LESSON INFO

Audience

  • System administrators responsible for managing access in Themis-Trace.
  • Implementation/support team members who need to create or maintain roles.

Prerequisites

  • You can log in to Themis-Trace.
  • You have access to:
    • Administration → Security Profile → Roles

Skills you’ll build

  • You can create and maintain reusable roles.
  • You can activate/inactivate roles and understand when Delete may fail.

LESSON OUTLINE

Concept

  • What a Role is
    • A Role is a reusable bundle of permissions.
    • In practice, roles are how you define what a user can do.
  • How Roles are applied
    • Roles are typically granted to users through Groups.
    • Create roles to keep permissions consistent across many users.
  • Lifecycle management
    • Create records with New.
    • Toggle access with Activate / Deactivate.
    • Use Delete for removal (note: delete can fail if the record is referenced elsewhere).

Walkthroughs

  • Create a new role (with permissions)

    1. Navigate to Administration → Security Profile → Roles.
    2. Click New.
    3. Enter a unique Role Name.
      • Use a name that describes what the role enables (for example, Shipping Order Viewer or Schedule Item Editor).
    4. Select permissions for the role.
      • In the role’s Permissions section/tab, choose the smallest set of permissions needed (principle of least privilege).
      • Start with the end goal: What does this person need to do? Then, grant only the permissions required to complete that task.
      • Use the Viewer / Editor / Creator pattern:
        • Viewer: can open the screen and view records.
        • Editor: can modify existing records.
        • Creator: can create new records (and often implies Editor).
      • Prefer a single role per “job” (for example, Shipping Order Viewer) instead of one mega-role with unrelated permissions.
      • Avoid granting admin/system permissions unless the user truly needs them (for example, anything under Administration).
      • Validation rule: after saving the role and assigning it to a group, log in as a test user and confirm:
        • The user can complete the intended task.
        • The user cannot see or do unrelated actions.
    5. Click Save or Save & Close.
    6. Confirm the new role appears in the Roles grid and is Active.

  • Apply the role

    A role will not affect anyone until it is assigned to a group.

    1. Navigate to Administration → Security Profile → Groups.
    2. Create a new group (or open an existing group).
    3. In the Roles tab, add the role you created.
      • If you see separate sections for Actions and Data Access, configure both as needed.
    4. In the Users tab, add the user(s) who should receive this access.
    5. Save.
    6. Validate (recommended): log in as a user in the group and confirm the expected menus/actions are available.

  • Activate / Inactivate / Delete roles

    1. Navigate to Administration → Security Profile → Roles.
    2. Select one or more roles using the row checkbox.
    3. Choose the action you need:
      • Activate to enable.
      • Inactivate to disable.
      • Delete to remove.
    4. Confirm the prompt (the dialog should show how many records will be affected).
    5. Confirm the grid refreshes and the change is reflected.

COMMON QUESTIONS

    • Likely cause

      • The record is referenced by other records.

    • Fix

      • Inactivate the record instead, or remove references before retrying Delete.