Roles and permissions — system and tenant roles built from scoped permission grants

Last updated: July 12, 2026 by Steve

Roles and Permissions

AccessPoint uses granular, tenant-configurable permissions rather than fixed job titles. On this page you build the roles your office uses — Coordinator, Reviewer, and so on — by granting individual permissions from a categorized catalog. This page defines what each role can do; assigning roles to people happens on Manage Users.

Roles and permissions (screenshot placeholder — capture: the Roles & permissions panel with a role selected and its permission grants visible)

Where to Find It

Open Settings from the app toolbar and choose Roles & permissions in the Users & access group.

System Roles vs. Tenant Roles

  • Administrator is the only built-in system role.
  • Every other role — all coordinator-style roles — is defined by you. They are typically seeded from a Configuration Pack and customized afterward.

Building a Role

Element Details
Name and description Both are translatable, so the role reads correctly in each of your tenant's active languages.
Permission grants Grant individual permissions from a categorized permission catalog.
Scope Each grant can be Global or scoped.

Permissions in Practice

Permissions gate what users see and do throughout the product. Examples that appear elsewhere in this documentation:

  • View requestor PII — requestor names, emails, and other personal information are visible only to roles that carry this permission; custodians and contributors work from sanitized instructions without it.
  • RequestorManage — required to edit requestor contacts and institutions.
  • ConfigurationManage — lets a user share saved views tenant-wide and manage shared views.
  • *.configure permissions — some Settings groups (review workflows, privacy incident/assessment/complaint configuration) only appear when you hold the matching configure permission.

Roles and User Assignment

Roles do nothing until they are assigned. Use Manage Users to assign or remove roles per user. A user can hold more than one role — permissions are additive — and a last-admin guard prevents removing the final administrator, so you can never lock yourself out.