Roles in F2

Privileges let a user perform different tasks in F2. They are given to a user through the assignment of roles. For example, if a user must be able to delete notes, the user must be assigned a role with the “Can delete notes” privilege.

In F2’s user interface, roles are sometimes referred to as "role types".

F2 comes with a number of roles, including four administrator roles. An administrator with the “User administrator” or “Administrator” role can also create new roles.

The default roles in F2 are described below.

Administrator roles

The following section describes the available administrator roles and the associated privileges.

When F2 is installed, a user with the “Administrator” role is created simultaneously. Additional users must be created afterwards. If an additional authority is created within an F2 installation, another user with the “Administrator” role must be created as with the first authority. The administrator user created for the second authority will then perform relevant tasks in this authority.

There are four integrated administrator roles:

Administrator
User administrator
Business administrator
Technical administrator.

An administrator’s tasks can be changed by either assigning or removing privileges from each role. Read more about assigning privileges to roles.

The administrator roles and their privileges are listed below.

The “Administrator” role has the following privileges:

F2 Analytics administrator (add-on module, documentation available in Danish)
User administrator
Distribution list editor
Extra email administrator
Keyword creator
Unit administrator
Unit type administrator
Flag administrator
Settings administrator
Can import documents from the server
Can import parties
Meeting forum administrator (add-on module, documentation available in Danish)
Editor of participants
Privilege administrator
On behalf of administrator
Result list administrator
Security group administrator
Template administrator
Progress codes administrator
System messages administrator
Search administrator
Team administrator
Team creator
Value list administrator.

The above privileges cannot be removed from the “Administrator” role. However, additional privileges may be added.

The “User administrator” role comes with the following privileges. These privileges may be removed, or additional privileges may be added, by a user with the “Privilege administrator” privilege:

User administrator
Extra email administrator
Keyword creator
Unit administrator
Unit type administrator
Flag administrator
Settings administrator
Can import documents from the server
Can import parties
Meeting forum administrator (add-on module, documentation available in Danish)
Editor of participants
Privilege administrator
On behalf of administrator
Security group administrator
System message administrator
Team administrator
Team creator.

The “Business administrator” role has the following privileges per default. These privileges may be removed, or additional privileges may be added, by a user with the “Privilege administrator” privilege:

F2 Analytics administrator (add-on module, documentation available in Danish)
Distribution list editor
Keyword creator
Unit type administrator
Flag administrator
Can import documents from the server
Meeting forum administrator (add-on module, documentation available in Danish)
Template administrator
Progress codes administrator
Value list administrator.

The “Technical administrator” role has the following privileges per default. These privileges may be removed, or additional privileges may be added, by a user with the “Privilege administrator” privilege:

Result list administrator
Search administrator.

The different privileges are described in Privilege overview section.

Other default roles in F2

Besides the administrator roles, F2 comes with a number of other roles. Most of these are either job roles or related to add-on modules. The table below describes these roles.

Role	Description
Access to data cleanup	This role is part of the F2 Data Cleanup add-on module. Users with this role have read access to all cases in the F2 installation and access to delete all cases regardless of their regular access to cases and records. This includes cases and records which otherwise could not be deleted because of e.g. registration status.
Address book owner	This role is automatically assigned to new users created in F2. Allows the user to create and edit private participants in the “Private” node in the participant register. Cannot be assigned manually and may not be removed from users.
Can delete everything on cases	This role lets the user delete a case regardless of the status of its records. When a case is deleted, a report containing information on the case and its records is sent to the user’s inbox. Read more about deleting cases.
Can use F2 GDPR	This role is part of the F2 Data Protection add-on module. Users with this role can create, delete, and edit GDPR searches and create data protection searches. Using F2 Data Protection, users can access all material in the F2 installation containing personal data. Contact cBrain for further information.
Case manager	This job role lets the user log into an associated unit. The organisation can assign privileges to the role that are relevant to a case manager.
Gated approver	This role is part of the F2 Gateway Approvals add-on module. The role is assigned to users with a gatekeeper (secretariat) who processes approvals on their behalf. The gatekeeper must be assigned “On behalf of” rights for the gated approver.
Head of department	This job role lets the user log into an associated unit. The organisation can assign privileges to the role that are relevant to a head of department.
Read access to another unit	This role lets the user search for and read records in the unit with which the role is associated. This means that a user in another unit who is assigned this role has read access to all the unit’s records with the “Unit” access level.
Read and write access to another unit	This role lets the user search for, read, and edit records in the unit with which the role is associated. This means that a user in another unit who is assigned this role has read and write access to all the unit’s records with the “Unit” access level.
Team administrator	This role is assigned automatically to users who are specified as team administrators. The role can only be assigned through this dialogue.
Team member	This role is assigned automatically to users who are specified as team members. The role can only be assigned through this dialogue.

Role

Description

Access to data cleanup

This role is part of the F2 Data Cleanup add-on module.

Users with this role have read access to all cases in the F2 installation and access to delete all cases regardless of their regular access to cases and records. This includes cases and records which otherwise could not be deleted because of e.g. registration status.

Address book owner

This role is automatically assigned to new users created in F2. Allows the user to create and edit private participants in the “Private” node in the participant register. Cannot be assigned manually and may not be removed from users.

