A role is a collection of permissions that determines how people with that role will use your Smartabase site. There are two types of permissions:
- System permissions: these are generic permissions that are common to every Smartabase site. There are important system permissions that govern a person's ability to enter data, view or edit their account details, see the sidebar, access their inbox, view their performance history and make use of tools such as reports, training blocks, scheduling and appointments.
- Data permissions: these are permissions specific to the content of your Smartabase site. Each time you create a category, build a form or set up a dashboard, Smartabase provides data permissions so that you can control which people are able to interact with that part of your site and how they're able to interact with it.
This article contains important information about:
- Managing roles.
- Assigning a role to people.
- Enforcing multi-factor authentication for a role.
- Steps to create a new role.
- Examples of different roles.
- System permissions.
- Data permissions.
Managing roles
The Roles tool is used to manage how people can use your Smartabase site. This tool allows you to see a complete list of all roles on your Smartabase site including the Name and Description of the role and whether multi-factor authentication is enabled for the role. You can sort the roles by selecting any of the list headers.
The collapsible search menu lets you search for:
- Roles with a name that matches your filter.
- Roles with a description matching your filter.
- Roles that contain (or don't contain) a specific system permission.
- Roles that contain (or don't contain) a specific data permission.
You can use other features in the Roles tool to:
- Edit the role.
- Delete a role. Deleting a role will delete the role itself but not the user accounts for the people who have access to the role. However, if those people do not have access to any other roles, they will not be able to log into the Smartabase site.
- Duplicate a role. Duplicating a role creates a new role with the same system and data permissions as the original. Other components of the role, such as people, are not included in the duplicate.
Assigning people to a role
Roles must be assigned cautiously. Each role has different levels of access to sensitive data, including medical records and personal information. It is important that people are assigned to roles that match their authorized level of access to the data.
To assign a role to a person, create a new role or open an existing role and type their name into the search box. Select their account from the drop-down list and select Add person to confirm the selection. Alternatively, select the Add multiple people button. This will open a sidebar on the right-hand side of the page.
The People tab shows all of the user accounts that exist on the site. The number of entries displayed can be altered with the pagination drop-down menu below the table. Tick the accounts to be added to the role, or select the plus ( + ) icon at the top of the sidebar to filter the data.
In the Filter pop-up window, select the account detail to filter the results by, then click the Select button. The results can be filtered by first name, middle names, last name, username, known as, email address, UUID, language or whether the user account is active. After selecting a field, the filter will appear above the table. Enter the filtering conditions and then select the Search button or click the Enter key. You can add more filtering conditions by selecting the plus ( + ) icon again. Use the Remove button to delete a filtering condition or select the Reset button to remove all filtering conditions.
In the example above, we have added a filter to only show user accounts where the first name field contains “Emma.” If we wanted to add only Emma Williams to the role, we would tick the box next to her name and then select the Add people to role button. To add both Emma Williams and Emma Delaney, we could either:
- Click Select all 2 people.
- Tick the box in the header row of the table.
- Tick the box next to both of their names.
To confirm the selection, select the Add people to role button. Selections will be retained while the sidebar remains open, even if the filtering conditions are changed.
If we wanted to add two people (Emma Williams and Finn O’Mahoney, shown in the example below) to the role, we could perform the steps above to select Emma Williams, then change the filtering condition to search for “Finn” in the first name and select the correct account. To confirm your selections, switch to the Selected tab. You can add the people to the role from either the People or Selected tabs.
Enforcing multi-factor authentication for a role
As an administrator, you can enable multi-factor authentication (MFA) for specific roles. For example, MFA may be required for a medical role, but not an athlete role. If MFA is enabled, people must verify their identity on each device or browser they use to access Smartabase.
Multi-factor authentication expiry
To enable MFA for a role, tick the box to indicate that that MFA is required and then specify an expiry period. This is the duration, in months, after which someone must re-authenticate.
- An expiry period of 0 or a negative value means that the person will need to authenticate every time they log in, as the authentication expires immediately.
