
Overview

Roles & Permissions is the foundation of Elementum’s security model. Best practice is to grant permissions in Elementum through roles rather than to individual users. This role-based approach ensures consistent access control and simplifies permission management across your organization.

Role-Based Access Control

Control who can access and modify resources by assigning users to roles with specific permissions. Roles can be applied at organization and app levels for granular security.
Key Benefits:
  • Centralized Control: Manage permissions through roles instead of individual users
  • Scalable Security: Easily manage access for large teams and complex organizations
  • Consistent Access: Ensure uniform permissions across similar user types
  • Audit-Ready: Clear role assignments for compliance and security reviews

Permission Levels

1. Organization-Level Permissions

Permissions granted at the organization level provide access across all apps the user has access to. Org admins act as global overseers with broad system access.

2. App-Level Permissions

Permissions granted at the app, element, or task level provide access only to those specific resources and their related features.

Important: Organization-level permissions cascade down to all accessible apps. Use org-level roles carefully and primarily for administrative oversight.

Managed Roles

Elementum provides predefined managed roles with standard permission sets for common use cases.

Managed Roles Characteristics

  • Fixed Permissions: Permission sets cannot be modified
  • Membership Control: You can add/remove users and groups
  • Standard Templates: Cover common organizational roles

Common Managed Roles

App Admin

Full administrative access to all features and settings within the app. Managed role with predefined permissions.

Content Editor

Can create and manage content but cannot change app settings. Managed role with predefined permissions.

Content Viewer

Read-only access to content and basic features. Managed role with predefined permissions.

Custom Roles

Create custom roles with any permission set your organization requires. Custom roles provide complete flexibility for unique access control needs.

Custom Role Benefits

  • Full Control: Set any combination of permissions
  • Tailored Access: Create roles specific to your workflows
  • Flexible Membership: Assign users and groups as needed
  • Auto-Share Options: Automatically assign roles based on user actions

Creating Custom Roles

1. Define Role Details

  1. Click “Create Custom Role”
  2. Enter a descriptive Role Name
  3. Add a Description explaining the role’s purpose

2. Assign Users and Groups

  1. Select Users who should have this role
  2. Select Groups that should receive this role
  3. Configure Auto Share Options if desired

3. Configure Permissions

Set permissions for each resource type:
  • Records: Create, Read, Update, Delete, Comment
  • Automations: View, Create, Modify, Execute
  • Agents: Access, Configure, Monitor
  • AI Providers: Use, Configure, Manage
  • Analytics: View, Create, Export
  • Apps: View, Configure, Manage
  • And more…

Permission Types

Core Permissions

  • Records
  • Automations
  • Agents
  • System Resources
Available Permissions (Records):
  • Create Records: Allow creating new records
  • Read Records: Allow viewing records (respects Data Access policies)
  • Update Records: Allow editing existing records
  • Delete Records: Allow removing records
  • Comment on Records: Allow adding comments to records

Auto Share Options

Configure roles to be automatically assigned when users interact with records.
Available Triggers:
  • When user is added as a watcher: Automatically assign role when someone watches a record
  • When user is assigned to a record: Auto-assign when user becomes record assignee
  • When user is @mentioned: Assign role when user is mentioned in comments
  • When a record is shared with a user: Auto-assign when records are explicitly shared

Managing Roles

Role Administration

1. View All Roles

Navigate to Security > Roles & Permissions to see all managed and custom roles

2. Manage Membership

Click “Manage Role” on any role to add/remove users and groups

3. Edit Custom Roles

Modify permissions and settings for custom roles as business needs change

4. Delete Unused Roles

Remove custom roles that are no longer needed (managed roles cannot be deleted)

Role Membership

Individual Users

Assign specific users to roles for targeted access control

User Groups

Assign entire groups to roles for efficient bulk permission management

Mixed Assignment

Combine individual users and groups within the same role as needed

Multiple Roles

Users can be assigned to multiple roles - permissions are additive
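
The additive behaviour described above, together with the organization-level cascade, as an added example that is not Elementum code: a small Python model for a role review that computes each user's effective permissions per app and flags users whose combined roles grant a permission pair you want kept apart. The role contents, permission strings, group names and app names are constructed assumptions, and no Elementum API is used.

```python
from collections import defaultdict

# Constructed sample data (assumptions, not an Elementum export format).
# A role with scope "org" cascades to every app the user can access.
ROLES = {
    "Content Editor": {"scope": "app:helpdesk",
                       "perms": {"records.create", "records.read", "records.update"}},
    "Contractor Cleanup": {"scope": "app:helpdesk",
                           "perms": {"records.read", "records.delete"}},
    "Org Auditor": {"scope": "org", "perms": {"records.read", "analytics.export"}},
}
GROUPS = {"support-team": {"alice", "bob"}}
MEMBERS = {  # role -> directly assigned users and assigned groups
    "Content Editor": {"users": set(), "groups": {"support-team"}},
    "Contractor Cleanup": {"users": {"bob"}, "groups": set()},
    "Org Auditor": {"users": {"carol"}, "groups": set()},
}
APP_ACCESS = {"alice": {"helpdesk"}, "bob": {"helpdesk"}, "carol": {"helpdesk", "billing"}}

def role_users(role):
    """Expand membership: direct users plus every member of each assigned group."""
    users = set(MEMBERS[role]["users"])
    for group in MEMBERS[role]["groups"]:
        users |= GROUPS[group]
    return users

def effective_permissions():
    """Return {user: {app: perms}} as the union over all of the user's roles."""
    eff = defaultdict(lambda: defaultdict(set))
    for role, spec in ROLES.items():
        for user in role_users(role):
            if spec["scope"] == "org":
                apps = APP_ACCESS.get(user, set())   # org-level cascade
            else:
                apps = {spec["scope"].split(":", 1)[1]}
            for app in apps:
                eff[user][app] |= spec["perms"]      # additive: never subtracts
    return eff

def flag_combinations(eff, toxic):
    """List (user, app) pairs whose combined roles grant every permission in `toxic`."""
    return sorted((user, app) for user, apps in eff.items()
                  for app, perms in apps.items() if toxic <= perms)

if __name__ == "__main__":
    print(flag_combinations(effective_permissions(), {"records.update", "records.delete"}))
```

Neither of bob's two roles grants both update and delete, but their union does, which is the case a per-role review misses.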

Best Practices

Role Design Strategy

Best Practice: Always use roles to grant permissions rather than individual user assignments. This ensures consistency and simplifies management.
1. Plan Role Hierarchy

Design roles that match your organizational structure and workflow responsibilities

2. Use Descriptive Names

Create clear, descriptive role names that indicate purpose and scope

3. Start with Managed Roles

Use managed roles when they fit your needs before creating custom alternatives

4. Regular Role Audits

Periodically review role assignments and permissions to ensure they remain appropriate

Organization vs App-Level Roles

  • Organization-Level Roles
  • App-Level Roles
Use Organization-Level Roles When:
  • Users need consistent access across multiple apps
  • Administrative oversight is required
  • Global policies need to be enforced
Examples:
  • IT Administrators
  • Compliance Officers
  • Executive Leadership

Security Considerations

Permission Management

Principle of Least Privilege

Grant only the minimum permissions necessary for users to perform their job functions

Regular Reviews

Conduct periodic reviews of role assignments and permissions

Separation of Duties

Ensure critical functions require multiple roles or approvals

Audit Trails

All role changes are logged in the Activity Log for security monitoring

Common Security Patterns

Strategy: Separate roles by function rather than hierarchy
  • Create roles based on job responsibilities
  • Avoid overly broad permissions
  • Use multiple specific roles rather than one powerful role
Strategy: Use custom roles for temporary or project-based access
  • Create time-limited roles for contractors
  • Remove access when projects complete
  • Regular cleanup of unused roles
Strategy: Plan for emergency access scenarios
  • Designate emergency administrators
  • Document emergency procedures
  • Regular testing of emergency access
Remember: Roles & Permissions is the foundation of Elementum security. Design your role structure thoughtfully to support both current needs and future growth while maintaining security best practices.