base Service desk group. All IT Staff should belong to this group, as well as any additional groups for special permissions.
This group has full create and edit access to all the records in the Support Case, Service Request, Incident, Problem, and Task tables, and create and edit access to Change Request and Time Entry records that they own. These users have full view access of the Asset, Service, Company, and Employee tables, can edit their own Employee records, but does not have any other create or edit access in those tables. It can create and edit End Users records. It cannot delete records.
|Budget Manager||Power User||Person responsible for reviewing and entering contract and sourcing budgets.|
|Business Admin||Power User||This group is for business administrators who can view or edit all records in all tables. Business Admin users generally should not be deleted.|
This group is responsible for management of Change Request records and has full privileges on the Change Request table. Members can create, edit, and delete records in this table and are typically users with Change Manager or Change Owner roles. They can also create task and approval workflows for Change Requests, and can edit Change Request related services.
This group has full control over records in the Asset and Model tables. People responsible for working on and configuring Asset records, managing asset resources, or other similar projects, are typically in this group. They might also be added to the Service Manager group if they are responsible for setting up change request workflows or services related to assets.
|Contract Creator||End User||This is a read/request group that can create contracts and view them.|
This group has full control over records in the Contract, Approval, Approval Templates, Approval Workflow, and Company tables. They also have limited access to the End User and Employee tables. They are responsible for creating, editing, and approving contracts for customers or the company.
This group has similar permissions to the Contract Managers group. Members are responsible for and have full permission of Contracts where they are the Internal Contract Owner, but can also view Contracts that they did not create or were not assigned to.
|Contract Requester||Power User||This group is for internal employees who can create and edit their own contracts as power users. They can also view all contracts, see dashboards and reports, and interact with the contract system.|
This group is used for end user customers, who can submit and view their own support cases. This group is generally only used when providing external customer support.
This group is used so Customer Managers can view all support cases for their own company. Similar to the Customer group, the Customer Manager group is generally only used for providing external customer support.
This group can create, edit, and export their own Document records. However, they cannot view the Document records of others.
This group has nearly full control of all records in the Documents table. However, they do not have the ability to modify the Status field of a Document record manually.
This group can edit Approval records where they are the Approver. They can also view all records in the Document table.
|DocuSign User||Power User||This group, along with the Admin and Business Admin groups, is the only group that can see and work with DocuSign elements, such as the DocuSign Envelope and DocuSign Recipient tables, by default. This group can create, edit, delete, import, export, or copy records that they own in any of the DocuSign tables.|
This group is assigned to external users who can click on a hyperlink in an outbound email that allows them to create new requests, such as leads, users, or incidents, in the system without needing to access the rest of the End User Interface. Guest users generally should not be deleted.
This group is for customers in the Employee table who can create Service Requests and Purchase Requests, report Incidents, as well as see their own Asset records. This group can also edit some of their profile information, view other employee contact information, and may also have access to the Knowledge Articles table.
|Internal Vendor Manager||Power User||Employee with full control over Vendor Profiles and companies who manages the vendor onboarding process.|
|Legal||Power User||Members of the legal team handling legal requests and matters if matter management is used.|
|Legal Requester||End User||This is a read/request user who can submit legal requests for help from the legal team and view some matters.|
This group is responsible for coordinating and recording information about marketing campaigns and providing quotes to prospective customers. They have full access to the Campaign, Company, Lead, Opportunity, and Product tables. They also have limited access to the Product Quoted, Quote, Task, Team, Time Entry, People: External User, and People: Employee tables.
This group is responsible for managing the Purchase Request, Item, and Item Requested tables. They can also view and edit all records in the Company Document table.
|Project Manager||Power User||This group has full control over Project, Task, and Task Template records that are related to their project. They can also create records and edit others' records in the Asset, Billing, and Billing.SR Time Entry tables.|
Can view all Sourcing Events, Responses, and Response Evaluations for Sourcing Events in which they're a named Evaluator. Can view and edit their own Response Evaluations; can view other Response Evaluations when they’re on the Sourcing Event’s Selection Committee, and Evaluation Status = Complete or Evaluation Type = Consensus.
This group is responsible for recording sales efforts for specific companies, as well as the Purchase Order records that are created. This group can also create and update Support Case records for the companies they represent. They have full control over records in the Company, Contract, Lead, Opportunity, and PO tables. They also have partial access to records in the Campaign, Product, Product Quoted, Project, Quote, Support Case, Task, Team, Time Entry, People: End User tables.
|Self-Registered Vendor||End user||When a Person record is created for a new vendor going through onboarding, they are assigned this Group until the vendor is approved. This Group has limited permissions.|
This group has full control over records in the Service, Task, Task Step, Task Template, and Task Workflow tables. Besides Admins and Business Admins, Service Managers are the only group that can create new Services.
Sourcing Event Creator
Internal user who can request and view/edit their own Sourcing Events; can view other Sourcing Events when Department matches their Department. Has view-only access to Contracts – same visibility as Contract Creator.
Sourcing Event Manager
|Full control over Sourcing Events, Sourcing Event Approvals, Sourcing Event Tasks, Responses and conversion to Contracts.|
Sourcing Event Requester
|Internal user who can request and view/edit their own Sourcing Events; can view other Sourcing Events when Department matches their Department. Has view-only access to Contracts – , the same visibility as Contract Requester. ( If they should also be able to create contracts, members should be added to the Contract Requester group.)|
This group is used to categorize for people at vendor companies that can use the vendor portal. This group can create, edit, and view their own Company Document records, edit and view their own Company records, and view their own Contract records. Vendor users can also submit Responses to Sourcing Events. Can view only those Solicitations in Pending Response status that they’ve been invited to or Publicity Level is Open; can view their own Responses but only allowed to edit while status is In Progress (Draft, Invited or Interested); can view others without seeing competitor information if the Sourcing Event bidding type is Open. Can view Attachments that are Publication Level = Public for Sourcing Events whose Publicity Level is Open, or are Invite Only and VEnd
|Vendor Lead||End User||This is the designated main contact for a vendor who can edit user records at their company, locations, and other information.|
Access Group Permissions
To access and print group permissions in the system:
- Go to Setup > Access > Manage Groups.
- Edit a group.
- Select the Tables tab.
- Click Access to sort the Access column with Yes at the top.
- Click the box to the left of Edit in the header row, and click Select all found records.
- Hover over the printer icon and choose Print/Download Table View.
This produces a printout showing the basic Record permissions for each table. You can copy/paste the page contents into a text editor in order to document system permissions for each group, or group permissions for each system.