- An expiry period of >0 means that the person will need to re-authenticate their device when this number of months passes since their most recent authentication (e.g. if the expiry period is 6, the person will need to re-authenticate their device in 6 months).
If a new expiry period is set in the future, expiry will occur from the most recent date of authentication. If MFA is enabled site-wide and for a role where each has a different expiry period, the shorter expiry period will be adhered to.
Multi-factor authentication communication channels
There are up to three communication channel options for people within a role to receive their authentication codes. This setting will become available after you've enabled MFA for the role, set the expiry period and saved the changes to the role. The options are:
- Authentication App
- SMS
Depending on the site-wide MFA settings, you may not have the option to choose all three of these when setting up MFA for a role.
These options work in a hierarchy:
- If you select Email in the role settings, anyone with this role could elect to receive their codes via email, SMS or an Authentication app.
- If you select SMS, people with the role can only choose to receive their codes via SMS or an Authentication app.
- If you select the Authentication App, people will only have the option to receive codes via this method. You may not have the option to choose all three of these when setting up your role, depending on site-wide settings.
If you are restricting to authentication via an Authentication app only, people will need to have first logged in and located their MFA key. If people cannot log in and locate their key, they won’t be able to set up their Authentication app with it. The key can only be accessed by the individual who the user account belongs to (not by an administrator or coach).
Steps to create a new role
- Log in to the administration interface.
- Select the Roles tool from the administration home page.
- Select the Create new role option at the top of the page.
- Name the role.
- Provide a description of the role, if necessary.
- Set the time out for the role, if required. If you would like to set this timeout to unlimited, type in -1.
- Choose whether multi-factor authentication is required for people with this role.
- Choose whether single sign-on is required for people with this role.
- Click Save.
- Enter the people who the role will apply to.
- Specify the system permissions for the role.
- Specify the data permissions for the role.
- Click Save.
Examples of roles
Below are some examples of how you might configure roles for certain types of people, including:
Athlete
In this scenario, an athlete uses Smartabase to enter information about their daily wellness and training sessions. They also need access to a profile form with their emergency contact details and a dashboard summarizing their wellness and training data.
The system permissions that might be applicable to the athlete’s role are:
- Account write to update their account details.
- Athlete history to view their previous records.
- Dashboards read to view dashboards.
- Enter data to create and edit records.
- Profile data to create and edit profile records.
The data permissions that might be applicable to the athlete’s role are:
- Write access to the daily wellness form.
- Write access to the training data form.
- Write access to the emergency contacts profile form.
- Access to the summary dashboard.
Coach
In this scenario, a coach uses Smartabase to review the daily wellness and training session data that their athletes enter into Smartabase, as well as GPS data syncing via an integration. The coach needs to visualize this information on a dashboard to make decisions about upcoming training sessions and games.
The system permissions that might be applicable to the coach’s role are:
- Account write to update their account details.
- Dashboards read to view dashboards.
- Groups to view the different groups that they have access to.
- Reports to view tabular summaries of the data they have access to.
- Sidebar to view and navigate to athletes' data from the sidebar.
The data permissions that might be applicable to the coach’s role are:
- Read access to the daily wellness form.
- Read access to the training data form.
- Read access to the GPS data form.
- Access to the summary dashboard.
Medical practitioner
In this scenario, a medical practitioner uses Smartabase to enter and review medical consultation notes and run injury surveillance statistics to present to the board at quarterly meetings. They should also be able to see a summary form which has information linked from the wellness, training and emergency contact forms to provide them with additional context during medical consultations.
The system permissions that might be applicable to the practitioner’s role are:
- Account write to update their account details.
- Dashboards read to view dashboards.
- Enter data to create and edit records.
- Groups to view the different groups that they have access to.
- Reports to view tabular summaries of the data they have access to.
- Sidebar to view and navigate to athletes' data from the sidebar.
The data permissions that might be applicable to the practitioner’s role are:
- Write access to the medical consultation notes form.
