All Collections
Access Control
Roles and Permissions
Creating and managing custom roles in Genea
Creating and managing custom roles in Genea

Learn how to create and manage custom roles. Managing roles includes creating, modifying, cloning, and deleting roles.

Ankita Chakraborty avatar
Written by Ankita Chakraborty
Updated over a week ago

Bulk update of roles

Genea provides some predefined roles that give granular access to specific application resources and prevent unwanted access to other resources.

Genea doesn't directly grant users permission. Instead, it grants them roles, which bundle one or more permissions.

With custom roles, administrators can:

  1. Enforce the principle of least privilege, ensuring that the user in their organization has only the permissions essential to performing their intended functions.

  2. Bundle one or more supported permissions to meet their specific needs.

  3. Allow team members to control features in applications that are designated for their team only.

Understand Genea's role-based access control application

Genea supports two types of role definitions:

  1. Built-in roles: Built-in roles include, Admin, Security, Front Desk, User Manager, and Users. These roles are out-of-box roles that have a fixed set of permissions. Some of the built-in role definitions such as Admin and User cannot be modified. All other built-in roles can be managed from your Genea dashboard. To meet our customers' sophisticated requirements, Genea also supports custom roles. Granting permission using Genea custom roles is a two-step process that involves creating a custom role definition and then assigning it to users.

  2. Custom Roles: A custom role definition is a collection of permissions that you add from a resource group list. Once you’ve created your custom role definition, you can assign it to a user. A role assignment grants the user the permissions in a role definition at specified resources.

What is a resource group?

Custom roles are extremely precise in their scope and targeting. For example, a global administrator can define a custom role to allow the recipient of that role to have access to specific resources in the application and not others. This level of precision means administrators must specifically allow or deny actions for every resource they want the role recipient to be able to take. If they do not specify an action for a resource, that action is set to No access by default.


A resource group is a container that holds related resources in Genea. While creating custom roles, permission has to be provided to the resource groups, all resources listed under a specific group will get the same permission that is provided to the parent resource group. For example, Access Control Management is a resource group that contains access groups, schedules, holidays, and holiday group resources in it. When you assign permission to the Access Control Management resource group, all the resources that are part of this group will get the same permission.



Create a custom role in Genea

If you are a global admin, you can create custom roles from your Genea dashboard. To do so:

  1. Navigate to User Management > Custom Roles from Genea global view or from location view if you are on HID VertX platform.

  2. Click on +Add. Fill in the details and click Save.


    Name and description: Name of the custom role. Add an optional description.

    Rank in Hierarchy: The rank of the role in the hierarchy determines if the lower-ranked role would have permission to manage the higher-ranked roles. Genea provides a list of priorities as 0,1,2, and 3. The rank 0 is the highest and is assigned to Global Admins. 3 is the lowest. The following points will be applicable even if the lower-ranked roles have the relevant resource group permissions:

    • Lower-ranked roles cannot add or edit the higher-ranked roles.

    • Lower-ranked roles cannot edit the name and email ID of the higher-ranked roles.

    • Lower-ranked roles cannot delete the user profile of the higher-ranked roles.

    • Lower-ranked roles cannot delete the Cards/PIN of higher-ranked roles (optional). If you do not want the lower-ranked roles from deleting the credentials of higher-ranked roles. then this option can be enabled. By default, the option remains disabled.

    Default Access for New Resources: You can specify permission to be assigned to the specific role when Genea introduces any new feature or resources in the future. By default, this is set to "No Access".

    Access to Global Overview: This option can be found on the detailed page of the custom role you created. If you do not wish to provide global view access to the specific role, then this flag can be toggled off. Please note that the menu on the global view will be based on the permission given to the role.

Assign permissions to the custom role:

Now that you have created a custom role, go ahead and provide the permissions to the resources for the role.

  1. Click on Edit in the Resource Permissions section. Start providing the permissions you wish to assign to the specific role. For a detailed description of each permission, see here.


  2. Once, all changes are done, click Save.

Resource group permission levels

There are three standard permission levels that can be assigned to the resource groups:

  • No Access: The role will not have an access to the specific resource group and the group will not appear on the menu of the Genea dashboard.

  • Read Access: The role can read the resources of the group. You can choose to either turn off or on the Menu Management so the resource group appears on the menu of the Genea dashboard.

  • Full Access: The role has full access to the resource group and can create, edit and delete the resources of the group. The system automatically turns on the Menu Management for all full access resources/groups, so that they start appearing on your menu on the dashboard. However, if you have any specific use case where you would like to hide the full access resources from appearing on the menu of the role holder's dashboard, then that can be done.

What is menu management?

Menu management gives you the ability to hide the resources with either read access or full access from appearing on the Genea application. When turned off, the assigned permission to the resource will still be there to be used as dependent permissions wherever required, but the resource group will not appear on the menu.

Dependent resources and permissions:

Dependent resources are those to which the system requires access to provide selected permissions to your base resources. The system will automatically provide READ permission to dependent resources.

Let's take an example to understand dependent resources. So, you want to provide user management FULL permission to a role, which means the members of that role should be able to create, edit and delete the users in Genea.

Now let's take a look at what all information is required to be able to create a user in Genea.

From the above image, we can see, that we will need the list of "Custom Roles" and also need a list of "Access Groups" to be able to add a user. Custom roles are a part of a resource group called "User Management - Advance" and Access Groups are the part of the resource group "Access Control Management". And both these resource group permissions would be required to have FULL access to User Management. Hence, User Management - Advance and Access Control Management become the dependent resources of User Management.

Now, you can give manual permissions to required dependent resources. But Genea facilitates by automatically providing READ access to all required dependent resources as soon as you select the BASE resource permission.

Permissions for control center, emergency plans, and a few others:

There are a few resource groups that you will find on the custom roles permission matrix that allows permission on the individual resource of the group. These resource groups are:

Control Center Management

Emergency Plan Management (Mercury-based portals)

Safe Workplace Log Management

  • Reservations

  • Contact Tracing

Manage doors for quick grant and lock/unlock functions in the control center

After assigning either READ access or FULL access to quick grant or lock/ unlock resources under control center management, you can further go ahead and select the doors that you would like to permit with these permissions. To select a door,

  1. Navigate to Control Center Management from the resource permissions matrix.

  2. Click on Lock/Unlock link.



    3. You will see the list of all your locations. To select a door, click on the location name.


    4. Select/deselect the door. All selections are auto-saved.


Cloning a custom role:

Cloning a custom role allows you to copy all the permissions and settings to another custom role. To clone a role:

  1. Click on the Actions dropdown, you will see an option to Clone the custom role.

  2. Once you click on clone, you'll be prompted to name and add a description to the role. Click Clone.


A custom role can also be cloned from inside the role detailed page.

Editing a custom role:

For changing the role name, description or settings click on Edit under Actions.

To edit the permissions for the role, click on the name of the custom role.

Deleting a custom role:

To remove a custom role, click Delete from Actions. You cannot delete a role if it is assigned to any active users in Genea.

Now that you have created a role, go ahead and assign it to users at your location.

Bulk update of roles:

Global Admins can update roles in bulk. To do so:

  1. Navigate to user management from your admin dashboard.

  2. Click on More > Change Role

  3. Select the required fields and proceed to apply the role changes.


NOTE:

  1. Full access to Integrations will now be available to Global Admins only. However, you can provide Read only access to all location roles.

  2. The inbuilt ADMIN and USER roles are non editable as they are used in one or more users flows, however, you can clone the role and make changes as per your preference.

If you have any questions about this feature or have any other requests, please reach out to acsupport@getgenea.com.

Did this answer your question?