
Best Practices for Setting Up User Access

Use these recommendations to assign permissions consistently and manage user access more effectively.

Overview

A clear permission strategy helps keep user access accurate, consistent, and easier to maintain over time.

This article outlines recommended practices for setting up user access in Aclarian and avoiding common permission management issues.

Use Custom Roles as the primary structure

Custom Roles are the most effective way to manage permissions across multiple users.

Using roles helps you:

    • assign permissions consistently
    • update access in bulk
    • reduce manual maintenance
    • support long-term permission management

When a role is updated, all users assigned to that role inherit those changes.

Best practice: Build your permission model around roles first, then use user-level changes only when necessary.

Build and reuse roles

When creating roles, start with one role and reuse it as a template for similar access needs.

Recommended steps

    1. Create a base role
    2. Use Clone Role to create a similar version
    3. Adjust only the permissions that need to be different
    4. Assign the updated role to the appropriate users

This approach helps:

    • reduce setup time
    • improve consistency
    • avoid rebuilding roles from scratch

Use existing users as templates when needed

For faster onboarding, you can use Copy Roles from User within a user profile.

This is helpful when:

    • adding several users with similar responsibilities
    • using an existing user as a baseline

However, it is important to understand how this option works.

Important note:

Copy Roles from User is a one-time copy. It does not create an ongoing link between user profiles.

This means:

    • future changes to one user do not update the other
    • copied settings can drift over time
    • long-term consistency is better maintained through Custom Roles

Best practice: If a matching role already exists, assign the new user to that role instead of relying only on copied permissions.

Apply user-level adjustments sparingly

Sometimes one user needs access that is slightly different from everyone else in the same role.

In that case, you can update permissions directly on the user profile.

Use this option when:

    • a temporary exception is needed
    • a small variation is required for one person
    • a new role has not yet been created

Be careful when lowering access

Reducing a user’s permission below what their role provides is generally not recommended.

If the role is updated later, the user may regain the higher level of access from that role.

Better long-term option

If a user needs permanently different access, create a separate role for that permission set.

Common setup mistakes to avoid

Relying too heavily on user-level edits

    • This can make permissions harder to track and maintain over time.

Creating too many one-off exceptions

    • A growing number of individual exceptions can make it difficult to understand why users have certain access.

Using copied users instead of roles for long-term setup

    • Copying from an existing user may be useful for speed, but it is not a replacement for role-based access.


Assigning high-impact permissions too broadly

    • Permissions such as Edit Form, Skip Approver, and Data Management - Edit should be assigned carefully because they affect workflow control, approval integrity, and audit visibility.
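As an added example (not Aclarian's own code, API, or export format), the script below audits a constructed role and user listing for three of the mistakes above: user-level grants that no role explains, user-level reductions below what the role provides, and high-impact permissions held by many users. The data layout, the user and role names, the non-high-impact permission names, and the holder threshold are all assumptions.

```python
# Hypothetical data layout for illustration; not an Aclarian export format.
HIGH_IMPACT = {"Edit Form", "Skip Approver", "Data Management - Edit"}

ROLES = {  # constructed sample: role name -> permissions it grants
    "Approver": {"View Form", "Approve Form"},
    "Form Admin": {"View Form", "Edit Form", "Skip Approver"},
    "Data Steward": {"View Form", "Data Management - Edit"},
}

USERS = {  # constructed sample: user -> roles plus user-level changes
    "alice": {"roles": ["Form Admin"], "added": set(), "removed": set()},
    "bob": {"roles": ["Approver"], "added": {"Skip Approver"}, "removed": set()},
    "carol": {"roles": ["Form Admin"], "added": set(), "removed": {"Edit Form"}},
    "dave": {"roles": ["Approver", "Data Steward"], "added": set(), "removed": set()},
}


def role_permissions(user):
    """Union of permissions granted by the user's roles."""
    perms = set()
    for role in user["roles"]:
        perms |= ROLES[role]
    return perms


def audit(users, max_high_impact_holders=2):
    """Return findings keyed by the setup mistake they correspond to."""
    findings = {"user_level_grants": {}, "lowered_below_role": {}, "broad_high_impact": {}}
    holders = {p: [] for p in HIGH_IMPACT}
    for name, user in sorted(users.items()):
        from_roles = role_permissions(user)
        extra = user["added"] - from_roles      # access that no role explains
        lowered = user["removed"] & from_roles  # may return if the role is updated
        if extra:
            findings["user_level_grants"][name] = sorted(extra)
        if lowered:
            findings["lowered_below_role"][name] = sorted(lowered)
        effective = (from_roles | user["added"]) - user["removed"]
        for perm in effective & HIGH_IMPACT:
            holders[perm].append(name)
    for perm, names in holders.items():
        if len(names) > max_high_impact_holders:  # assumed review threshold
            findings["broad_high_impact"][perm] = names
    return findings


if __name__ == "__main__":
    for category, items in audit(USERS).items():
        print(category, items)
```

Each `user_level_grants` or `lowered_below_role` finding is a candidate for a cloned role with the adjusted permission set, so the exception is visible in the role model.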


Frequently asked questions

What is the best way to manage permissions at scale?

    • Use Custom Roles as the primary structure for managing permissions.

When should Clone Role be used?

    • Use Clone Role when you need to create a variation of an existing role without starting from scratch.

When should Copy Roles from User be used?

    • Use it as a short-term setup shortcut when onboarding similar users, but rely on roles for long-term maintenance.


When should a user profile be edited directly?

    • Edit the user profile directly only when a true exception is needed.


What should I do if a user needs lower access than their current role provides?

    • Create a separate role with the correct lower access level rather than relying on repeated manual overrides.