- Read access to the summary form.
- Linked access to the daily wellness form.
- Linked access to the training data form.
- Linked access to the GPS data form.
- Linked access to the emergency contact details profile form.
- Access to an injury surveillance dashboard.
System permissions
This section briefly describes each system permission which may be added to a role. The first list here describes the system permissions for the tools and functionality that can be used within Smartabase Online or the mobile applications. The second list of system permissions is specific to Smartabase administrator tools and functions.
About page
This system permission is scheduled for removal and relates to an obsolete About page front page tool.
Account read
This gives people the ability to view their account details, such as username, first name, last name, password field (the password itself is never visible in plain text), email and contact information. People can view but cannot edit account information unless they also have the Account write system permission.
Account write
This gives people the ability to edit their account details, such as username, first name, last name, password field (the password itself is never visible in plain text), email and contact information. It not necessary to also have the Account read permission if you have the Account write permission. See also: Edit athlete account – partial.
Athlete history
Front page tool (History) that takes the person to their Performance history; allows professional users to view the performance history of other people. Also enables the History button in the profile section of the athlete sidebar.
Athlete sidebar
This gives people the ability to view and interact with the right sidebar, which displays the selected person's photo (if available), critical information and links to their profile (if the Profile data system permission is assigned), internal messages (if the Messaging system permission is enabled), performance history (if the Athlete history system permission is assigned) and new favorite event records. Note that the athlete sidebar will always be available when the Sidebar system permission is enabled - that permission encompasses this permission.
Calendar
Front page tool (Calendar) that takes the person to a calendar containing their events (if set up to appear in calendar); allows a professional user to view the calendar of another person.
Dashboards read
This system permission gives people the ability to access the dashboard tool for the purposes of viewing custom dashboards and dashboards created using the Dashboard builder. For each dashboard created using the Dashboard builder, there is a corresponding data permission that must be included in a person’s role for them to access that dashboard. To view custom dashboards, people must have the data permission for the relevant dashboard’s category in their role.
Dashboards write
This system permission is scheduled for removal and relates to an obsolete dashboards front page tool.
Delete all
A button in reports and performance history that allows the person to delete all records when using the Reports or Performance history tools. Professional users can use this to delete multiple records for multiple people. This system permission should not be enabled in most roles and is best only assigned to site builders and administrators. Records can only be deleted if the person also has the relevant data permission to Delete records for the event form.
The Delete all system permission should not be enabled in most roles. It is best to only assign the permission to site builders and administrators.
Download all files
This permission gives people the ability to download a ZIP file containing multiple files associated with records shown in a report or performance history. This feature must also be enabled in the site’s Application details.
Edit athlete accounts
Allows professional users to edit some account information for other people without needing access to the administration site. This is done via the Athlete profiles button or the profile section of the right sidebar (requires Athlete sidebar system permission).
Edit athlete accounts - partial
Allows professional users partial ability to edit account details for other people without needing access to the administration site via the Athlete profiles button or the profile section of the right sidebar (requires Athlete sidebar system permission). This is limited to making changes to the following fields:
- Known as
- Date of birth
- Sex
- Account picture
- Addresses
- Phone numbers
- Language
- Favorite events
- Favorite dashboards
- MFA code communication preference
This system permission can be assigned in place of Edit athlete accounts (for professional users). To edit your own account details (as a professional or non-professional user), refer to the Account write system permission.
Edit athlete fields
Allows the person to tag other people in the event form using the Single athlete, Coach or Multiple athletes fields.
Enter appointment
A front page tool (Enter appointment) that allows the person to fill out appointment forms. People need Write data permission to individual appointment forms.
Enter data
A front page tool (Enter data) that allows the person to fill out event forms they have Write data permission for. This system permission must be enabled for people to fill out event forms, regardless of any Write data permissions they have.
