Using Passfort

Create, edit, and delete roles

Roles control what users can see and do on your account. They can be applied to individual users or to all members of a team.

Each role includes a set of permissions. Permissions provide the user or team members with different levels of access to areas of the product. Learn more about individual permissions.

Here's an example of the kind of roles you might have on your account:

  1. Compliance officer: Providing full access to all profiles and product applications but no access to the Billing section.

  2. Institution admin: Providing full access to the Billing section but no access to profiles and product applications.

To create, edit, and delete user roles, you must have Read and write access for the Manage roles permission. If you don’t have access and you think you should, contact the administrator of your account.

Create a role

  1. Go to User Management > Roles.

  2. Select New role. The Add new role page is displayed.

  3. Write the role's name in the Role name field.

  4. To provide a short description of the role, write it in the Role description field. If you leave this field blank, the description is displayed as No description provided.

  5. To add permissions to the role, select a permission to expand it, then select the type of access you’d like to enable, for example, Read-only or Read and write. By default, no permissions are granted. Learn what users can do with each permission.

  6. Select Add new role. The role is displayed in the list of roles to the left. If you have Read and write access for the Manage users permission, you can assign the role to users and team members.

Edit a role

  1. Go to User Management > Roles.

  2. Select the role you’d like to edit.

  3. To change the name, update the Role name field.

  4. To change the description, update the Role description field.

  5. To change permissions, select a permission to expand it, then select the type of access you’d like to enable, for example, Read-only or Read and write. Learn what users can do with each permission.

  6. Select Save changes. The role is updated. If you modified the permissions, users and team members see the changes immediately.

If a user or team member doesn’t see changes to their permissions, ask them to refresh their browser.

Delete a role

Roles can only be deleted if they're not assigned to any users.

  1. Go to User Management > Users and remove the role from all users who have it assigned to them.

    The number of users with the role assigned to them is displayed next to the role’s name in the Roles section. This must be displayed as 0 users before the role can be deleted.

  2. Go to User Management > Roles and select the role you’d like to delete.

  3. Select Delete role. A confirmation dialog is displayed.

  4. Select Delete role. The role is removed from the list of roles and can no longer be assigned to users.

If the Delete role button is disabled, one or more users have the role assigned. Remove the role from the users, then repeat the steps to delete the role.

What permissions can users have?

Permissions provide the user or team members with different levels of access to areas of the product.

The access types are:

  • No access: The user or team members cannot see the area of the product at all.

  • Read-only: Limited access to the area of the product.

  • Read and write: Full access to the area of the product.

What users and team members can do with read-only and read and write access is different for each permission.

Product applications

Access for the Product application permission is assigned per product:

  • No access: Profiles with applications for this product only are not displayed.

    If No access is assigned for all products, the Profiles tabs are not displayed.

  • Read-only:

    • See all profiles with applications for this product.

    • Add files and comments to profile conversations.

    • See tasks and check results.

    • Add files and notes to task notes.

    • Assign product applications to users and teams.

  • Read and write:

    • Add new applications for the specified product.

    • Approve/reject/cancel applications.

    • Create and apply decision reasons.

    • Pass/fail/incomplete tasks.

    • Run checks.

    • Edit applicant profiles.

    • Plus, all permissions that are assigned to users with Read-only access.

    Warning

    What if a profile has multiple product applications and a user only has access to one of them?

    If a user has Read-only or Read and write access to any of the profile's product applications, the user can see all of the profile's applications and associated tasks as well as the full history of all product applications in the audit report. However, the user may not be able to see tasks and cannot take action on the product application or tasks, such as approve/reject the application, pass/fail tasks, or run checks.

Reports

All reports
  • No access: The Reports tab is not displayed.

  • Read-only: See reports for Applications, Tasks, and Checks.

Export data
  • No access: The button to export report data from the Applications overview section is disabled.

  • Read-only: Export report data from Applications and Checks reports. Note that to do this, you also need Read-only access for the All reports permission because this is what enables you to see the reports.

Smart policies

  • No access: The Policy Builder tab is not displayed.

  • Read-only: See all smart policies.

User management

Manage users
  • No access: The Manage users section is not displayed on the User Management tab.

  • Read-only: See all users on your account, along with their personal details and user roles.

  • Read and write:

    • Add/deactivate users.

    • Edit user details.

    • Assign roles to users and teams.

    • Reset user passwords.

    • Plus, all permissions that are assigned to users with Read-only access.

Manage roles
  • No access: The Manage roles section is not displayed on the User Management tab.

    If No access is assigned for Manage users and Manage roles, the User Management tab is not displayed.

  • Read-only: See all roles for your account.

  • Read and write:

    • Create/edit/delete user roles.

    • Plus, all permissions that are assigned to users with Read-only access.

Billing

  • No access: The Billing and Payment Info options are not displayed on the Manage account menu.

  • Read and write:

    • Top up your account.

    • Add/update the payment card used to top up your account.

Developer tools

Master API key
  • No access: The API key section is not displayed on the Manage account menu.

  • Read-only: Get the key(s) used to make calls to the Passfort API.

  • Read and write: Issue/revoke API keys.

Webhook config
  • No access: The Webhook config section is not displayed on the Manage account menu.

  • Read and write: Configure/edit webhooks.

IP allow list
  • No access: The IP allow listing section is not displayed on the User Management tab.

  • Read-only: See all IP addresses on the allow list.

  • Read and write:

    • Enable/disable IP allow listing.

    • Add/remove IP addresses and ranges.

    • Edit descriptions for IP addresses and ranges.

Data protection

Permanently delete profiles
  • No access: The Delete this profile option is not displayed on profiles.

  • Read and write: Permanently delete profiles using the Delete this profile option. Deleting profiles is a permanent action and the profile cannot be recovered. We recommend only enabling this option for users who need to delete profiles to meet GDPR requirements. For profiles that may be needed at a later date, we recommend rejecting or canceling the application, which removes it from the Profiles tab.

To permanently delete a profile, the user must also have Read-only or Read and write access for the profile's product for the Product applications permission.

Permanently delete files
  • No access: The Delete file option is not displayed for profile files.

  • Read and write: Permanently delete profile files using the Delete file option. These files will be inaccessible and will not be recoverable via the Portal or the API. We recommend only enabling this option for users who need to delete files to meet GDPR requirements.
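
The cross-permission rules in this reference (Export data depends on All reports, permanent profile deletion depends on product access, and access to one product application exposes the whole profile) can be checked offline during an access review. The sketch below is an added example, not Passfort code or its API: the role dictionary layout, key names, product names and every role other than the two named in this article are assumptions constructed for illustration.

```python
# Added example, not Passfort code. Role layout, key names and products are assumptions.
NONE, READ, WRITE = 0, 1, 2  # No access, Read-only, Read and write

def product_level(role, product):
    return role.get("products", {}).get(product, NONE)

def can_export_reports(role):
    # Export data is only usable when All reports is at least Read-only.
    return role.get("export_data", NONE) >= READ and role.get("all_reports", NONE) >= READ

def can_delete_profile(role, product):
    # Permanent deletion also needs Read-only or better on the profile's product.
    return role.get("delete_profiles", NONE) == WRITE and product_level(role, product) >= READ

def profile_access(role, profile_products):
    """Per application on one profile: 'decide', 'view' or 'hidden'."""
    # Access to any one application makes every application on the profile visible.
    visible = any(product_level(role, p) >= READ for p in profile_products)
    return {p: "decide" if product_level(role, p) == WRITE
            else "view" if visible else "hidden" for p in profile_products}

def review(name, role):
    """Findings an access reviewer would want raised for one role."""
    out = []
    has_product = any(v >= READ for v in role.get("products", {}).values())
    if role.get("export_data", NONE) >= READ and not can_export_reports(role):
        out.append(f"{name}: Export data granted without All reports, so export is unusable")
    if role.get("delete_profiles", NONE) == WRITE and not has_product:
        out.append(f"{name}: Permanently delete profiles granted without product access")
    if role.get("manage_roles", NONE) == WRITE and role.get("manage_users", NONE) == WRITE:
        out.append(f"{name}: can both define roles and assign them to users")
    if role.get("master_api_key", NONE) >= READ:
        out.append(f"{name}: can read the API key(s)")
    if WRITE in (role.get("delete_profiles", NONE), role.get("delete_files", NONE)):
        out.append(f"{name}: can perform unrecoverable deletions")
    return out

ROLES = {  # constructed sample roles; the first two follow this article's examples
    "Compliance officer": {"products": {"product_a": WRITE, "product_b": WRITE},
                           "all_reports": READ, "export_data": READ, "billing": NONE},
    "Institution admin": {"billing": WRITE},
    "GDPR handler": {"products": {"product_a": READ}, "delete_profiles": WRITE},
    "Account owner": {"manage_users": WRITE, "manage_roles": WRITE,
                      "export_data": READ, "master_api_key": READ},
}

if __name__ == "__main__":
    for n, r in ROLES.items():
        print("\n".join(review(n, r) or [f"{n}: no findings"]))
```
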