Can delete everything on cases

This role lets the user delete a case regardless of the status of its records. When a case is deleted, a report containing information on the case and its records is sent to the user’s inbox. Read more about deleting cases.

Can use F2 GDPR

This role is part of the F2 Data Protection add-on module.

Users with this role can create, delete, and edit GDPR searches and create data protection searches. Using F2 Data Protection, users can access all material in the F2 installation containing personal data. Contact cBrain for further information.

Case manager

This job role lets the user log into an associated unit. The organisation can assign privileges to the role that are relevant to a case manager.

Gated approver

This role is part of the F2 Gateway Approvals add-on module.

The role is assigned to users with a gatekeeper (secretariat) who processes approvals on their behalf. The gatekeeper must be assigned “On behalf of” rights for the gated approver.

Head of department

This job role lets the user log into an associated unit. The organisation can assign privileges to the role that are relevant to a head of department.

Read access to another unit

This role lets the user search for and read records in the unit with which the role is associated. This means that a user in another unit who is assigned this role has read access to all the unit’s records with the “Unit” access level.

Read and write access to another unit

This role lets the user search for, read, and edit records in the unit with which the role is associated. This means that a user in another unit who is assigned this role has read and write access to all the unit’s records with the “Unit” access level.

Team administrator

This role is assigned automatically to users who are specified as team administrators. The role can only be assigned through this dialogue.

Team member

This role is assigned automatically to users who are specified as team members. The role can only be assigned through this dialogue.

Assigning roles

A user in F2 must have one or more roles. A role contains one or more privileges in a given authority, allowing the user to perform different tasks within.

F2 is installed with an Active Directory (a central administration of users) integration. By default, F2 uses one of two possible AD integrations:

“Full integration” in which roles and privileges in F2 are controlled using AD. Updates F2’s users once a day by default.
“Standard integration” in which an administrator must assign updated users to their respective units.

F2 can be configured to authenticate F2 users using other LDAP servers than Active Directory, e.g. Oracle Unified Directory. This configuration does not support single sign-on. This means that users must enter their user name and password every time they log into F2. Configurations are performed in cooperation with cBrain.

The following sections are based on an F2 installation with a standard AD integration, i.e. where the users are set up manually.

A user with the “User administrator” privilege can assign roles to users in two ways:

Through the “Assign role to users” dialogue in which it is possible to assign a role to several users at the same time.
Through the “Properties for the user [name]” dialogue in which it is also possible to remove the user’s roles. Read more about this in Assign role to a single user.

Assign role to several users

Users with the “User administrator” privilege can assign roles to one or more users through the “Assign role to users” dialogue, which is accessed on the “Administrator” tab in the main window. Users with the "Decentral unit and user administrator" privilege can use the same dialogue to assign decentral roles.

Figure 1. The “Assign role to users” menu item

Add one or more users to the “Users” field. Then select a role to assign to the selected users, and specify the unit in which to assign to role. Click Assign to complete the operation.

Figure 2. The “Assign role to users” dialogue

In this dialogue, users can also be moved from one unit to another. When the relevant users are added to the “Users” field, tick “Remove users from their current units”. Then select a role to assign to the users in the new unit. Click Assign to complete the move.

Assign role to a single user

Roles can be assigned to one user at a time through the “Properties for the user [Name]” dialogue. Open the dialogue by clicking on the Units and users menu item. The user’s master data can also be added here.

The steps below describe how Abigail Anderson from Administration is assigned the business administrator role.

After clicking on the Units and users menu item in the “Administrator” tab, click on the Users tab in the dialogue.

Select the user who needs a new role, in this case Abigail Anderson.

Click on Properties.

Figure 3. Select user

In the “Properties for the user Abigail Anderson” dialogue, click on the Roles tab and then on Add role.

Figure 4. Assign a role to the user

To add a role first select a “Role type”, in this example “Business administrator”. Then select the unit to which the role must be applied. In this example, it is the “Administration” unit.

Click on OK to assign the “Business administrator” role for the “Administration” unit to the user Abigail Anderson.

Figure 5. Assign a role type to a user

The role then appears in the overview of the user’s roles and job roles.

To remove a role from a user, select the role and click on Remove. The role is then removed from the user.

Figure 6. Remove a role from a user

It is important to select the correct unit for the user’s role. The role and its location determine which privileges the user has in a given unit.

Create and assign roles

An administrator can create roles as needed. To create new roles, the administrator must have either the “User administrator” or “Administrator” roles.

To view available roles, click on the Role types and privileges menu item on the “Administrator” tab.

A dialogue opens and a list of the organisation’s role types can be seen by clicking the drop-down arrow in the “Role type” field.

Figure 7. The “Role types and privileges” menu item

In this dialogue roles can also be created and edited by clicking the buttons New role type and Edit role type, respectively.

Figure 8. Role types and maintaining them

Click on New role type to open the “New role type” dialogue. Add the following information in the dialogue:

The name of the role.
A description of the role’s function e.g. “Access to edit templates and keywords”.
The synchronisation key if using full AD integration.
Tick the “Active” checkbox to activate the role so it can be assigned to users.
Tick the "Job" checkbox if the user will use the role to log in to F2. A user must have at least one job role in order to log in. You cannot untick this box later.

Figure 9. The “New role type” dialogue

You can then assign one or more privileges to the role. This lets users with this role perform a number of actions.

A role cannot be deleted, only deactivated.