Enter data for group
A front page tool (Enter data for group) that allows professional users to enter data for event forms they have Write data permission for using group entry mode. If this system permission is assigned to non-professional users, the front page tool will not appear. The event form must also be enabled for group entry mode in the advanced form properties.
Enter scheduled data
A front page tool (Enter scheduled data) that allows the person to fill out scheduling forms. People need Write data permission to individual scheduling forms.
Excel reports read
A front page tool (Excel reports) that allows people to download Excel reports about themselves that have been shared with them. Professional users can download Excel reports about other people that have been shared with them.
Excel reports write
Ability for people to create Excel reports about themselves. Professional users can create Excel reports about other people.
Group performance profile
Allows professional users to generate a group performance profile (as a PDF) of the currently-loaded group. This functionality is not available to non-professional users and will not appear if this system permission is assigned. See also: Performance profile.
Groups
Ability for people to change between groups they are members of or have access to.
Import data
A front page tool (Import data) that allows people to import historical data for an event form. People need Write data permission for individual forms.
Import profile data
A front page tool (Import profile data) that allows people to import data for a profile form. People need Write data permission for individual forms and Profile data system permission to view profile forms.
Messaging
This gives people the ability to access messaging buttons, including the inbox link if included in the page layout. Non-professional users can send messages to the professional users with access to their current group. Professional users can send messages to other professionals with access to the current group or to members of the group. Messages can be sent from the inbox or from different parts of the system, for example, the reports tool.
Pending form import data
A front page tool (Pending data) that gives people the ability to import data from Smartspeed. People need Write data permission for the forms they are to import data into.
Performance alerts read
A front page tool (Performance alerts) that allows people to view received performance alerts, if the Athlete history system permission is also enabled
Performance alerts write
This gives people the ability to create performance alerts. People can only create performance alerts with themselves as the monitored and notified user. Anyone with coach access to a group can create performance alerts with anyone in the group they are viewing (or the entire group) as the monitored group and with anyone in the current group or another professional user as the notified user/s. Note that only the person who creates a performance alert is able to edit it. For site administrators, this permission allows them to create new performance alerts using the Performance alert management tool in the administrator interface.
Performance explanations read
Gives people the ability to read performance explanations for forms they have Write data permission for. This system permission does not extend to mobile devices.
Performance explanations write
This system permission is obsolete and scheduled for removal.
Performance profile
A front page tool (Performance profile) that allows professional users to create performance profile reports comparing them to other members of the group. This requires Read data permission for event forms in the performance profile report.
Performance standards read
This system permission is obsolete and scheduled for removal.
Performance standards write
This system permission is obsolete and scheduled for removal.
Performance summary reports
A front page tool (Performance summary reports) that allows people to view the performance summary dashboard and performance summary reports. A professional user will see all members of the currently-loaded group in the dashboard and summary reports; a non-professional user will only see themselves. Requires Read data permission for individual event forms for them to be included in the dashboard or summary report.
Personal bests
A front page tool (Personal bests) that allows people to compare themselves to other members of their group. Requires Read and Write data permissions for individual event forms. Only event form fields that have been set up with the Calculates personal best property set to True will appear as a personal best.
Personal bests group selection
This gives a professional user the ability to choose which group they want to compare people to with the personal bests tool. Requires the Personal Bests system permission.
Personal groups read
A front page tool (Personal groups) that allows a professional user to create personal groups from members of the current group. Only useful to professional users.
Personal groups write
This system permission is obsolete and scheduled for removal.
Preview schedule
A front page tool (Preview schedule) that allows people to view scheduled events for related entities. Requires Read data permission for individual related entity and scheduled event forms.
Print page
A front page tool (Print results) which generates PDFs from forms the person has Read data permission for. Allows customization for forms with tables in them to include blank columns.
Profile data
A front page tool (Profile data) that allows people to fill out profile forms they have Write permission for. This system permission must be enabled for people to fill out and view profile forms, regardless of any Read or Write data permissions they have for profile forms. This system permission is also required for the person's contact information, such the phone number or email address associated with their account, to be displayed beneath their profile image.
