User Role and Permission Definitions
This article will give a detailed overview of the roles and permissions available within Gatekeeper when setting up your user base.
Sections in this article:
- Introduction
- Roles
- Permissions
- Workflow Groups
- eSign Permissions
- Vendor Permissions
- Sensitive Data Permissions
- Additional Permissions
Introduction
In Gatekeeper, roles and permissions control what a user can see and do across the core platform. These are set directly on the user's account, and define access to records in the Vault as well as other features such as reporting or configuration.
Workflow access, however, is managed separately. It is assigned through workflow configuration and does not rely on a user’s core roles or permissions. For example, a user may have limited access to vendor records in the Vault, but still be able to interact with all vendors during a workflow.
Understanding this separation is key when assigning access:
- User Roles and Permissions: Define access to records in the repository, including contracts and vendors. These control visibility and editing rights.
- Additional Permissions: Grant broader access across Gatekeeper, such as reporting, configuration, or user management.
- Workflow Access: Control what users can see and do within workflow phases. This is assigned within individual workflows and controls which phases the user can interact with.
This article provides a description of each of the core user roles and permissions, and additional permissions within Gatekeeper.

Note: For additional information on workflow access, see Workflow Authorisation Overview.
Roles
Roles define what actions the user can perform when navigating Gatekeeper.
| Role | Description |
|---|---|
| Administrator | Write access. They can add, delete, and edit data. |
| Collaborator | Read-only access. They can perform some actions, such as adding messages or files. See Collaborative Functions for a full breakdown of what actions they can perform. |
| Custom | Role Based Access Controls (RBAC) defines custom roles. This gives a greater level of granularity to user permissions. Availability may vary depending on your tenant configuration. |
| Employee Portal Only | This provides a more restrictive level of access. Users have minimal visibility of contracts and vendors, but can submit requests via the Employee Portal. You cannot downgrade users to Employee Portal Only if they have already been granted access through one of the other roles. This role is only available if the Employee Portal is enabled in your tenant. |
Collaborative Functions
For a detailed breakdown of the functions available to Global Collaborators, see the table below:
Global Collaborator Access Rights
| Action | Access Rights |
|---|---|
| View contract and vendor records | ✅ |
| View all files in Gatekeeper | ✅ |
| Edit file names | ❌ |
| Download existing files | ✅ |
| Upload new files | ✅ |
| Edit contract and vendor records (e.g., Expiry Date, Legal Name, Company Number) | ❌ |
| Create new contract/vendor records | ❌ |
| Export data from contract and vendor repository | ✅ |
| Send messages to other users | ✅ |
| Create events | ✅ |
| Complete workflow forms | ✅ |
Permissions
Permissions define what a user can see when navigating Gatekeeper, i.e. which records they have access to.
| Permission | Description |
|---|---|
| Global | Users can see all data in your tenant, including contracts, vendors, teams, categories, and entities. |
| Own Team | Users can only see contracts and their associated vendors based on the team they have been assigned. |
| Owned Only | Users can only see records that they are explicitly set as an owner of. See Owned Only Access for a full breakdown of this permission. |
Owned Only Access
For further details on Owned Only Access, see the description and diagram below:
Owned Only Access Breakdown
Each object (entity, category, team, supplier, or contract) can have assigned owners (also known as managers). Users with the Owned Only permission will have access to objects they directly own. They may also gain access to related objects through secondary associations.
Contracts are at the base of the data structure. They link to vendors, teams, categories, and entities. This structure allows access for Administrators to be inherited based on associations.
See the below diagram for further details and examples:
Workflow Groups
Workflow groups are used to set ownership within specific workflow phases. They can be set up as static groups of users. For example, the IT Team workflow group may contain all IT Team members who are required to interact with an explicit phase within a workflow.
eSign Permissions
eSign Permissions determine which users can send a document for eSign, and who can be set as a Signatory.
| eSign Permission | Description |
|---|---|
| eSign Sender | Allows this user to send documents for eSign. |
| eSign Signer | Allows this user to be set as an authorised signatory within eSign. |
Vendor Permissions
Vendor permissions allow users to view vendor records without providing access to the related contract records.
| Vendor Permission | Description |
|---|---|
| Global Vendor Administrator | This user will have administrator (read/write) privileges to all vendor records. |
| Global Vendor Collaborator | This user will have collaborator (read) privileges to all vendor records. |
Sensitive Data Permissions
Sensitive data permissions allow users to view all custom data groups marked as sensitive. See Configure Sensitive Data for further information.
Additional Permissions
This area enables a user to be provisioned with additional permissions.

| Additional Permission | Description |
|---|---|
| Users* | Enables a user to add users, and manage their roles and permissions in Gatekeeper (including their own access). |
| Configuration* | Grants access to the Configuration area, allowing them to amend the settings in Gatekeeper. |
| History | Grants access to an unrestricted history of all user activity in Gatekeeper. |
| Reports | Enables a user to run and export reports on all data within Gatekeeper. |
| Workflow Administrator | Enables a user to manage all workflows within Gatekeeper. |
* These additional permissions are only available for Global Administrators.
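
The following access review is an added example, not Gatekeeper code or a Gatekeeper export format. It applies the rules stated in this article to constructed user records with hypothetical field names, and it assumes "Global Administrator" means the Administrator role combined with the Global permission.

```python
# Added example: access review over constructed user records. Field names
# (name, role, permission, vendor_permission, sensitive_data, additional) are hypothetical.

GLOBAL_ADMIN_ONLY = {"Users", "Configuration"}   # the starred rows above
BROAD_READ = {"History", "Reports"}              # tenant-wide activity / data

def review_user(user):
    """Return a list of findings for one user record."""
    findings = []
    extra = set(user.get("additional", []))
    is_global_admin = (user["role"] == "Administrator"
                       and user["permission"] == "Global")

    # Starred permissions are only available for Global Administrators.
    for perm in sorted(extra & GLOBAL_ADMIN_ONLY):
        if not is_global_admin:
            findings.append(f"{perm}: held without Global Administrator")

    # 'Users' includes managing the holder's own access.
    if "Users" in extra:
        findings.append("Users: can change own roles and permissions")

    # Grants that see more than the core permission scope suggests.
    if user["permission"] != "Global":
        for perm in sorted(extra & BROAD_READ):
            findings.append(f"{perm}: tenant-wide data, scope is {user['permission']}")
        if user.get("vendor_permission"):
            findings.append(f"{user['vendor_permission']}: all vendor records, "
                            f"scope is {user['permission']}")
        if user.get("sensitive_data"):
            findings.append("Sensitive Data: all sensitive custom data groups")
    return findings

def review(users):
    """Map user name -> findings, omitting users with none."""
    report = {u["name"]: review_user(u) for u in users}
    return {name: f for name, f in report.items() if f}

# Constructed sample records.
SAMPLE_USERS = [
    {"name": "alice", "role": "Administrator", "permission": "Global",
     "additional": ["Users", "Configuration"]},
    {"name": "bob", "role": "Collaborator", "permission": "Own Team",
     "additional": ["Reports"], "vendor_permission": "Global Vendor Administrator"},
    {"name": "carol", "role": "Administrator", "permission": "Owned Only",
     "additional": ["Configuration"], "sensitive_data": True},
    {"name": "dave", "role": "Collaborator", "permission": "Own Team"},
]
```

Workflow access is assigned separately, so a review like this covers repository and platform access only.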