Manage Access to Security & Permissions

By default, users with Edit User, Create/Edit/Delete Report Roles, or Create/Edit/Delete User Roles & Permissions access are limited to editing within their own access level. This includes permissions, locations, and report access, collectively referred to as rights. Users can only add or remove permissions, roles, and locations that they personally have access to.

To edit another user, the editing user must share at least one location in common with the user being modified. Users with Edit User permissions can manage user records for users with equal or lesser access. These restrictions help organizations maintain control over user permissions while enabling designated team members to manage personnel without full system access.

These limitations apply to users with the following permissions:

  • Administration → Users → Edit Users

  • Administration → Users → Create & Impersonate Users

    • The Create & Impersonate Users permission is dependent on the Edit Users permission.

  • Administration → Users → Report Roles → Create/Edit/Delete Report Roles

  • Administration → Users → User Roles → Create/Edit/Delete User Roles & Permissions

To edit users beyond their rights (permissions, location access, report roles), users must have the ‘Can grant access beyond personal level’ setting enabled on their User record.


User Record

Users can only assign or remove permissions, report roles, and locations that are within their own access. Editing a user requires at least one shared location between the editing user and the user being modified.

Users with Edit User permissions that do not have the setting ‘Can grant access beyond personal level’ selected will have the following access in the user record:

View Access

  • Users can view all tabs on the user record including general, permissions, reporting, and locations.

  • Permissions, user roles, report roles, and locations that are not available to the editing user are read-only and are often displayed with a locked icon.

  • If the editing user cannot make changes to the user record because they do not have a location in common, all fields are read-only and the save dropdown is removed.

User Edit Restrictions

  • If the editing user does not share any locations with the user being viewed, each tab of the user record will display the warning:

    • ‘Cannot edit users if there are no locations in common.’

  • On all tabs except the Location tab, the message will include a ‘View assigned locations’ link:  

    • ‘Cannot edit users if there are no locations in common. View assigned locations.’

    • Clicking this link opens the Location tab, where the assigned locations can be viewed.

  • Locked Locations in the location tab:

    • In the locations tab, locations that cannot be removed or added are indicated with a locked icon.

Edit Access

  • General tab

    • Users can edit fields on the General tab.

    • The default location cannot be changed if the editing user does not have access to the assigned default location.

  • Permissions tab

    • Users can add or remove permissions that the editing user has.

    • Users can add or remove user roles in which all permissions are included in the editing user’s access.

    • If a permission has a dependency that the editing user does not have, the permission cannot be edited.

    • Permissions and user roles that cannot be added or removed are read-only.

      • User roles that cannot be assigned are indicated with a lock icon in the user role row.

    • When assigning permissions by copying permissions from another user, all users will be viewable, but user roles with greater access than the editing user are designated with a locked icon and cannot be added.

  • Reporting tab

    • Users can add or remove report roles in which all reports are included in the editing user’s access.

    • Users cannot add or remove report roles that contain more report access than the editing user has.

    • Report roles that cannot be added/removed are read-only and are indicated with a locked icon in the report role row.

  • Locations tab

    • Users can view all locations assigned to the user being edited.

    • Users can only add or remove locations they have access to.

    • When selecting ‘all locations’, only locations the editing user has access to will be added/removed.

    • When adding/removing location access by legal entity, all legal entities can be viewed, but only legal entities for which the editing user has access to all locations can be added/removed.

    • When adding/removing location access by location reporting category, if the editing user does not have access to all locations in the category, the category is read-only and cannot be added or removed.


Users Page

Users can only assign or remove permissions, report roles, and locations that are within their own access. Editing a user requires at least one shared location between the editing user and the user being modified.

Users who have Edit User permissions but do not have the ‘Can grant access beyond personal level’ setting have the following access to the users page:

View Access

  • Users can view all users on the user page, including users they cannot edit.

  • Users can view all columns and fields.

    • Locations, users, and Report Roles that cannot be edited are indicated with a locked icon.

Edit Access

  • Default location

    • Users can edit if the editing user has access to the currently assigned default location.

  • User locations

    • Users can add or remove locations if the editing user has access to them.

      • Locations that cannot be added or removed are indicated with a locked icon.

  • User roles

    • Users can add or remove user roles if the editing user has access to all permissions within the role.

      • User roles that cannot be added or removed are indicated with a locked icon.

  • Report roles

    • Users can add or remove report roles if the editing user has access to all reports within the role.

      • Report roles that cannot be added or removed are indicated with a locked icon.


Setup Assistant

Users can only assign or remove permissions, report roles, and locations that are within their own access. Editing a user requires at least one shared location between the editing user and the user being modified.

Users with Edit User permissions who do not have the ‘Can grant access beyond personal level’ setting enabled have the following access in the Setup Assistant:

View Access

  • Can view all users in the ‘users’ step - including users they do not have the ability to edit.

Access Restrictions

  • To view the ‘user Location Access’ step, the editing user must have access to all locations.

  • To view the ‘user Security Roles’ step, the editing user must have full access.

    • Users with access to user Security roles can only edit users that share at least one location.

Edit Access

  • Edit Users

    • Users can edit user information for users that share at least one location.

  • Import

    • Users can export the user template and import for users they can edit.


Import Tool

Users can only assign or remove permissions, report roles, and locations via import that are within their own access. Editing a user requires at least one shared location between the editing user and the user being modified.

Users who have Edit User permissions but do not have the ‘Can grant access beyond personal level’ setting have the following access in the Import Tool:

Creating New Users

When importing a new user record:

  • Default location - can only be set to a location that the importing user has access to.

    • If a location is valid but not within the importing user’s access, the import will succeed, but the default location will not be imported.

  • All Location access - can only be set to ‘yes’ if the importing user has access to all locations.

    • If set to ‘yes’ but the importing user does not have all location access, the import will succeed, but the ‘All Locations’ access will be set to ‘no’.

Updating Existing Users

When updating existing users:

  • Location access requirement - users cannot edit another user’s record unless they share at least one location in common.

    • If the user being edited has one or more locations, but none in common with the editing user, the import row fails with the validation error:

      • ‘Must have a location in common to edit user.’

  • Default Location and All Location access - When updating users:

    • The default location can only be changed if the importing user has access to the location.

    • The ‘All Locations’ access setting can only be updated if the importing user has access to all locations.

Importing User Locations, External Locations, Legal Entities, and Location Reporting Categories

  • Users can only import locations, legal entities, or location reporting categories for users that share at least one location in common.

    • If the user being edited does not have a location in common, the import row fails with the validation error:

      • ‘Must have a location in common to edit user.’

  • Users can only assign locations, legal entities, or location reporting categories if they have access to all locations being modified by the import.

    • If an imported value is outside of the importing user’s access, the import row fails with the validation error:

      • ‘Cannot grant access beyond your own.’

Importing User Roles

  • Users can only import user roles for users that share at least one location in common.

    • If the user being edited does not share a location with the importing user, the import row fails with the validation error:

      • ‘Must have a location in common to edit user.’

  • The importing user can only grant user roles that they have all permissions for.

    • If a role includes permissions outside the importing user’s access, the import row fails with the validation error:

      • ‘Cannot grant access beyond your own.’
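
The import rules above reduce to two checks per row: a shared-location test and a subset test, both lifted by the ‘Can grant access beyond personal level’ setting. The following is an added model of that logic, not the product's own code; the `User` class, function names, and the sample permission and location names are hypothetical, and treating a target with no assigned locations as editable follows the ‘Updating Existing Users’ wording.

```python
# Added illustration of the Import Tool rules; all names are hypothetical.
from dataclasses import dataclass, field

ERR_NO_COMMON = "Must have a location in common to edit user."
ERR_BEYOND = "Cannot grant access beyond your own."

@dataclass
class User:
    name: str
    permissions: set = field(default_factory=set)
    locations: set = field(default_factory=set)
    grant_beyond_personal_level: bool = False  # the override setting

def validate_row(editor, target, role_permissions=(), locations=()):
    """Return None if the import row is allowed, else the validation error."""
    if editor.grant_beyond_personal_level:
        return None  # override lifts both checks
    # Shared-location rule: fails only when the target has one or more
    # locations and none of them overlap with the editor's.
    if target.locations and not (target.locations & editor.locations):
        return ERR_NO_COMMON
    # Subset rule: every permission in the role and every location in the
    # row must already be within the editor's own access.
    if not (set(role_permissions) <= editor.permissions
            and set(locations) <= editor.locations):
        return ERR_BEYOND
    return None

def run_import(editor, rows):
    """Validate each row on its own; one failing row does not block others."""
    return [validate_row(editor, *row) for row in rows]

# Constructed sample data (permission and location names are made up).
manager = User("manager", {"Edit Users", "View Sales"}, {"Store 1", "Store 2"})
clerk = User("clerk", {"View Sales"}, {"Store 2"})
remote = User("remote", {"View Sales"}, {"Store 9"})
new_hire = User("new_hire")  # no locations assigned yet

SAMPLE_ROWS = [
    (clerk, {"View Sales"}, {"Store 1"}),     # within the editor's access
    (clerk, {"View Sales", "Edit GL"}, ()),   # role exceeds editor's permissions
    (clerk, (), {"Store 3"}),                 # location outside editor's access
    (remote, {"View Sales"}, ()),             # no location in common
    (new_hire, {"View Sales"}, {"Store 2"}),  # target has no locations
]

if __name__ == "__main__":
    print(run_import(manager, SAMPLE_ROWS))
```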


Security & Permissions

Users can only assign, remove, or edit user roles and report roles in security and permissions that are within their own access. Editing a user requires at least one shared location between the editing user and the user being modified.

Users who have the Create/Edit/Delete User Roles & Permissions permission but do not have the ‘Can grant access beyond personal level’ setting have the following access in Security & Permissions:

View Access

  • Users can view any user role - including user roles they cannot edit.

  • Users can view any report role - including report roles they cannot edit.

User Roles Tab

  • If the editing user has access to all permissions in the user role being edited, all parts of the user role are editable. The user can rename, edit permissions, or delete the user role.

  • If the editing user does not have access to all the permissions in the user role being edited:

    • The user can rename or delete the user role.

    • The user cannot duplicate or share the user role.

  • Permissions Subtab

    • The editing user can add or remove permissions from the user role, but only for permissions they have access to. Permissions outside of their access cannot be modified.

      • Permissions that are dependent on parent permissions the editing user does not have cannot be edited.

  • Users Subtab

    • If the editing user does not have access to all permissions in the user role being edited, they cannot assign or unassign the user role.

  • Settings Subtab

    • The editing user can edit any settings on the settings tab.

Report Roles Tab

  • If the editing user has access to all reports in the report role being edited, all parts of the report role are editable. The user can rename, edit reports, or delete the report role.

  • If the editing user does not have access to all the reports in the report role being edited:

    • The user can rename or delete the report role.

    • The user cannot duplicate or share the report role.

  • Permissions Subtab

    • The editing user can add or remove reports from the report role, but only for reports they have access to. Reports outside of their access cannot be modified.

  • Users Subtab

    • If the editing user does not have access to all reports in the report role being edited, they cannot assign or unassign report roles.

  • Settings Subtab

    • The editing user can edit the P&L Cutoff at or below their level of P&L access.

      • If the editing user has ‘Prime Cost’ or ‘Controllable’ P&L access, all other options are read-only.

Audit Access Tab

Only users with the View user Roles & Permissions permission are able to access the ‘Audit Access’ tab.

  • Permission Access Report

    • Users with access to the ‘Audit Access’ tab can view and run this report without restriction.

    • All users and user roles are displayed in the results; the results are not filtered based on the editing user’s permissions or access.

  • User Access Report

    • Users with access to the ‘Audit Access’ tab can view and run this report without restriction. Permission access of the user running the report does not limit the results of the report.

  • User Permissions Report

    • Users with access to the ‘Audit Access’ tab can view and run this report without restriction. Permission access of the user running the report does not limit the results of the report.


Mass Role Update

User Roles

  • View Access:

    • Users can view all user roles without restrictions.

      • All user roles are available in the ‘Select Role’ dropdown. User roles in gray can be viewed, but not edited.

  • Edit Access:

    • Users can assign or remove user roles for other users if they have access to all permissions included in the role being edited.

User Locations

  • View Access:

    • Users can view their assigned locations without restriction.

    • Users in gray in the ‘Users without User Location’ column cannot be edited.

  • Edit Access

    • Users can assign or remove locations they have access to when one of the following conditions is met:

      • The editing user shares a location in common with the user being edited.

      • The user being edited is not assigned any locations.

Report Roles

  • View Access

    • Users can view all report roles without restriction.

      • All report roles are available in the ‘Select Role’ dropdown. Report roles in gray can be viewed, but not edited.

  • Edit Access

    • Users can assign or remove report roles for other users if they have access to all reports included in the role being edited.


Grant Access Override

For users that require the ability to grant access without restriction, an option to ‘Grant access beyond personal level’ is available on the user record. When enabled, the requirement to share a common location and the limitation of adding/removing access based on the editing user’s permissions are lifted. Users with ‘Grant access beyond personal level’ or ‘Grant access override’ can edit users without restriction. This user can:

  • Add any permissions or user roles to any user - even if they do not have the permission themselves.

  • Add or remove any location access - no matter the location access they are granted.

  • Add or remove any report roles - without regard to their own report access.

Prerequisites for Grant Access Override

To have the ‘Grant access beyond personal level’ setting enabled, the user must have one of the following permissions:

  • Administration → Users → Edit Users

  • Administration → Users → Create & Impersonate Users

  • Administration → Users → Report Roles → Create/Edit/Delete Report Roles

  • Administration → Users → User Roles → Create/Edit/Delete User Roles & Permissions

If the user being edited does not have any of the permissions listed above, the check box for this setting is unchecked and read-only.

View and Edit Grant Access Override

  • Only users with: full permission access, access to all locations, and access to all reports can view/edit this setting for other users.

    • These users have an additional column on the users page, ‘Grant Access Override’ that displays a read-only toggle of users with the ‘Grant access beyond personal level’ setting enabled.

  • Users with the ‘Grant access beyond personal level’ setting enabled on their record, but without full access, all locations, and all reports, cannot view or edit this setting for other users.

Default Settings

The ‘Grant access beyond personal level’ or ‘Grant Access Override’ setting is not enabled by default unless a user has the following permissions:

  • Full permission access

  • Access to all locations

  • Access to all reports

If a user’s access changes and no longer meets all required conditions (listed above), the setting is disabled but remains editable.