Publish scheduled events
Ability to use the Publish and Publish with iCals buttons in the Preview schedule tool. Requires the Preview schedule system permission.
Recent entries
A front page tool (Recent entries) that allows people to view all event forms in chronological order from most to least recent. Professional users can choose to view the recent entries by group member or by group.
Related entity calendar
A front page tool (Related entity calendar) that allows people to view a calendar view of events for all related entities for which they have Read data permission.
Reports
A front page tool (Reports) that allows people to create reports using forms they have Read data permission for. Professional users can choose to create reports using one or more members of the currently-loaded group.
Reports - export
Ability to use the Excel button in the Reports and Performance history tools.
Reports - grouping
Ability to use the Pivot table button in the Reports tool, if enabled in the Application details.
Reports - investigate
Ability to use the Investigate button in the Reports tool, if enabled in the Application details.
Reports - PDF
Ability to use the PDF and PDF (Form) buttons in the Reports and Performance history tools.
Reports - send email
Ability to email a copy to selected people of exported reports created using the Excel, PDF or PDF (Form) buttons in the Reports and Performance history tools.
Reports - send to front page
Ability to use the Send to front page button in the Reports tool. For this report to be visible, the Front page reports button must be part of the person's page layout.
Reports - send to users
Ability to use the Save copy to users button in the Reports tool.
Reports - send to users front page
Ability to use the Send to front page of users button in the Reports tool. For this report to be visible, the Front page reports button must be part of the person's page layout.
Reports - summary statistics
Ability to use the Summary statistics button in the Reports tool, if enabled in the Application details.
Resources
A front page tool (Resources) which allows people to access content uploaded as a resource. Category data permission must be enabled for the person to access content in individual categories.
Resources - upload
Ability to use Manage resources button in the resources tool to upload and edit content in categories that the person has data permissions for.
Schedule calendar
Ability to view a schedule as a calendar when using a mobile device. Requires Schedule page system permission to be enabled.
Schedule page
A front page tool (Schedule) which allows people to view event forms from a selected date for a specified number of days. Professional users can view the schedule of all members of the current group.
Search Page
A front page tool (Search) that allows people to search for professional users with access to their current group. Professional users can search for members of the current group as well as other professional users with access to the current group. People can also search for groups they are members of or have access to.
Sidebar
This gives people the ability to view and interact with the left sidebar, which displays the event form categories, event forms, the enter new event form link and the event form performance history if enabled.
Spotfire read
This system permission is obsolete and scheduled for removal.
Spotfire write
This system permission is obsolete and scheduled for removal.
Summary statistics reports read
A front page tool (Summary statistics reports) that allows people to view summary statistics reports that have been shared with them. This requires Read data permission for individual forms. Professional users are able to view summary statistics reports with multiple members of the currently loaded group.
Summary statistics reports write
This gives people the ability to create and share summary statistics reports from saved reports (Reports tool). This requires Read data permission for individual forms. Professional users are able to create summary statistics reports with multiple members of the currently loaded group.
Training blocks read
A front page tool (Training blocks) that allows people to see and apply training blocks that have been shared with them. This requires Read data permission for individual forms. Professional users are able to apply training blocks to multiple members of the currently-loaded group.
Training blocks write
This gives people the ability to duplicate and edit training blocks that have been shared with them, create new training blocks and share training blocks with other people. This requires Read data permission for individual forms.
Training plans read
This system permission is obsolete and scheduled for removal.
Training plans write
This system permission is obsolete and scheduled for removal.
User onboarding
A tool that can be used on the Smartabase Kiosk app to assist in onboarding people to Smartabase via QR codes.
View current appointments
A front page tool (View current appointments) that allows people to view the current day’s appointments for a related entity. This requires Read data permission for individual related entities and Read data permission for individual appointment forms. Professional users are able to see the details of appointments for members of the currently loaded groups, otherwise the only detail that is shown is a blocked out time period.
