Question

Jason Bostian

0

Security Roles and Permissions

How do I give someone limited Admin access in Rock? I would like to allow someone to manage the database of our members, but not allow them to see the financials. Is there a way to set this up? Can someone tell me step by step instructions on how to do this?

  • Daniel Hazelbaker

    0

    Hi Jason,

    This has been asked a few times in various places (not meaning you didn't look, just that it's a common question) and the easy answer is "you can't". The issue is, even as a limited admin they can grant themselves access to see the financials one way or another.

    If it is simply a matter of "I trust them to not go digging, but want to take it off the UI so they don't accidentally come across it" then you can do that. Just know it's not really secure and they can get to it if they want.

    The method to do this is basically to change security on the financial pages. Since security works in a "first match wins" manner, you can deny a specific security role access which only they are a part of (use a role, not the person, even if it is just one person). So you would end up with the following security, as an example:

    1. RSR Administration = Allow (always always always grant full administration access at the top before tweaking security on things)
    2. No Financial Access = Deny (so anybody who is NOT in the full RSR Administration but IS in the No Financial Access role will be denied)
    3. default roles come below

    So you grant full admins explicit access, then you take away access to anybody in that "No Financial Access" role, and then the out of the box roles take effect, which probably includes the "RSR Limited Administration" - but since they have already been denied it will stop before hitting this role.

    The downside is that, as a limited administrator, they can add themselves to the full RSR Administration role or simply remove themselves from the No Financial Access role. There are various ways for them to do this.
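
The rule ordering from the answer above, modelled as an added example (not part of the original post and not Rock's own code): a first-match-wins evaluator plus a check that lists which single role-membership edits would turn the Deny into an Allow. The function names, the default deny when no rule matches, and collapsing the "default roles" into one Allow rule are assumptions made for illustration.

```python
# Simplified model of first-match-wins authorization; not Rock's implementation.
ALLOW, DENY = "Allow", "Deny"

# Ordered rule list for the financial pages, as laid out in the answer.
# Assumption: the "default roles" are represented by a single Allow rule
# for RSR Limited Administration.
FINANCE_RULES = [
    ("RSR Administration", ALLOW),
    ("No Financial Access", DENY),
    ("RSR Limited Administration", ALLOW),
]


def evaluate(rules, user_roles, default=DENY):
    """Return (decision, matching_role); the first rule whose role the user holds wins."""
    for role, decision in rules:
        if role in user_roles:
            return decision, role
    return default, None  # assumption: no matching rule means no access


def membership_changes_that_grant(rules, user_roles):
    """List single role-membership edits that would turn a Deny into an Allow.

    Anyone able to edit role membership can make these edits for themselves,
    which is why the Deny rule hides the pages rather than securing them.
    """
    if evaluate(rules, user_roles)[0] == ALLOW:
        return []
    edits = []
    for role in sorted({r for r, _ in rules}):
        if role in user_roles:
            changed, edit = user_roles - {role}, f"remove from {role}"
        else:
            changed, edit = user_roles | {role}, f"add to {role}"
        if evaluate(rules, changed)[0] == ALLOW:
            edits.append(edit)
    return edits


if __name__ == "__main__":
    # Constructed sample user: a limited admin placed in the deny role.
    limited = {"RSR Limited Administration", "No Financial Access"}
    print(evaluate(FINANCE_RULES, limited))
    print(evaluate(FINANCE_RULES, limited | {"RSR Administration"}))
    print(membership_changes_that_grant(FINANCE_RULES, limited))
```

Running the same check against an audit export of who can edit each role's membership shows which accounts the Deny rule actually constrains.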