Setting up Roles

Modified on Wed, 15 Jul at 8:35 PM

Roles

How Roles connect Users, Teams, and Security Groups, and how to create and manage them in the Clew Platform


Contents


1. Introduction & Context

A Role represents a specific function within your organisation's hierarchy, such as Risk Manager or Internal Auditor, and is the central unit that connects Users, Teams, and Security Groups to control who can access what in the Clew Platform.

In the Clew Platform, a Role is not just a single entity but a central organisational unit that binds Users, Teams, and Security Groups together:

  • Users are assigned to Roles.
  • Teams are assigned to Roles.
  • Roles are linked to Security Groups, where permission sets are assigned to Registers.

This structure helps ensure that permissions are granted in an organised and consistent manner across all users, teams, and groups, reducing administrative overhead while maintaining security in access control.

A diagram showing how Users and Teams are assigned to Roles, which are linked to Security Groups that grant permissions on Registers

How Users and Teams connect to Roles, Security Groups, and Registers.

Who is it for? System Administrators who configure access control, and Team Administrators or Team Managers who assign roles within their teams.

What does it impact? Roles determine the permissions users inherit through Security Groups, which control access to registers, projects, and modules across the platform.


2. Key Features & Functions

  • Role-centric user management: when Role-based user management is enabled, Roles serve as the intermediary between Users and Permissions.
  • Assignment of Users and Teams to Roles: Users and Teams are assigned to specific Roles, which are then linked to Security Groups.
  • Hierarchical structure: Roles are organised hierarchically, much like business units, locations, and projects. This hierarchy mirrors your organisation's structure and ensures that access control aligns with your organisational needs.
  • Multiple Roles per user: a single user can be assigned multiple Roles. The permissions granted to that user are defined by the Security Groups associated with those Roles.
  • Role sharing across users: Roles can be shared by multiple users who perform similar tasks. For instance, a Management Role can be assigned to several users who share similar responsibilities within the organisation.

3. Requirements

Roles can be assigned to users by:

  • A System Administrator.
  • A Team Administrator or Team Manager, if team management is enabled. Team admins and managers can only assign Roles that have been linked to the team by a System Administrator.
Note: Roles can be assigned to users only if User-Centric Group Management is disabled in settings. When it is enabled, Roles are automatically created and mapped to users and are less significant in day-to-day management.

4. Step-by-Step Guide

Creating a Role

  1. Navigate to the Admin section, enter Roles in the search box, and click the Roles icon to open the Roles list view.
The Admin search box with Roles entered and the Roles icon shown in the results

Searching for Roles in the Admin section.

  1. Click the Add button to open the Add Role form.
The Roles list view with the Add button

The Roles list view. Click Add to create a new Role.

  1. Fill in the required and other relevant fields using the reference table below.
FieldDescription
TitleName of the Role (for example, Internal Auditor).
DescriptionAn optional field to provide additional context or the purpose of the Role.
Reports ToDefines the hierarchical parent Role. Used to model organisational structure.
External IDA reference identifier for external system integrations, if applicable.
ActiveIndicate whether the Role is active.
UsersAssign users to this Role. A Role can be filled by one or more users. Each assigned user will inherit the Security Groups linked to the Role.
Security GroupsSecurity groups granted through this Role that determine the projects and modules that the users linked to this Role can access.
TeamsTeams associated with this Role.
The Add Role form showing the Title, Description, Reports To, and other fields listed in the table above

The Add Role form showing the fields described above.

  1. Click Save to finalise the Role configuration.

Checking Which Roles Are Assigned to You

If User-Centric Group Management is disabled:

  1. Go to the Admin section and select Users from the top dropdown.
  2. Find your name in the Users list and click the Edit icon.
  3. Scroll to the Security section to view your assigned Role(s).

If User-Centric Group Management is enabled, Roles are automatically created and mapped to users. Role details can be found in Admin Roles, but they are less significant in this mode.

Note: Administrator access is required to check user Role assignments. To review a user's level of access, open their Access Control Matrix from the Admin Users list view.

Changing a User's Role

  1. Navigate to Admin > Users.
  2. Select the user and edit their profile.
  3. Update their assigned Role(s) and save.

5. Common Issues & Troubleshooting

IssueLikely CauseSolution
A user cannot access a registerThe user's Roles are not linked to the correct Security GroupsCheck the user's Role assignments and ensure the correct Security Groups are linked. Use the user's Access Control Matrix to verify access permissions
A user without a Role cannot access any registersWhen User-Centric Group Management is disabled, users without a Role have no register access unless linked to items via ABAC or a Global Permission Set is enabledAssign the user an appropriate Role, or confirm whether ABAC links or a Global Permission Set should apply
A newly added user is assigned a Security Group by defaultA Security Group has the Default option enabled, which automatically assigns it to all new usersVerify the Default setting on your Security Groups and adjust it if new users should not receive it automatically
A user can see all registers without being linked to a RoleA Global Permission Set is enabled, which gives all users access to all registersCheck whether a Global Permission Set is enabled and confirm it reflects your intended access policy
A user can see some registers but no Role or Security Group appears on their User pageThe Role was assigned through the user's team. Security groups assigned via teams do not appear on the User profile page but still applyCheck the user's team memberships and the Roles linked to those teams

Best practices:

  • Design your Role hierarchy to mirror your organisational structure using the Reports To field, so access control stays aligned with how your organisation actually works.
  • Share a single Role across users with similar responsibilities (for example, a Management Role) rather than creating near-identical Roles for each person.
  • Use the Access Control Matrix as the definitive check when investigating a user's access, as it reflects permissions from all sources including teams.
  • Fill in the Description field on each Role so other administrators understand its purpose without having to inspect its Security Groups.
  • Assign multiple Roles to a user only when their responsibilities genuinely span different areas, and review multi-Role users periodically.

Was this article helpful?

That’s Great!

Thank you for your feedback

Sorry! We couldn't be helpful

Thank you for your feedback

Let us know how can we improve this article!

Select at least one of the reasons
CAPTCHA verification is required.

Feedback sent

We appreciate your effort and will try to fix the article