Access and Permissions

Understanding User Access and Permissions

This guide explains how user access and permissions work in our platform. It’s intended for customer administrators and anyone managing user profiles or access rights within your organization.


Why Access Control Matters

Our access control system ensures that:
  • Each user only sees and edits what they’re allowed to.
  • Sensitive data (e.g. financials, allocations) is protected.
  • Administrators have tools to manage users efficiently and securely.


Core Building Blocks

We use a profile-based access control model, structured like this:

1. Rights

These are individual permissions such as:
  • View project details
  • Edit employee profiles
  • Approve resourcing requests
Users don’t get rights directly - instead, they’re bundled into profiles.


2. Profiles

A profile is a predefined set of rights (permissions).
For example, a “Line Manager” profile might include:
  • View and edit projects
  • View team members
  • Edit resourcing data


3. Authorization Groups

These are used to manage users in bulk.
  • You assign profiles to a group, and then add users to that group.
  • This helps you easily give multiple people the same level of access.


Global vs Contextual Profiles

There are two types of profiles:

Global profiles

  • Apply across the whole system.
  • Example: A user with a global “Viewer” profile can see all projects and people (if viewer access is granted).

Contextual profiles

In addition to global profiles, our access model supports contextual profiles that dynamically filter access based on relationships, organizational structure, or custom logic.
  • Limited to a specific part of your organization.
  • Example: An “Organization Manager” profile limited to the organization node at hand.

Important Limitation: You cannot assign permissions for a specific project or single object. For example:
  • "Alice can view Project A, but not Project B" is not supported.
  • "Alice can view all projects in a specific organization node" is supported.

How Context Profiles Work

When checking access to an object (e.g., User, Project, Customer, etc.), we use the right module for that domain to interpret special profile names such as:

Context Profile: Description
  • Anyone: Grants access to everyone
  • Self: Grants access to the user’s own record
  • Colleague: Grants access to users in the same organization subtree
  • Project member: Grants access if the user is part of the project
  • Project manager: Grants access if the user is the project lead
  • Assisting project manager: Grants access if the user holds a special profile defined in config
  • Program manager: Grants access if the user is leading the associated program
  • Supervisor: Grants access to subordinates in the user hierarchy
  • Node admin/manager/member: Grants access based on organization nodes where the user is a node lead


How Access is Assigned

  • Add people to a specific Authorization Group
  • Automatically based on the context


Can You Mix and Match?

You can:
  • Assign multiple profiles to the same group
  • Add a user to multiple groups
  • Limit profiles to organization nodes or customer units
You cannot:
  • Customize profiles per customer or user
  • Give one-off permissions to a specific item (like a single project)
  • Edit individual rights within a profile
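
A minimal model of the structure described above (rights bundled into profiles, profiles assigned to authorization groups, optionally limited to an organization node), added here as an illustration and not the platform's own code. All names and sample data are constructed, and inheriting a node-limited profile down the organization subtree is an assumption.

```python
from dataclasses import dataclass
from typing import Optional

# Constructed sample data; every name below is an assumption for illustration.
PROFILES = {  # profile -> the rights bundled into it
    "Viewer": {"view_project"},
    "Line Manager": {"view_project", "edit_project", "edit_resourcing"},
}
ORG_PARENT = {"Nordics": "Root", "Sweden": "Nordics", "Finland": "Nordics", "DACH": "Root"}
PROJECT_NODE = {"Project A": "Sweden", "Project B": "Sweden", "Project C": "DACH"}

@dataclass(frozen=True)
class Grant:
    profile: str
    node: Optional[str] = None  # None = global; otherwise limited to this org node

GROUPS = {  # authorization group -> profiles assigned to it
    "Full access read-only": [Grant("Viewer")],
    "Nordic PMs": [Grant("Line Manager", node="Nordics")],
}
MEMBERS = {"alice": ["Nordic PMs"], "bob": ["Full access read-only", "Nordic PMs"], "carol": []}

def in_subtree(node, root):
    """True if node is root or sits below it (subtree inheritance is assumed)."""
    while node is not None:
        if node == root:
            return True
        node = ORG_PARENT.get(node)
    return False

def effective_grants(user):
    """A user receives all profiles from all groups they belong to."""
    return [g for group in MEMBERS.get(user, []) for g in GROUPS[group]]

def can(user, right, project):
    """Deny by default; allow when a grant holds the right and covers the project's node."""
    node = PROJECT_NODE[project]
    return any(
        right in PROFILES[g.profile] and (g.node is None or in_subtree(node, g.node))
        for g in effective_grants(user)
    )

def access_report(user, right):
    """Audit helper: the projects on which the user can exercise the right."""
    return sorted(p for p in PROJECT_NODE if can(user, right, p))

if __name__ == "__main__":
    print(access_report("alice", "view_project"))
```

Because a grant can only be narrowed to an organization node, Project A and Project B (both under the same node) always appear together in a user's report, which is the limitation stated earlier. Running such a report per user is also a quick way to review what a group membership change would expose before making it.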


Who Can Manage Access?

By default:
  • Customer Admins can manage user access within their organization.
  • They can:
      • Add/remove users
      • Assign profiles through groups
      • View who has access to what


Tips for Successful Access Management

  • Use descriptive group names like Nordic PMs or HR Viewers.
  • Keep access as simple as possible — fewer profiles and groups = easier maintenance.
  • Use the "Full access read-only" group to grant wide visibility to trusted users.


Common Questions

Can I give someone access to only one project?

→ No, access is always defined at the profile/group/context level. You can limit by department or node, but not a specific project.

Can I request a custom profile?

→ At this time, all profiles are defined centrally. If you have a suggestion, feel free to contact our support.

Can someone belong to multiple groups?

→ Yes! A user will receive all profiles from all groups they belong to.