📍 Where can I find this module?
Settings > User Management > Access Rights
Introduction #
Kafinea’s access rights system allows for precise control over what each user can view and do within the application. It is based on four complementary levels:
| Level | Role | Setup Screen |
|---|---|---|
| Roles | Define the organizational hierarchy | Settings > User Management > Roles |
| Profiles | Set permissions on a per-module basis | Settings > User Management > Profiles |
| Sharing Rules | Set data visibility between users | Settings > User Management > Sharing Rules |
| Groups | Group users for data sharing | Settings > User Management > Groups |
Good to know: A standard administrator user has full access to all modules and data, regardless of the roles, profiles, and sharing rules that have been configured. There are two types of administrators in Kafinea:
- Standard administrator: Full access to data and all system settings.
- Limited Administrator: Data access rights identical to those of a standard user (as defined by their profile and role), but with access to system configuration—with the exception of permission management (users, profiles, roles, groups, sharing rules).
Role, profile, and sharing rule restrictions therefore apply only to non-administrator users (and, for data access, to limited administrators).
1. Administrators #
By default, permission restrictions do not apply to administrators. Kafinea offers two types of administrative accounts:
The Standard Administrator #
The standard administrator has full access to the entire application.
- Data access: Can view, edit, and delete any record in any module, regardless of the hierarchy or sharing rules.
- Configuration: Full access to all configuration screens (users, profiles, roles, module manager, system settings, etc.).
- Security: This is the only account type that can enable or disable other administrator accounts.
The Limited Administrator #
A limited administrator is a hybrid role designed to delegate the management of settings without the risk of privilege escalation.
- Data access: same as for a regular user—their permissions are determined by their profile and role. They can only view what their profile allows them to see.
- Access to settings: Can access most configuration screens (workflows, SMTP, features, logs, etc.).
- Restrictions: Cannot access permission management—the Users, Profiles, Roles, Groups, and Sharing Rules screens are hidden from them. This prevents privilege escalation (they cannot grant themselves additional permissions).
- Recommended use: an IT administrator who manages workflows or SMTP but does not need access to invoicing or accounting.
Practical example: An IT manager with the "Internal Support" profile (limited access to HR and accounting modules) can be assigned limited admin privileges to manage workflows and SMTP, without ever being able to view records or modify other users' permissions.
How do I enable a limited administrator?: In record , check the "Limited Admin" box. This option is available only to standard administrators.
2. Roles #
Principle #
A role defines a user's position within the organizational hierarchy. Roles are organized in a tree structure (organizational chart). This hierarchy determines which data a user can view:
- A parent role can view the data of its child roles (subordinates)
- A child role can only see its own data (unless sharing rules allow it)
Configuration #
To manage roles: Settings > User Management > Roles.
- The screen displays the complete role hierarchy
- Click on a role to edit it, or use the "Add Role" button to create a new one
- Each role must be associated with a parent role (except for the root role)
- Associate one or more profiles with the role—the profile determines the specific permissions
Important: Each user is assigned a single role. This role determines both their position in the organizational hierarchy and their permissions (through the profiles associated with the role).
Hierarchy in Practice #
Example: A company with the following structure:
Chief Executive Officer
├── Sales Director
│   ├── France Sales Manager
│   │   └── France Sales Representative
│   └── Export Sales Manager
│       └── Export Sales Representative
└── Chief Financial Officer
    ├── Accountant
    └── Management Controller
In this configuration:
- The CEO can view data for all roles
- The Sales Director can view the data for his or her subordinates (Managers and Sales Representatives) but not that of the Chief Financial Officer
- A sales representative in France can only view their own data
3. Profiles #
Principle #
A profile defines detailed permissions on a module-by-module basis. It is the core of the access rights system. A profile determines:
- Module access: Is the module visible and accessible to this user profile?
- Permitted actions: create, view, edit, delete
- Field access: For each module, which fields are visible and/or editable
- Global permissions: "View All" and "Edit All" (optional)
- Tool permissions: import, export, merge duplicates, etc.
Configuration #
To manage profiles: Settings > User Management > Profiles.
- Click on an existing profile to edit it, or click Add Profile to create a new one
- On the edit screen, you'll see a list of all the modules and their options
Global permissions #
Note: These options are not typically visible in the default Kafinea interface to prevent major configuration errors. They are only displayed if they are already enabled for an existing profile.
At the top of the profile editing screen, two global options may be available:
| Global permission | Effect |
|---|---|
| View All | Users can view all records in all modules, regardless of the owner. Sharing rules and the role hierarchy no longer apply to viewing. |
| Edit All | The user can edit all records in all modules, regardless of who owns them. |
Warning: “View All” and “Edit All” are very powerful permissions. They override sharing rules and the role hierarchy. Reserve them for users who truly need them (e.g., management, administrative support).
Permissions by module #
For each module, you can configure:
Module access (checkbox):
- Checked: The module is available for this profile
- Unchecked: The module is completely hidden and inaccessible
Available actions (when the module is accessible):
| Action | Description |
|---|---|
| Create | Users can create new records in this module |
| View Details | Users can view the details of records |
| Edit | The user can edit existing records |
| Delete | The user can delete records |
Good to know: If a module is unchecked (access revoked), all actions are automatically blocked, even if they were previously checked individually. Checking the module again restores the action permissions as they were originally configured.
Field-level permissions #
For each accessible module, you can set the visibility of each field:
| Level | Description |
|---|---|
| Visible and editable | The field is displayed and can be edited by the user |
| Read-only | The field is displayed but cannot be edited |
| Hidden | This field is not displayed for this profile |
Good to know: Some system fields (such as the record name) cannot be hidden.
Permissions for utility tools #
Each profile can also configure access to cross-functional tools:
| Tool | Description |
|---|---|
| Import | Import data from a CSV file |
| Export | Export data from a module |
| Merge duplicates | Merge duplicate records |
Combination of multiple profiles #
A role can be associated with multiple profiles. In this case, permissions are combined according to the "most permissive" principle:
- If Profile A allows creation in the Invoices module and Profile B prohibits it, the user can create (the more permissive permission takes precedence)
- If Profile A grants access to the Contacts module and Profile B grants access to the Invoices module, the user has access to both modules
Tip: To simplify management, create themed profiles (e.g., "Sales Access," "Accounting Access") that you can combine based on the needs of each role, rather than creating a single, all-encompassing profile for each role.
4. Sharing Rules #
Principle #
Sharing rules define the default visibility of data among users. They supplement the role hierarchy by specifying, on a module-by-module basis, whether users can view each other's data.
Configuration #
To manage sharing rules: Settings > User Management > Sharing Rules.
The three levels of sharing #
| Rule | Description | Use cases |
|---|---|---|
| Private | Each user can see only their own records and those of their subordinates (based on the role hierarchy) | Sensitive data: HR, accounting, personal data |
| Access: read-only | All users can view the records, but only the owner (and their supervisors) can edit them | Data that everyone can view but not edit: product catalog, shared contacts |
| Access: read/write | All users can view and edit all records | Collaborative data: projects, shared tasks |
Important: Sharing rules define the default behavior. Exceptions can be added to grant additional access to specific roles, groups, or users.
Sharing exceptions #
When the default setting is "Private" or "Public: Read-only," you can create exceptions to grant broader access:
- On the sharing rules screen, click Add an exception for the desired module
- Select who shares (a role, a group, or a role and its subordinates)
- Choose who receives the access (a role, a group, or a role and its subordinates)
- Select the access level: read-only or read/write
Example: The "Invoices" module is set to "Private" mode. You want the collections team to be able to view invoices for the entire company. Create an exception that shares invoices from "All roles and subordinates" with the "Collections" group on a "Read-only" basis.
Recalculating sharing rules #
After changing the sharing settings, click the "Recalculate" button to apply the changes.
Please note: The recalculation may take a few seconds on instances with a large number of users and data.
5. Groups #
Principle #
A group is a collection of users, roles, or other groups. Groups are primarily used to:
- Assign records to a team rather than to a single user
- Create sharing exceptions to grant access to a cross-functional team
Configuration #
To manage groups: Settings > User Management > Groups.
A group can contain:
- Individual users
- Entire roles (all users with that role)
- Roles and subordinates (the role and all its children in the hierarchy)
- Other groups (nesting)
Example: The "Executive Committee" group includes the roles "Sales Director," "Chief Financial Officer," and "Chief Executive Officer."
6. How permissions are evaluated #
When a user tries to access a record or perform an action, Kafinea checks permissions in the following order:
- Is the user a standard administrator? → If yes, full access to data, with no further checks. For a limited administrator, the following checks apply as for any other user.
- Is the module active? → If the module is disabled, no one (except administrators) has access to it
- Does the profile grant access to the module? → If none of the user's profiles grant access to the module, access is denied
- Is the action permitted by the profile? → Check the specific action (create, view, edit, delete)
- Do the sharing rules allow access to this record? → Verify the owner, hierarchy, and exceptions
Good to know: When a user has multiple profiles, Kafinea applies the "most permissive" rule: if at least one profile allows an action, it is permitted.
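The evaluation order above can be modelled in a few lines to audit what a given role and profile combination actually yields. This is an added example, not Kafinea's code or API: every name and the sample configuration are hypothetical, and it assumes that "delete" follows the same sharing rules as "edit", that the global permissions are applied at the sharing step, and that a sharing exception is described only by who receives access.

```python
from collections import namedtuple

# Hypothetical model with constructed sample data; not Kafinea's API or a real instance.
Profile = namedtuple("Profile", "modules view_all edit_all", defaults=(False, False))
User = namedtuple("User", "name role profiles standard_admin groups",
                  defaults=(False, frozenset()))  # limited admins are plain users here

PARENT = {"Sales Rep": "Sales Director", "Sales Director": "CEO",
          "Accountant": "CFO", "CFO": "CEO"}
ACTIVE = {"Invoices", "Quotes"}
SHARING = {"Invoices": "private", "Quotes": "read-only"}
EXCEPTIONS = {"Invoices": [("Collections", "read-only")]}  # (grantee, level)

def is_superior(role, other):  # True if `role` is an ancestor of `other`
    while other in PARENT:
        other = PARENT[other]
        if other == role:
            return True
    return False

def check(user, action, module, owner):
    """Return (allowed, deciding step); action is create/view/edit/delete."""
    if user.standard_admin:
        return True, "1: standard administrator"
    if module not in ACTIVE:
        return False, "2: module disabled"
    granting = [p for p in user.profiles if module in p.modules]
    if not granting:
        return False, "3: no profile grants the module"
    if not any(action in p.modules[module] for p in granting):  # most permissive wins
        return False, "4: no profile permits the action"
    if action == "create":
        return True, "4: permitted (no existing record to check)"
    write = action != "view"       # assumption: delete follows the edit rules
    if any(p.edit_all if write else p.view_all for p in user.profiles):
        return True, "5: global permission overrides sharing"
    if owner.name == user.name or is_superior(user.role, owner.role):
        return True, "5: owner or superior role"
    mode = SHARING.get(module, "private")
    if mode == "read/write" or (mode == "read-only" and not write):
        return True, "5: default sharing rule"
    for grantee, level in EXCEPTIONS.get(module, []):
        if grantee in user.groups | {user.role} and (level == "read/write" or not write):
            return True, "5: sharing exception"
    return False, "5: sharing rules deny"

ACCOUNTING = Profile({"Invoices": {"create", "view", "edit", "delete"}})
READ_ONLY = Profile({"Quotes": {"view"}, "Invoices": {"view"}})
rep = User("rep", "Sales Rep", [Profile({"Quotes": {"create", "view", "edit"}})])
accountant = User("acct", "Accountant", [ACCOUNTING, READ_ONLY])
collector = User("coll", "Accountant", [READ_ONLY], groups=frozenset({"Collections"}))

if __name__ == "__main__":
    print(check(rep, "edit", "Quotes", accountant), check(collector, "view", "Invoices", rep))
```

Because profiles are combined by union, attaching a more restrictive profile to a role never removes a right, so an audit has to consider every profile linked to the role.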
7. Common configuration scenarios #
Scenario 1: A salesperson who only sees their customers #
- Create a "Sales" profile with access to the Contacts, Accounts, Quotes, and Orders modules
- In the sharing settings, set the Contacts and Accounts modules to "Private"
- Create a "Sales Representative" role under the "Sales Manager" role
- Link the "Sales" profile to the role
As a result, the sales representative can only see their own customers and those of any subordinates they may have. Their manager, on the other hand, can view the data for all of their sales representatives.
Scenario 2: An accountant with read-only access to sales data #
- Create an "Accounting" profile with full access to the accounting modules (Invoices, Payments, etc.)
- Create a second "Sales View" profile with read-only access to the sales modules (Quotes, Orders) — check "View Details" but uncheck "Create," "Edit," and "Delete"
- Assign both profiles to the "Accountant" role
As a result, the accountant can manage the books freely while viewing quotes and orders without being able to modify them.
Scenario 3: A cross-functional project team #
- Create a group called "Project Alpha Team" that includes the relevant users
- In the sharing settings for the Projects module (in "Private" mode), add an exception granting "Read/Write" access to the "Project Alpha Team" group
As a result, all team members can collaborate on the projects assigned to them, regardless of their position in the hierarchy.
Scenario 4: Restrict access to leave requests #
- In the relevant role profile, make sure the "Leave Requests" module is checked (enabled)
- Make sure the "Create," "View Details," and "Edit" checkboxes are selected
- If the user is still unable to edit requests, check the module's sharing rules
Good to know: If a module does not appear in the profile editing screen, it may mean that the module is disabled. Contact your administrator to check the module’s status in Settings > Module Manager.
8. Troubleshooting #
A user does not see a module in the menu #
Possible causes:
- The module is unchecked in the user's profile → Edit the profile in Settings > User Management > Profiles and check the module
- The module is disabled at the system level → Check under Settings > Module Manager
- The module is not in the user menu → Check the menu settings
A user cannot edit a record #
Possible causes:
- The "Edit" option is unchecked in their profile → Edit the profile and check "Edit" for the relevant module
- The record belongs to another user, and the sharing settings do not allow editing → Check the sharing settings or add an exception
- The record is locked → Some modules allow you to lock records (e.g., approved invoices)
A user can create but not edit #
Probable cause: The profile allows "Create" but not "Edit." These two permissions are independent of each other.
Solution: Edit the profile in Settings > User Management > Profiles, check the "Edit" box for the relevant module, then save.
Shared lists are not visible to a user #
Possible causes:
- The module in question is not accessible in the user's profile → A module's lists are only visible if the user has access to the module
- The module is disabled → Check under Settings > Module Manager
How to check a user's actual permissions #
To troubleshoot a permissions issue, check the following in order:
- User role: Settings > User Management > Users → view the assigned role
- Profiles associated with the role: Settings > User Management > Roles → view the role's profiles
- Profile permissions: Settings > User Management > Profiles → edit the profile to view permissions module by module
- Sharing rules: Settings > User Management > Sharing Rules → check the module's sharing mode
Tip: If you are an administrator and use Kafinea’s AI assistant, you can ask it questions directly, such as “Why can’t the user ‘jean’ edit leave requests?” The assistant has a permissions diagnostic tool that analyzes the configuration and tells you exactly what’s causing the problem.
9. Best Practices #
- First, define your organizational structure: create roles that mirror your organizational chart
- Create reusable role-based profiles, such as “Sales,” “Accounting,” and “HR,” rather than creating a separate profile for each person
- Apply the principle of least privilege: grant only the rights strictly necessary for each role
- Use groups for cross-functional teams rather than changing the role hierarchy
- Document your choices: note why each profile was configured in a particular way, to make maintenance easier
- Test the permissions: After making a change, log in with a test account that has the updated profile to verify the behavior
10. Frequently Asked Questions #
How do I grant access to a module for a single user?
Create a specific profile with access to the desired module, then assign that profile to the user’s role. If other users have the same role and should not have this access, create a dedicated role for that user.
Are the changes applied immediately?
Yes, profile changes are applied immediately. The user in question will see the changes the next time they refresh the page. For sharing rules, be sure to click the "Recalculate" button after making your changes.
How can two teams share their data?
Create a group that includes members from both teams, then add an exception to the sharing rules to grant access to that group.
How do I completely revoke access to a module?
Edit the user's profile and uncheck the module. The module will disappear from the menu, and all actions will be blocked.
What happens when a user has multiple profiles?
Permissions are combined according to the "most permissive" principle. If one profile allows an action and another prohibits it, the action is allowed. This is useful for combining role-based profiles (e.g., "Sales Access" + "Accounting Access").
A user reports not seeing the "Edit" button on a record. What should I check?
Check the following in this order: 1) Is the "Edit" action checked in the profile? 2) Is the record locked? 3) Do the sharing rules allow this user to edit this record?
Glossary #
| Term | Definition |
|---|---|
| Role | Position in the organizational hierarchy; determines data visibility based on reporting lines |
| Profile | A set of detailed permissions (access to modules, actions, fields) associated with one or more roles |
| Sharing Rule | Rule defining the default visibility of a module's data among users |
| Group | A set of users, roles, or other groups used for assigning records and sharing exceptions |
| Global permission | Cross-cutting permission ("View All" or "Edit All") that overrides sharing rules and the hierarchy |
| Sharing Exception | An additional rule that grants read or read/write access to a specific role or group |