
Create Role and Permissions

Overview

You can create assignable roles and permissions according to the member's role.

Purpose

The role and permissions creation feature is used for the following purposes:

  • Access control matched to business duties: You can finely control the range of available features and viewable data according to the department, job type, and assigned tasks.
  • Reduction of information leakage and operational error risks: By reducing the number of members with unnecessary write or delete permissions, you can prevent accidental updates or deletions of important data and viewing of confidential information.
  • Safe delegation of authority to business partners and external partners: You can grant operational authority to external parties such as warehouse contractors or sales agencies, limiting the access range to only the minimum necessary features and data.
  • Centralization of permission management and reduction of operational load: By managing permissions by role instead of by member, you can efficiently grant and revoke permissions when assignments change or transfers occur.
  • Strengthening compliance and internal control: By designing permission levels that satisfy the "principle of least privilege," you can support compliance with audits and security policies.

Feature Description

What are Roles and Permissions?

A "Role" is a configuration feature for specifying Access Scope and Actions (Read / Write) for a member in detail.
When the "System Role" alone provides too wide an access scope, combining roles and permissions allows you to restrict access according to business content as follows:

  • Allow access to only specific features
  • Prohibit editing and allow only viewing
  • Allow viewing and editing only for customer data assigned as a person in charge

In this way, using roles and permissions enables fine-grained data access control for each member.

Members Eligible for Roles and Members Who Can Manage Them

Created roles can be assigned to members whose System Role is "Member" and System Permission is "Write".
This allows you to control the range of accessible data and executable actions for each "Member / Write" member.

Administrative operations such as creating and editing roles can be performed by the following members:

  • Members whose System Role is "Primary Owner"
  • Members whose System Role is "Owner"
  • Members whose System Role is "Member" and System Permission is "Admin"

On-Screen Behavior Due to Permission Settings

Members who are granted only "Read" permission by a role can view data but cannot perform write operations such as creation, editing, or deletion.
Depending on the permission settings, the screen restricts operations: buttons and menus related to writing are hidden or disabled.

Difference from "System Role / System Permission"

"System Role" is a high-level concept that defines the role of the member itself. Unlike the "Role and Permissions" described earlier, it is not a separately registered set of settings that is then assigned to members.
A "System Role" is mainly set to one of the following two values.

  • Owner:
    You can use all features of DEXTRE.
    Note that one of the Owners in the Maker will be a special role called "Primary Owner" as a representative.
  • Member:
    Some DEXTRE features are restricted.
    Currently, restrictions are placed on operations related to contracts.

"System Permission" is likewise defined directly on the member.
It is mainly set to one of the following two values.

  • Admin:
    You can use all features allowed by the "System Role".
    If the System Role is "Owner", the System Permission is fixed to "Admin".
  • Write:
    This is the System Permission for which "Role and Permissions", the main theme of this document, can be configured.
    Unless specifically restricted, it has almost the same operational authority as "Member / Admin" regarding business execution.
    *Some important operations such as "Invite a new member" are restricted.

Instructions

Go to the Operation Screen

Warning: This action can be performed by members with the "Primary Owner", "Owner", or "Member / Admin" roles.

  1. Click Maker Settings > Open Maker Settings on the top left of the screen.
  2. Click Member.
  3. Click Access Control.
  4. Click Create Role and Permissions.
    The "Create Role and Permissions" page opens.

Enter the Form

Basics

  1. Code *Required
    Enter the "Code" to be used primarily as an identifier by the system within DEXTRE.
    Registration with half-width alphanumeric characters and symbols is recommended.
    Note that a code that duplicates another role cannot be registered.
  2. Role Name *Required
    Enter the Role Name.
  3. Description *Optional
    You can enter a Description of the role.

Role Settings

Currently, there are no configurable items. It is planned to be expanded in a future release.

Permission Settings

Set the combination of "Access Scope" and "Actions" for each target resource.

  1. Expand resources to configure

    • Expand All: Expands details for all resources.
    • Expand only some resources: Click ">" on the right side of each resource to expand details.
  2. Access Scope
    Select one of the following two via radio buttons.

    • All: Operational permissions targeting the entire range are set.

    • Member's Assigned Customer Buyers:
      Operational permissions targeting only the buyers assigned to the member are set.

      *Depending on the resource, only "All" may be displayed, and "Member's Assigned Customer Buyers" may not be displayed.

  3. Actions
    Select one of the following two via radio buttons.

    • Read Only: You can only view data for resources within the access scope.
    • Read / Write:
      You can view and write data for resources within the access scope.
      "Write" refers to general data writing operations such as creating, editing, and deleting data.

Info: Checking the Select All Permissions checkbox sets the following combination for all resources.

  • Access Scope: All
  • Actions: Read / Write

Also, checking the checkbox to the left of each resource name sets the following combination for each corresponding resource.

  • Access Scope: All
  • Actions: Read / Write

Example of "Access Scope" and "Actions" combinations

Allowed operations are highlighted depending on the combination of permissions.

  1. Permission for "Read / Write" operations on the entire range of the target resource

    • Access Scope: All
    • Actions: Read / Write
  2. Permission for "Read Only" operations on the entire range of the target resource

    • Access Scope: All
    • Actions: Read Only
  3. Permission for "Read / Write" operations limited to data within the "Member's Assigned Customer Buyers" access scope

    • Access Scope: Member's Assigned Customer Buyers
    • Actions: Read / Write

Execute the Operation

When various settings are complete, click Create.

If creation is successful, the created role will be displayed in the "Role and Permissions" list.
If an error is displayed, check whether the code duplicates the code of another role.

Important Notes

Please note the following when using the feature to create roles and permissions.

Members with permission to create roles

Only members with the System Role of "Primary Owner" or "Owner", or the System Permission of "Admin", can create roles and permissions.

Target and behavior of role application

Created roles can be granted to users whose System Role is "Member" and System Permission is "Write".
Members granted a role will not be able to view or operate resources other than those "Allowed" within the role.

*Please note that if you forget to include permissions for necessary resources, you may not be able to view the data necessary for your business.

Codes that duplicate registered codes cannot be used

Since the "Code" serves as an identifier for the entire system, you cannot register the same code as an existing role.
Please set a unique half-width alphanumeric string that is easy to manage.

About "Expand All" and bulk check function

Using "Select Expand All" or the checkbox next to each resource automatically sets "Access Scope: All" and "Actions: Read / Write".

Please be sure to check the contents after bulk setting so as not to unintentionally grant excessive permissions.

Limitations on Access Scope

In "Access Scope", the option "Member's Assigned Customer Buyers" is only selectable for some resources linked to buyer information, such as "Customer Buyer", "Order", and "Delivery Note".
For other resources, only "All" is selectable.
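
The rules in "Target and behavior of role application" and the bulk-check caution above can be modeled as follows. This is an added example, not DEXTRE code or an export format: the dict layout, function names, and the sample role are assumptions, and the set of buyer-linked resources holds only the three the page names.

```python
# Added illustration: an in-memory model of the permission rules described on
# this page. The dict layout and function names are assumptions, not a DEXTRE
# export format or API.

ALL = "All"
ASSIGNED = "Member's Assigned Customer Buyers"
READ_ONLY = "Read Only"
READ_WRITE = "Read / Write"

# Resources the page names as offering the narrower scope (the page says
# "such as", so the real list may be longer).
BUYER_SCOPED = {"Customer Buyer", "Order", "Delivery Note"}

def is_allowed(role, resource, action, buyer=None, assigned_buyers=()):
    """Decide a request for a "Member / Write" member holding `role`.

    action is "read" or "write" (create, edit and delete all count as write).
    """
    grant = role["permissions"].get(resource)
    if grant is None:
        return False  # resource not allowed in the role: no view, no operation
    if action == "write" and grant["actions"] != READ_WRITE:
        return False  # a Read Only grant never permits writes
    if grant["scope"] == ASSIGNED:
        return buyer in assigned_buyers  # only the member's assigned buyers
    return True  # scope "All"

def overbroad_grants(role):
    """List grants a reviewer should re-check after a bulk check.

    Flags "All" + "Read / Write" on resources where the narrower
    assigned-buyers scope is available.
    """
    return sorted(
        res for res, g in role["permissions"].items()
        if g["scope"] == ALL and g["actions"] == READ_WRITE and res in BUYER_SCOPED
    )

# Constructed sample role for an external sales agency.
SAMPLE_ROLE = {
    "code": "sales-agency-01",
    "permissions": {
        "Order": {"scope": ASSIGNED, "actions": READ_WRITE},
        "Customer Buyer": {"scope": ASSIGNED, "actions": READ_ONLY},
        "Delivery Note": {"scope": ALL, "actions": READ_WRITE},  # bulk-checked
    },
}
```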

About the limit on the number of creations

A maximum of 5 roles can be created.
You cannot create a new role once the limit has been reached.
Please delete unnecessary roles or edit and reuse existing roles.

*Please note that if you edit an existing role, it will be immediately reflected in the permissions of all members to whom that role is granted.