# Assigning Privileges to a Role ## Overview After creating a role, you must assign privileges to it before it grants any access. Privileges are displayed as a checkbox tree grouped into functional categories. This page explains how to load, set, and save privileges for a role. ## When to Use - Configuring a newly created role with the correct set of permissions - Expanding a role's access when a job function changes - Removing a privilege from a role to tighten security ## Navigating to Role Privilege Management 1. Click **Administration** → **Manage Users** 2. Select the role management area 3. Select the role from the list 4. Click **Manage Privileges** in the right action panel 5. The **Manage User Role Privileges** screen opens, showing the role name at the top > **Required privilege:** AdminManagingUsers ## Loading the Privilege Tree When the page first opens, the tree is not yet loaded. You will see a warning message: > "Please click the 'List Privileges' button to display the available privileges for selected Role." Click **List User Role Privileges** (green button) to load the tree. ## Using the Privilege Tree The tree displays all available privileges grouped into categories. Each node has a checkbox: - **Tick a category node** — selects all privileges within that category at once - **Tick an individual privilege** — grants just that one privilege - **Untick** — removes the privilege - **Half-filled checkbox** on a parent — some but not all children are selected ## Saving Changes After making your selections, click **Update Manage User Role Privileges** (yellow/warning button, top right of the panel) to save. > **Important:** Changes do not take effect until you click **Update**. If you navigate away without saving, changes are lost. ## How Privileges Propagate to Users Any user assigned this role automatically inherits all the role's privileges. Users do not need to be individually updated — the role change applies immediately to all users holding the role, on their next page load. ## Individual User Privileges vs Role Privileges If a specific user needs different access than their role provides: - Additional privileges can be added to the individual user via **Manage Privileges** on their user record - Privilege checks at the page level combine role privileges + individual user privileges - Individual privilege overrides are per-department; role privileges apply everywhere See [Creating and Managing Users](Admin-Creating-and-Managing-Users) → Manage Privileges. ## Technical Notes (Admin/Developer) The privilege tree is built by `UserPrivilageController.fillUserRolePrivileges()`. The root node is stored in `userPrivilageController.rootTreeNode`; selected nodes in `userPrivilageController.selectedNodes`. Saving calls `userPrivilageController.saveUserRolePrivileges()`, which persists `WebUserRolePrivilege` records for each selected node. The `propagateSelectionDown=true` and `propagateSelectionUp=true` attributes on the `p:tree` ensure parent/child checkbox propagation. ## Related Features - [Understanding Roles and Privileges](Admin-Roles-and-Privileges-Overview) - [Creating and Managing User Roles](Admin-Creating-and-Managing-Roles) - [Assigning Users to a Role](Admin-Assigning-Users-to-a-Role)