Roles

Learn about roles and how to assign and revoke roles to users.

Manage Roles

User roles define the information that a specific user assigned to the role can view and what they can do in Sugar Integrate. Each role includes a list of privileges that you can add or remove depending on how you want to manage roles in your organization.

Sugar Integrate supports the following roles:

  • Organization Administrator — Manage all aspects of security; create adapters, procedure templates, and common resources for the organization; and can access all logs in Activity.
  • Account Administrator — Performs the same function of the Organization Administrator, but only on the account where they are the administrator. Account Administrator cannot create or manage accounts or set security rules.
  • Default User — A non-administrator role for users in non-default accounts.
    Note: 
  • You cannot manually set default-user roles for the users in your account. This is intentional behavior, as the default-user role is system-assigned.
  • Organization User — non-administrator users in the default company account. Users with the Organization User have no different privileges than other default users.

Update Permissions Assigned to Roles

You can customize the permissions assigned to the Sugar Integrate roles. You can grant access to new permissions or remove access from existing permissions.

To update permissions assigned to roles:

  1. Access the Security page.

    Note: If you don't see Security, your assigned role does not have access to it. 

  2. Click the Roles tab.
  3. Click the check boxes to assign or remove permissions.
  4. Click Update Roles.

Update User Roles 

You can assign a user as an organization or account administrator or remove roles. If you want to assign a user as an organization administrator, they must be in the Company Default Account.

Using our APIs?

Change a users role with PATCH /users/{id} .

Remove a role with DELETE /users/{userId}/roles/{roleKey}.

Assign a role with PUT /users/{userId}/roles/{roleKey}.

To update a user's role or information:

  1. Access the Accounts Edit page.
  2. Click Edit Button.
  3. Update the user role or information. To reassign the user to be an organization or account administrator, select Org Admin or Account Admin
  4. Click Save.

Role-Based Access Control to Adapter Instances

The Sugar Integrate platform allows users to view, use, modify, and delete adapter instances from the same account, provided the user has a role with one or more of these privileges active:

PermissionDescription
viewAccountElementInstancesAbility to view instances from users of the same account
useAccountElementInstancesAbility to use instances from users of the same account
editAccountElementInstancesAbility to modify instances from users of the same account
deleteAccountElementInstancesAbility to delete instances from users of the same account


Changing User Permissions

While these adapter-related privileges are granted to account administrators by default, but they and other permissions can be disabled. In order to enable or disable changes to user permissions, users must have the necessary permissions to do so. To enable or disable adapter-related or other permissions, follow these steps:

  1. After logging in to Sugar Integrate, navigate to the Security page.

  2. From the Security page, click the Roles tab.

  3. On the Roles tab, toggle permissions on and off using the checkboxes in the Enabled column, and then click Update Roles.
    Update Roles button

Role-Based Adapter Listing

The Role Based Adapter Listing feature provides the ability for users to control listing adapters at organizational level; that is, the ability to control what adapters at organization level can be viewed by all the accounts and users under an organization.

To list adapters of your preference, you need to enable the Manage Adapter Org Lists privilege. You require this privilege to add, update and delete adapters for listing adapters as per your requirements. 

  • On Sugar Integrate UI, click the Security option on the navigational panel to your left.
  • Switch to the Roles tab on the console that opens.
  • Ensure that the Manage Adapter Org Lists privilege is enabled.

This privilege is enabled for Organization Administrators by default. Organization administrators can use the listing APIs without having to explicitly enable this privilege as mentioned above. 

This feature makes use of the following APIs:

  1. Get Adapter Safelists - GET/url/organisations/{organisationId}/adapters-safelist - Gets the list of safelisted adapters for the provided organization id.
  2. Update Adapter Safelists - PUT/url/organisations/{organisationId}/adapters-safelist - Adds adapters to be safelisted for the provided organization id.
  3. Patch Adapter Safelists - PATCH/url/organisations/{organisationId}/adapters-safelist - Adds adapters to adapters saflisted in an organization.
  4. Delete Adapter Safelists - DELETE/url/organisations/{organisationId}/adapters-safelist - Deletes adapters from the list of safelisted adapters in an organization.
  5. Delete Adapter Safelists by Adapter Id - DELETE/url/organisations/{organisationId}/adapters-safelist/{ adapter Id} - Deletes the adapter corresponding to the adapter Id, from the list of safelisted adapters in an organization.

Points to note:

  • Sugar Integrate also has a feature to add {{snippet.termElementlcPlural} to a Denylist at the super-organization level. This feature is implemented only for white-label partners, using which they can make sure an adapter is not visible to any of the organizations under the super-organization.
  • If a white-label super-organization which contains multiple organizations has added an adapter to it denylist at the super-organization level, that adapter cannot be safelisted for any of its organizations. Both the safelist and denylist are mutually exclusive to each other for a given organization. An error message appears when you try adding an adapter to a denylist when it is already added to a safelist and vice versa.
  • When adapters are added to safelist by an organization, all the accounts and users under the organization will only be able to see the safelisted adapters. Any user who has private adapters in an organization, will not see them.
  • This privilege is enabled by default for an organization administrator and can be enabled for other roles by enabling the configure_roles privilege. Hence this feature is not tied to any particular role and is at the discretion of the organization administrator.
  • To remove adapters from the safelist of an organization, you will need to use the DELETE API and delete the adapters from the safelist. The privilege does not directly impact the behaviour of this functionality, so enabling or disabling the privilege would not change what is on the list.