View current schedule
A front page tool (View current schedule) that allows people to view the current day’s schedule for a related entity. This requires Read data permission for individual related entities and Read data permission for individual scheduling forms.
Yearly plans read
A front page tool (Yearly plans) that allows people to view yearly plans created by professional users of the currently-loaded group and/or a yearly plan that has been applied to them. Requires Read data permission for individual forms.
Yearly plans write
This gives people the ability to duplicate and edit yearly plans that have been shared with them, create new yearly plans and share yearly plans with other people. This requires Read data permission for individual forms. Professional users are able to apply yearly plans to members of the currently loaded group.
Administrator Role Permissions
Unlike the above permissions, which give access to tools on the Smartabase main application, the following permissions provide access to administrator features. Not all administrator tools have a specific permission; this is reserved for tools that require careful management, and therefore should not be accessible to an administrator without the proper understanding of the tool's function. For this reason, these permissions can only be added to a role by the site owner.
Administrate Smart flows
This permission gives an administrator the ability to view, edit, duplicate and delete Smart flows.
Administrate Smart saves
This permission gives an administrator the ability to view, edit, duplicate and delete Smart saves.
Allow site switching (enterprise only)
This permission gives people the ability to easily switch between sites from the user, builder and administration interfaces if they’re part of an enterprise system (multiple, linked sites on the same server).
Manage object ownership
This permission enables an administrator to find and edit the owner of a data structure (object) in the builder interface, such as an event form, database form, profile form, related entity form or dashboard.
Manage password policies
If a Smartabase site's Application details has been set to allow multiple password policies, this permission enables an administrator to create, edit and delete items in the Password policy management tool.
Manage security whitelists
This permission enables an administrator to create, edit and delete items in the Security whitelist tool.
Set custom passwords
This permission enables an administrator to assign a custom password to an account. Without this permission, the administrator can only activate a password reset email, which the person can then access to update their password.
Data permissions
Data permissions are permissions specific to the content of your Smartabase site. Categories and dashboards each have a single data permission associated with them, which enables the person to view the category contents or the dashboard. Note that having permission for a dashboard doesn't include the permissions for any data which is displayed in a dashboard. You need to add these data permissions separately.
Forms have different types of permissions according to whether they are event, profile, database or related entity forms. These are Linked, Calendar, Read, Write and Delete permissions, with the former two only applying to event and profile forms. Permissions for forms are somewhat hierarchical in the sense that having the Write permission automatically allows a form to be read, and having the Delete permission also allows the form to be read and written. This means that you can give people a single data permission for a form which reflects the maximum level of interaction they can have with the data. The list below describes each type of data permission in order from most to least restricted.
Linked
Gives people the ability to see data from this form in other forms. This data permission means you don't have to give people full Read access to a form. Instead they can see selected information which is linked into forms they have Read access to.
Related entity and database forms do not have the Linked data permission.
Calendar
Gives people the ability to see this form in the calendar if it has been enabled to appear in the calendar. With this permission, someone can see that a record exists and when it was recorded but can only see data that has been set up to appear in the calendar summary.
Related entity and database forms do not have the calendar data permission.
Read
Gives people the ability to view data entered into a saved record for this form. This data permission makes the Linked and Calendar data permissions unnecessary. Forms which the person has Read access to will appear in dashboards, the sidebar, performance history, reports and other parts of Smartabase. They will not appear in the data entry process.
Write
Gives people the ability to create and edit records for this form. This data permission makes the Read permission unnecessary. Forms which the person has Write access to will appear in the data entry process, the sidebar, performance history, reports and other parts of Smartabase.
Delete
Gives people the ability to delete a record created using this form (exception: related entity records cannot be deleted by a user and must be deleted by a builder). This data permission makes the Write permission unnecessary. Forms which the person has Delete access to will appear in the data entry process, the sidebar, performance history, reports and other parts of Smartabase.
Deleting a record will permanently delete the record from Smartabase. This data permission should only be assigned to people who are authorized to delete records.