Appearance
Roles
The Roles page lets you define roles with specific sets of permissions. Roles are the primary mechanism for controlling what users can see and do in PinkApple ERP.
Navigation: Administration → Access → Roles
What Is a Role?
A role is a named collection of permissions assigned to users. Each permission grants access to a specific action on a specific page. For example:
- Branch Manager — Can view all client data, approve loans up to a threshold, run reports
- Teller — Can process deposits and withdrawals, view till balances
- Accountant — Can create journal entries, view chart of accounts, run financial reports
- Administrator — Full access to all administration and configuration pages
Role Scoping
Roles are scoped to a business unit type. This means:
- A role defined for the "Branch" business unit type is available to all users in any branch
- A role defined for the "Head Office" type is only available to head office users
- Permissions available within a role are filtered by the service profiles attached to the business unit type's service
TIP
This scoping ensures that branch-level users never see head-office-only features, and users in one service never see permissions from another service's profiles.
Role List
The roles table displays:
| Column | Description |
|---|---|
| Role Name | The display name of the role |
| Business Unit Type | The BU type this role is scoped to |
| Description | A description of the role's purpose |
| User Count | Number of users assigned to this role |
| Approval Status | Whether the role has been approved |
Creating a Role
- Click Create Role
- Fill in the form:
| Field | Description | Required |
|---|---|---|
| Role Name | A descriptive name (e.g., "Branch Manager") | Yes |
| Business Unit Type | The BU type this role applies to | Yes |
| Description | What this role is for | No |
- After creating the role, you'll be taken to the permission assignment view
Assigning Permissions
The permission assignment view shows all available permissions organised in a tree structure:
Profile: ACCOUNTING
├── Level 1: Accounting
│ ├── Level 2: Operations
│ │ ├── Level 3: GL Journals
│ │ │ ├── ☐ VIEW_GL_JOURNALS
│ │ │ ├── ☐ CREATE_GL_JOURNALS
│ │ │ ├── ☐ EDIT_GL_JOURNALS
│ │ │ ├── ☐ DELETE_GL_JOURNALS
│ │ │ └── ☐ APPROVE_GL_JOURNALS
│ │ └── Level 3: GL Reconciliation
│ │ ├── ☐ VIEW_GL_RECONCILIATION
│ │ └── ☐ CREATE_GL_RECONCILIATION- Check/uncheck individual permissions to grant or revoke specific actions
- Check a Level 3 header to select all permissions under it
- Check a Level 2 header to select all Level 3 permissions under it
- Check a Level 1 header to select everything in that module
INFO
Available permissions are automatically filtered by the service profiles attached to the role's business unit type. You will only see permissions relevant to your service.
Default Admin Role
When your company is provisioned, a default ADMIN role is created with all available permissions. This role is assigned to the initial administrator account.
WARNING
Be careful when modifying the ADMIN role. If you accidentally remove critical permissions, you may lock yourself out of certain configuration pages. It's recommended to create new roles rather than modifying the default ADMIN role.
Best Practices
- Principle of least privilege — Give users only the permissions they need
- Role per function — Create roles based on job functions (Teller, Loan Officer, Accountant) rather than individual users
- Test before deploying — Create a test user with the new role and verify they see the correct menus and can perform the expected actions
- Document your roles — Use the description field to clearly describe each role's purpose
Next Steps
- Approval Levels — Set up approval tiers
- Approval Configurations — Configure approval chains