Users and Roles

Users and Roles

Users and Roles are managed on the ‘Organization Settings’ page, accessed through the action menu in the top-right corner of the screen (three vertical dots):

You will only see this menu action if you have appropriate permissions in your roles. By default, only the ‘SuperUser’ role will get access, but you can assign admin rights to any role.

On the left-hand side of the screen you find a menu that takes you to the different pages in the organization settings. We will cover the Users and Roles pages in this document.

Users

The ‘Users’ page lists all users that currently have access to your organization. You can modify the settings for a User by clicking on the row. This will open the ‘Manage User’ modal where role assignment (see below) can be changed, two-factor authentication enabled and so forth.

New users can be added by clicking on the ‘+’ button to the right above the table. You need to fill-in the user’s email and should assign at least one role to make the account useful. When clicking on ‘Send Invite’ the user will receive an invite email with a link to sign-up.

Roles and Permissions

Access to the different parts of the Control Center is managed through Roles. Each user must have at least one role. When a new organization is created, two default roles are created:

• Crosser Standard User - This role is intended for regular users that will design and deploy Flows, but not manage users and other administrative tasks. Even though it can be modified we recommend leaving this role as is, so that it can be used as a starting point for your custom roles.

• SuperUser - This is a special role without any limitations. Users with this role can circumvent any limitations applied through other roles. It is fixed and cannot be modified. The organization owner, assigned when the organization is created by Crosser, will get this role.
  If you don’t need granular access control, use this role for users that need to manage other users. For more controlled access we recommend creating dedicated roles for admin users. At least one user should have this role, as a last resort when you need to overcome limitations imposed by other roles, e.g. accessing private Flows belonging to a user that no longer exists.
  Note that the SuperUser role is required when assigning labels to Nodes.

You can create any number of custom roles, to meet your specific requirements.

As a first step when creating a role you need to define permissions to the different features in the system:

For each of the above features you can specify the type of access (View/Create/Update/Delete)  the role should give, by filling out the permission matrix:

When creating a new role you can either start with a blank role and add the permissions you want, or you can use an existing role as a starting point using the ‘Import from Role’ button.

In addition to the View/Create/Update/Delete permissions, some features have additional permissions that you set by clicking in the ‘Additional’ column.

You can check/uncheck all boxes on a row or in a column by clicking on the corresponding headers. Note that also ‘additional’ permissions will be affected when clicking on a row header.

Additional Nodes permissions

• Remote Session - Test Flows in remote sessions inside the Flow Studio.

• Flow Management - Manage Flows on Nodes (Deploy/Undeploy/Start/Stop/Sync).

Additional Universal Connector permissions

• Publish - Publish Universal Connectors, so that they can be used in Flows.

Additional Users permissions

• Assign Roles - Assign Roles to Users.

Access control through Categories

In addition to the feature-level permissions described above, it is also possible to limit access to specific instances of user created Flows, Resources and Credentials by using Categories.

On the Flows, Resources and Credentials pages you can organize created items by creating categories and subcategories and then place your items in these categories.

Once categories have been created you can use them to limit access by specifying which categories a given Role should have access to. By default all users can access all categories.

Category restrictions are specified in the Role configuration modal by clicking in the ‘Restricted To’ column on the type of items you want to restrict. You can have separate restrictions for Flows, Resources and Credentials. The picture below shows some restrictions on Flows. A user with this role will only see Flows in the ‘Line 1’ category. Categories the user doesn’t have access to will not be visible either.

Node access control through Labels

Access to Nodes is also controlled through Roles, but instead of categories, labels are used to select Nodes. The Labels a user role has access to is specified in the same way as selecting categories, using the slide-in panel in the ‘Edit Role’ modal. A role can give access to multiple labels.

Note: Only users with the SuperUser role can assign labels to Nodes.

A word of caution

The Control Center has a very flexible permission/access control system that lets you create roles that will give each user the access they need, but not more. However, with great flexibility also comes the risk of creating roles that don't make sense, or even won’t work. Below are some guidelines to help you avoid some of these pitfalls:

• Any role with ‘Create’ permission should also have ‘View’, ‘Update’ and ‘Delete’.

Example roles

Here are some examples of roles that could be useful.

Note: A user can have multiple roles.

Organization Administrator

This role is intended for users that need to manage users and access, but not design and deploy Flows:

Read Only User

A role for users that only need to view, but not change anything: