Access Roles define how users are allowed to interact with JForce. For security purposes, it is imperative that you set up your roles correctly.

When creating an Access Role, the first thing we need to do is give it a name. The name should be descriptive enough that you can remember what type of access it provides.

The picture below shows an example of a good Access Role for a JForce Administrator user. Any user with this role will be able to access JForce, see private objects, assign other users to items, create categories on the fly from the front-end, and View/Create/Edit/Delete any item within JForce. The user is not restricted to any companies, projects, or assignments.

Security Level

The Security Level determines whether or not a user with this role can modify another user's role. Security Level must be an integer value greater than zero. Please note that a Security Level of 1 should only be given to Super Administrators as it will give them access to all roles. The Security Level value is inversely proportional to the level of access that it provides. To put it simply, a Security Level of 5 is higher than a Security Level of 10.

On the front-end, you will be able to modify the Access Role of any Person you can see (from the Person form, Persons list view, Company details view, or Project People view) if your Security Level is higher than that person's Security Level. For example, if User A has a Security Level of 5 and User B has a Security Level of 10, then User A can modify User B's Access Role (assuming User A has the appropriate permissions to view or edit User B).

One exception is that you cannot change your own Access Role, even if your Security Level is 1. If you need to change your own role and you are a Joomla! Administrator (i.e. you have access to the Administrator panel) then you can assign your user to a different role from the Access Role form.

If your Security Level allows you to modify the Access Role of another user, you will only be able to set them to an Access Role that has a Security Level lower than your own. However, if your Security Level is 1 (i.e. you are a Super Administrator) then you can set another user's Access Role to any role in the system.
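The Security Level rules above can be checked against a small model. This is an added example, not JForce's own code; the `Role` class, the function names, and the sample roles are hypothetical, and visibility of the target Person is reduced to a boolean.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Role:
    name: str
    security_level: int  # integer > 0; a smaller number means more authority

    def __post_init__(self):
        if not isinstance(self.security_level, int) or self.security_level < 1:
            raise ValueError("Security Level must be an integer greater than zero")


def can_modify_role(actor_id, actor_role, target_id, target_role, actor_can_see_target=True):
    """May the actor change the target's Access Role from the front-end?"""
    if actor_id == target_id:
        return False  # nobody changes their own role, even at Security Level 1
    if not actor_can_see_target:
        return False  # the Person must be visible to the actor in the first place
    # "Higher" level means a numerically smaller value. The page does not say
    # whether one level-1 user may modify another; the strict rule is applied here.
    return actor_role.security_level < target_role.security_level


def assignable_roles(actor_role, all_roles):
    """Roles the actor may hand out: only those ranked below the actor's own."""
    if actor_role.security_level == 1:
        return list(all_roles)  # Super Administrators may assign any role
    return [r for r in all_roles if r.security_level > actor_role.security_level]


def change_allowed(actor_id, actor_role, target_id, target_role, new_role, all_roles):
    """Full check: the target is modifiable AND the new role is assignable."""
    return (can_modify_role(actor_id, actor_role, target_id, target_role)
            and new_role in assignable_roles(actor_role, all_roles))


# Constructed sample roles (names and levels are illustrative only).
SUPER = Role("Super Administrator", 1)
MANAGER = Role("Manager", 5)
CLIENT = Role("Client", 10)
ROLES = [SUPER, MANAGER, CLIENT]

if __name__ == "__main__":
    print(change_allowed(1, MANAGER, 2, CLIENT, CLIENT, ROLES))   # level 5 edits level 10
    print(change_allowed(1, MANAGER, 2, CLIENT, MANAGER, ROLES))  # cannot grant own level
    print(change_allowed(1, SUPER, 1, SUPER, MANAGER, ROLES))     # cannot edit self
```

The second call is the one to watch when reviewing roles: a user can never promote someone to their own Security Level, so privilege only flows downward unless the actor is at level 1.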

System Access

This setting determines whether or not users with this Access Role can access JForce. A user has to be a JForce user in order to access the system, so this setting will probably be enabled for all of your Access Roles, but it is here if you need to turn it off.

Private Objects

This setting determines whether or not users with this Access Role can see items marked as Private. You will most likely only enable this for users within your own company.

Can Assign

This setting determines whether or not users with this Access Role can assign other JForce users to items. Please note that the "Notify Assignees" checkbox on the forms will be hidden if there are no assignees on the item and the user does not have this setting.

Can Create Categories

This setting determines whether or not users with this Access Role can create new Categories from the front-end using the new Autocompleter functionality. This includes Project Status as it is treated the same as Categories, but with a different name.

Company Only

If this setting is enabled then users with this Access Role will only see:

  • Their own Company
  • People in their own Company
  • Projects that have their own Company listed as the Client
  • Attachments, Comments, Discussions, Documents, Invoices, Milestones, Quotes, Tasks, Tickets, and Time Trackers that are on a Project that has their own Company listed as the Client

Exception: This setting has no effect on Events.

Exception: If Company Only is used in conjunction with Project Only, then Company Only will not take effect for Projects, Attachments, Comments, Discussions, Documents, Invoices, Milestones, Quotes, Tasks, Tickets, or Time Trackers.

Exception: If this setting is enabled then users with this Access Role will NOT be able to Create or Delete companies regardless of their Company Permission Level.

Assignment Only

If this setting is enabled then users with this Access Role will only see items that they are assigned to.

Exception: If Assignment Only is used in conjunction with Project Only, then Assignment Only will not take effect for Attachments, Comments, Discussions, Documents, Invoices, Milestones, Quotes, Tasks, Tickets, or Time Trackers.

Exception: If you are Assignment Only you will still be able to see items that you created.

Events are always treated as Assignment Only.

Project Only

If this setting is enabled then users with this Access Role will only see:

  • Projects that they are assigned to
  • Attachments, Comments, Discussions, Documents, Invoices, Milestones, Quotes, Tasks, Tickets, and Time Trackers on a Project to which they are assigned

Exception: This setting has no effect on Events, People, or Companies.

Exception: If Project Only is used in conjunction with Assignment Only, then Project Only will take precedence and Assignment Only will not be honored for Attachments, Comments, Discussions, Documents, Invoices, Milestones, Quotes, Tasks, Tickets, and Time Trackers.

It is important to note that if Project Only and Assignment Only are both enabled, Assignment Only will still take effect for People and Companies.
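The interaction between Company Only, Assignment Only, and Project Only is easier to audit as a function from item type to the filters that actually apply. The sketch below is an added example, not JForce's own code; the item-type strings, filter names, and function names are hypothetical, and it follows the exceptions exactly as listed in these three sections.

```python
# Model of the scope-flag precedence described above (not JForce code).
PROJECT_ITEMS = {
    "attachment", "comment", "discussion", "document", "invoice",
    "milestone", "quote", "task", "ticket", "time_tracker",
}
KNOWN_TYPES = PROJECT_ITEMS | {"company", "person", "project", "event"}


def effective_filters(item_type, company_only=False, assignment_only=False,
                      project_only=False):
    """Return the set of scope filters enforced for item_type under a role."""
    if item_type not in KNOWN_TYPES:
        raise ValueError(f"unknown item type: {item_type}")
    if item_type == "event":
        # Events ignore Company Only and Project Only and are always
        # treated as Assignment Only, whatever the role says.
        return {"assignment"}

    filters = set()
    in_project_scope = item_type == "project" or item_type in PROJECT_ITEMS

    # Project Only has no effect on People or Companies.
    if project_only and in_project_scope:
        filters.add("project")
    # Project Only switches Company Only off for Projects and project items.
    if company_only and not (project_only and in_project_scope):
        filters.add("company")
    # Project Only overrides Assignment Only for project items; the listed
    # exception does not name Projects themselves, so it still applies there.
    if assignment_only and not (project_only and item_type in PROJECT_ITEMS):
        filters.add("assignment")
    return filters


def passes_assignment(user_id, item):
    """Assignment filter: assignees see the item, and so does its creator."""
    return user_id in item["assignees"] or item["created_by"] == user_id


if __name__ == "__main__":
    for kind in ("company", "person", "project", "task", "event"):
        print(kind, sorted(effective_filters(kind, True, True, True)))
```

Running it with all three flags enabled shows the case most likely to surprise an administrator: project items end up filtered by project membership alone.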

Permission Levels

The available levels are None, View, Create, and Delete. These are treated the same for each item. Note: Create inherits Edit and View access. Delete inherits Create, Edit and View access. Selecting a value from the drop-down list on the top right of a permission level section will quickly change all of the levels in a section to a single value.

Person Example

If your level is set to None for Person, then you will not be able to access any item that divulges information about a Person (i.e. you won't be able to see a person's detail page or the Persons list view, but you would still be able to see that Administrator Bob is on the same Project as you). If you don't have access to People yet you persist in trying to view a person, you will be redirected to /dashboard/error (if you have SEF URLs turned on) and told that your access role does not permit you to view people.

If your level is set to View for Person, then you will be able to view people. Please note that the global settings take effect on top of these, so if you are Company Only and View People, then you will only be able to view People in your Company. If you are Assignment Only and View People, then you will only be able to view People that you have been assigned to or that you created. If you are Project Only and View People, then you will only be able to view People who are assigned to any of the Projects that you are assigned to.

If your level is set to Delete for Person, then you will be able to delete other people. Again, the global settings take effect, so if you are Company Only and Delete Person, then you can only delete people in your Company. It is also important to note that you will only be able to View or Create people in your Company as well since you are Company Only.

Please note that if you set a user's access level for an item to None it may affect other areas of JForce. For example, Time Tracker data is always tied to a Person, so if you do not have access to people then you will also be locked out of Time Tracker.

To give a real world example: If I have a client, who in turn has many employees, then I would assign him to an Access Role with Company Only enabled and Create level for Person. This way my client can only see people within his own company. He can create and manage users for his employees but cannot delete them. I do not have to worry about him seeing People, Companies, or Projects that he is not supposed to.


Assigning Access Roles

A list of JForce users is shown on the top right section of the Access Role form. When you edit an existing role, the names of the JForce users who are currently assigned to that role will be selected in the Users list. You can assign the role to multiple people by selecting their names in the list. If you deselect a user that was assigned to the role and save the form, the user will be given the default role.