Roles
Roles control menu visibility, object access, workflow responsibilities, and administrative permissions.
Use clear role naming and avoid granting broad administrative roles when a narrower module or client role is sufficient.
Role Categories
centraQuest installations usually combine several role categories.
| Category | Purpose | Examples |
|---|---|---|
| Application roles | Enable access to an application area. | show_App_Invoice |
| Functional roles | Grant business capabilities. | bereich_BUHA, rolle_Treuhand, rolle_Buchhaltung |
| Admin roles | Grant administrative functions. | rolle_Administrator, rolle_BUHA_admin |
| Client roles | Grant visibility for a client or mandate. | mandant - 0001 - Arlesheim |
| Feature roles | Enable optional tabs or special views. | show_order_tab, show_email_tab |
| Workflow roles | Represent approval or processing responsibilities. | Installation-specific |
The exact role names are installation-specific. The examples above are common patterns, not a complete global role catalogue.
Application Access Is Not Object Access
An application role can make a menu visible, but it does not automatically grant access to every document. A user may have show_App_Invoice and still be unable to open or approve a specific invoice if the object ACL, client assignment, or workflow responsibility does not match.
This distinction is important in support cases:
- Menu missing: usually role or configuration visibility.
- Document missing from list: often client role, object ACL, lifecycle filter, or search filter.
- Document visible but read-only: read access exists, but write permission is missing.
- Approval action fails: workflow responsibility or lifecycle-specific write permission is missing.
Administrative Roles
Administrative roles should be granted carefully. They often unlock configuration, jobs, master data, and troubleshooting pages.
Recommended practice:
- Use broad admin roles only for technical administrators.
- Use module admin roles for operational administrators.
- Use client-specific roles where possible.
- Avoid adding users to admin roles just to fix one missing document.
Role Naming
Role names should be stable and descriptive. Customer-specific roles should follow a consistent naming convention so support can understand their purpose from the name.
Good role names communicate:
- the application or module,
- the responsibility,
- the client or business area if relevant,
- whether the role is administrative.