# Managing Permissions with User Roles

Role permissions enable Admins to grant permissions to a specific user without modifying <a href="/en/gr/23647/">security profiles</a>, allowing an incremental approach to access control that reduces the need for complex security profile configuration and maintenance. Security profiles remain the basis of access control in Vault; role permissions add a layer on top of them for specific or temporary purposes. This is particularly useful when users play various roles over time that require access to different combinations of object or application permissions.

To use role permissions, an Admin associates permission sets with _Application Role_ records, then joins those _Application Roles_ with _User_ records via the _User Role_ join object.

## Example: Simplifying a Security Profile Configuration

Suppose that, depending on training and role, the users in your organization will need varying combinations of the following permission sets:

* _Full User Actions_
* _Deviation Owner_
* _Audit Owner_
* _Change Control Owner_
* _Complaint Owner_

The intent is to distinguish between users who can participate in all processes (_Full User Actions_) and users who can also start or create new records of the business flows they own. If you were to configure a security profile for each possible access scenario, so that a user could participate in every process but only start the processes they own, you would need 16 profiles (one for each combination of the four owner permission sets): one profile providing _Full User Actions_, another providing _Full User Actions_ and _Deviation Owner_, and so on. Each additional owner permission set doubles the number of profiles, so the number and complexity of necessary security profiles grows quickly.

Instead of using security profiles only, however, you can use role permissions to greatly simplify this configuration. In this example, given the same intent as above, you would create one (1) basic security profile and four (4) _Application Roles_:

* _Security Profile: Full User_
* _Application Role: Deviation Owner_
* _Application Role: Audit Owner_
* _Application Role: Change Control Owner_
* _Application Role: Complaint Owner_

You can now assign all users the basic security profile and add the appropriate _User Roles_ to their _User_ record as they complete training, gain new roles, or become otherwise qualified to own new processes within the organization.

## Example: Temporary Access

Suppose a single user in your organization requires access to <a href="/en/gr/26597/">Vault Loader</a> on a temporary basis. Rather than creating or modifying a custom security profile which includes both the user's standard access as well as Vault Loader, you simply create an _Application Role_ record called _Vault Loader User_.

You can then associate a permission set granting Vault Loader access with the new _Application Role_ and assign that role to the user. This method removes the need to alter security profiles, and revoking the access later is a matter of inactivating or deleting the _User Role_ record.

## Configuring Role Permissions {#configuring}

Perform the following to enable the use of role permissions in your Vault:

* Add a <a href="/en/gr/26387/#sections">related object section</a> for the _User Role_ object to the _User_ object detail page layout.
* Ensure that users who will be managing _User Roles_ and _Application Roles_ have the [required permissions][1]. Note that a user cannot assign or remove _User Roles_ with permission sets containing more permissions than they possess themselves.
* Optional: To allow access to _User_ object records outside of **Admin > Users & Groups > Vault Users**, select **Display in Business Admin** in the _User_ object configuration, or add a _User_ <a href="/en/gr/23516/">custom object tab</a>.

## Adding Permission Sets to Application Roles

To make an _Application Role_ useful for role permissions, you must first associate it with a permission set.

<div class="note-border alert-info">
  <div class="alert alert-info" role="alert">
    <div><i class="far fa-info-circle"></i></div>
    <div class="alert-text">
      <p><strong>Note</strong>: You can only apply permission sets to custom <em>Application Roles</em> (those with names ending in <code class="language-plaintext highlighter-rouge">__c</code>). Standard roles (those typically ending in <code class="language-plaintext highlighter-rouge">__sys</code> or <code class="language-plaintext highlighter-rouge">__v</code>) cannot have permission sets added to them.</p>
    </div>
  </div>
</div>

To add a permission set to an _Application Role_:

1. Navigate to an _Application Role_ object record in **Business Admin > Objects > Application Roles** or a custom object tab.
2. Click **Edit**.
3. Select a permission set in the **Permission Set** field, or click the binoculars icon to open the record search dialog.
4. If you want Vault to enforce _User Role_ associations when creating _User Role Setup_ records for use with sharing rules, select the **Yes** value for _Constrain User Role Setup_. Use this value in conjunction with the <a href="/en/gr/35144/">User Role Constraints</a> feature.

The _Application Role_ applies its associated permission set when [assigned to a _User_][2]. A user can add or remove a permission set on an _Application Role_ only if the user has at least the same permissions.

If there are any assigned _User Role_ records for an _Application Role_, Vault will not allow you to edit its _Permission Set_ or _Status_ field values.

## Assigning an Application Role to a User {#assigning}

To assign an _Application Role_ to a _User_:

1. Navigate to a _User_ object record in **Business Admin > Objects > Users** or a custom object tab.
2. In the _User Role_ section, click **Create**.
3. Select one or more _Application Roles_ from the dialog.
4. Click **Save**.

The permission sets associated with the added _Application Roles_ take effect immediately. Note that you can assign or unassign a role whose permission set grants more permissions than you hold yourself only if you have at least the same permissions; Vault enforces this check to prevent an Admin from granting permissions they do not possess.

Vault limits the number of active _User Roles_ on a _User_ record to 50. If you later set a _User Role_'s _Status_ value to _Inactive_, the user loses access to the associated permission set; the record itself remains and can be reactivated.
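The two procedures above (attaching a permission set to an _Application Role_, then assigning that role to a _User_) resolve to a small set of rules: a user's effective permissions are the security profile plus every active _User Role_'s permission set; only custom (`__c`) roles accept a permission set; the permission set is locked once any _User Role_ references the role; an Admin can only grant permissions they already hold; and a _User_ record may carry at most 50 active _User Roles_. The following Python model is an added example written for this page, not Vault code or its API. The class and function names, and the permission names such as `deviation:create`, are assumptions constructed for illustration.

```python
# Added example: a model of the role-permission rules described on this page.
# Not Vault's implementation; names and permission strings are constructed.
from dataclasses import dataclass, field
from typing import List, Optional

MAX_ACTIVE_USER_ROLES = 50  # active User Roles permitted per User record


@dataclass(frozen=True)
class PermissionSet:
    name: str
    permissions: frozenset


@dataclass
class ApplicationRole:
    name: str                       # custom roles end in __c; standard in __v / __sys
    permission_set: Optional[PermissionSet] = None
    status: str = "active"
    assignments: int = 0            # number of User Role records referencing this role


@dataclass
class UserRole:
    role: ApplicationRole
    status: str = "active"


@dataclass
class User:
    name: str
    security_profile: PermissionSet
    user_roles: List[UserRole] = field(default_factory=list)

    def effective_permissions(self) -> frozenset:
        """Security profile plus every active User Role's permission set."""
        perms = set(self.security_profile.permissions)
        for ur in self.user_roles:
            role = ur.role
            if ur.status == "active" and role.status == "active" and role.permission_set:
                perms |= role.permission_set.permissions
        return frozenset(perms)


def can_grant(actor: User, pset: PermissionSet) -> bool:
    """An actor may only hand out permissions they already hold; this is the
    check that keeps role permissions from becoming a privilege-escalation path."""
    return pset.permissions <= actor.effective_permissions()


def attach_permission_set(actor: User, role: ApplicationRole, pset: PermissionSet) -> None:
    if not role.name.endswith("__c"):
        raise ValueError("permission sets can only be applied to custom (__c) roles")
    if role.assignments:
        raise ValueError("permission set is locked while User Roles reference this role")
    if not can_grant(actor, pset):
        raise PermissionError(f"{actor.name} lacks some permissions in {pset.name}")
    role.permission_set = pset


def assign_role(actor: User, target: User, role: ApplicationRole) -> UserRole:
    if role.permission_set is None:
        raise ValueError(f"{role.name} has no permission set")
    if not can_grant(actor, role.permission_set):
        raise PermissionError(f"{actor.name} lacks some permissions in {role.name}")
    active = sum(1 for ur in target.user_roles if ur.status == "active")
    if active >= MAX_ACTIVE_USER_ROLES:
        raise ValueError(f"{target.name} already has {MAX_ACTIVE_USER_ROLES} active User Roles")
    ur = UserRole(role)
    target.user_roles.append(ur)
    role.assignments += 1
    return ur


def deactivate(ur: UserRole) -> None:
    ur.status = "inactive"  # permissions stop applying; the record remains


def demo():
    """The page's scenario: one base profile, owner access added via a role."""
    full_user = PermissionSet("Full User Actions",
                              frozenset({"deviation:participate", "audit:participate"}))
    dev_owner = PermissionSet("Deviation Owner", frozenset({"deviation:create"}))
    admin_profile = PermissionSet("Vault Owner",
                                  full_user.permissions | dev_owner.permissions | {"audit:create"})

    admin = User("admin", admin_profile)
    alice = User("alice", full_user)
    deviation_owner = ApplicationRole("deviation_owner__c")
    attach_permission_set(admin, deviation_owner, dev_owner)

    before = alice.effective_permissions()
    ur = assign_role(admin, alice, deviation_owner)   # alice completes training
    after = alice.effective_permissions()
    deactivate(ur)                                     # temporary access ends
    return before, after, alice.effective_permissions()


if __name__ == "__main__":
    print(demo())
```

Running `demo()` shows the permission set appearing in the user's effective permissions the moment the role is assigned and disappearing again when the _User Role_ is inactivated, with the security profile untouched throughout. Because `alice` holds only _Full User Actions_, `can_grant(alice, dev_owner)` is false, which is the same constraint the page describes for Admins who try to assign roles carrying permissions beyond their own.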

## Related Permissions {#permissions}

To add or remove permission sets on _Application Role_ records, a user requires _Edit_ permission on the _Application Role_ object and _Admin: Permission Sets: Read_ permission.

To add or remove _User Roles_ on the _User_ object, a user requires the **Admin > Security > User > Manage User Object** permission and _Read_, _Create_, _Edit_, and _Delete_ permissions on the _User Role_ and _User_ objects.

 [1]: #permissions
 [2]: #assigning
