Roles and permissions — system and tenant roles built from scoped permission grants
Last updated: July 12, 2026 by Steve
Roles and Permissions
AccessPoint uses granular, tenant-configurable permissions rather than fixed job titles. On this page you build the roles your office uses — Coordinator, Reviewer, and so on — by granting individual permissions from a categorized catalog. This page defines what each role can do; assigning roles to people happens on Manage Users.
(screenshot placeholder — capture: the Roles & permissions panel with a role selected and its permission grants visible)
Where to Find It
Open Settings from the app toolbar and choose Roles & permissions in the Users & access group.
System Roles vs. Tenant Roles
- Administrator is the only built-in system role.
- Every other role — all coordinator-style roles — is defined by you. They are typically seeded from a Configuration Pack and customized afterward.
Building a Role
| Element | Details |
|---|---|
| Name and description | Both are translatable, so the role reads correctly in each of your tenant's active languages. |
| Permission grants | Grant individual permissions from a categorized permission catalog. |
| Scope | Each grant can be Global or scoped. |
Permissions in Practice
Permissions gate what users see and do throughout the product. Examples that appear elsewhere in this documentation:
- View requestor PII — requestor names, emails, and other personal information are visible only to roles that carry this permission; custodians and contributors work from sanitized instructions without it.
- RequestorManage — required to edit requestor contacts and institutions.
- ConfigurationManage — lets a user share saved views tenant-wide and manage shared views.
*.configurepermissions — some Settings groups (review workflows, privacy incident/assessment/complaint configuration) only appear when you hold the matching configure permission.
Roles and User Assignment
Roles do nothing until they are assigned. Use Manage Users to assign or remove roles per user. A user can hold more than one role — permissions are additive — and a last-admin guard prevents removing the final administrator, so you can never lock yourself out.