Roles — overview

Admin guide

Who this is for: Admins who create and manage users
Time to read: 3 min
Prerequisites: You've read **Access levels explained** so you understand the seven access levels.

What you'll learn

  • What a Role is in VAT Portal
  • How Role differs from the access levels explained in the previous article
  • Where Role appears in the UI
  • Why you can't create new roles yourself

What a Role is

A Role is a named preset that an admin picks when creating or editing a user. Each role bundles a few things:

  • An access level (one of the seven from Access levels explained).
  • A user-friendly name (e.g., "Operator", "AppAdmin", "Manager").
  • Sometimes a scope — a specific module or resource the role is associated with.

Think of a role as a shortcut label that says "this kind of user gets this access level". Instead of setting raw numbers on every user, admins pick a role from a list, and the role determines the user's default access level across the system.


Role vs. access level

Roles and access levels are related but not the same thing:

| Concept | What it is | Who controls it |
|---|---|---|
| Access level | A numeric privilege tier (1=Root through 50=ReadOnly). Determines what a user can do on each resource. | The system (fixed — seven levels) |
| Role | A named preset that maps to an access level. Picked when setting up a user. | The system catalog (maintained at deployment) |

So every role points to a single access level, but the role's name is what you see in the UI — and that's what makes the system approachable. Instead of asking "what access level should this user be?" (and facing the counter-intuitive "lower is more" numbers), you ask "what role is this person?" and pick AppAdmin, Operator, or whatever matches.


Where Role appears

On the Users page (Settings → Users)

  • Each user's row shows their Role as a small badge.

When creating or editing a user

  • The User dialog has a Role dropdown. Picking a role sets the user's default access level for the system.
  • The role dropdown lists every role defined in your system's catalog. You pick one; you don't type it freely.

On the user's own Profile page (Header → user icon → Profile)

  • The Role line in the Account Information card shows the role name the admin chose for that user.

See Creating a new user and Editing a user's profile for the full context.


Role vs. per-resource access

Role sets the default; per-resource access overrides it.

Every user's role acts as their baseline access level across all resources they're permitted to see. But for specific resources, that default can be overridden:

  • A user whose role is Operator might be explicitly granted AppAdmin on the document resource — giving them the ability to create and manage documents, while staying at Operator everywhere else.
  • A user whose role is AppAdmin might be explicitly dropped to ReadOnly on user — they can still admin Document Flow, but can't see other people's accounts.

The per-resource overrides are set in the Manage Access dialog, covered in Managing a user's access (per-company ACLs). The role is what you pick once, at account creation; the overrides are for the exceptions.


You don't create or edit roles yourself

There is no "Roles" page in VAT Portal's admin interface — roles are set up in the system catalog at deployment. The list of roles available to you when you create a user is whatever your VAT Portal instance was configured with.

If you need a new role that doesn't exist — say, a specialized level for a new team's needs — contact your VAT Portal implementation partner or system administrator. For most organizations, the default set of roles covers every realistic user type.

In practice: think of roles as fixed options, like blood types. You pick from them; you don't invent your own.


Common questions

What's the practical difference between giving someone the AppAdmin role and giving them AppAdmin access on one resource?

The role sets their default everywhere. Granting AppAdmin on one specific resource (via Manage Access) overrides the role's default, but only for that resource. If you want a user to be AppAdmin on everything, pick the AppAdmin role. If you want them to be AppAdmin only on Documents and Operator on everything else, pick the Operator role and override Documents to AppAdmin.

A user's role says "Operator" but they can do something only AppAdmin should be able to do. How?

Check their per-resource access (Manage Access dialog). A role-level Operator with a per-resource AppAdmin override will be able to do AppAdmin-level things on that specific resource. See Managing a user's access.
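
The rule from "Role vs. per-resource access" and the Operator question above, as an added example (not VAT Portal code): a short audit that resolves a user's effective level per resource and flags overrides that grant more than the role badge suggests. The numeric values for AppAdmin and Operator, the User record and the sample users are assumptions; only 1=Root and 50=ReadOnly come from this guide.

```python
from dataclasses import dataclass, field

# Lower number = more privilege. Only 1=Root and 50=ReadOnly come from this
# guide; the AppAdmin and Operator numbers are assumed placeholders.
LEVELS = {"Root": 1, "AppAdmin": 10, "Operator": 30, "ReadOnly": 50}


@dataclass
class User:  # hypothetical record, not a VAT Portal export format
    name: str
    role: str                                      # exactly one role per user
    overrides: dict = field(default_factory=dict)  # resource -> level name


def effective_level(user, resource):
    """A per-resource override wins; otherwise the role's default applies."""
    return user.overrides.get(resource, user.role)


def audit_overrides(users, levels=LEVELS):
    """Flag overrides that outrank the role badge (lower number = more power)
    and overrides that cannot be compared because a name is not in `levels`."""
    findings = []
    for u in users:
        for resource, level in sorted(u.overrides.items()):
            base, granted = levels.get(u.role), levels.get(level)
            if base is None or granted is None:
                findings.append((u.name, resource, u.role, level, "unmapped"))
            elif granted < base:
                findings.append((u.name, resource, u.role, level, "escalation"))
    return findings


# Constructed sample users mirroring the cases described in this guide.
SAMPLE_USERS = [
    User("alice", "Operator", {"document": "AppAdmin"}),   # more than badge
    User("bob", "AppAdmin", {"user": "ReadOnly"}),         # less than badge
    User("carol", "FieldInspector", {"document": "Operator"}),  # custom role
    User("dave", "Operator"),                              # no overrides
]

if __name__ == "__main__":
    for finding in audit_overrides(SAMPLE_USERS):
        print(finding)
```

Pass a `levels` mapping that matches your own deployment's catalog; a role such as FieldInspector is reported as "unmapped" until its tier is known, rather than being silently treated as safe.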

Can I rename a role?

Not from within VAT Portal. Role names come from the system catalog and change only when your VAT Portal instance is reconfigured.

Can a user have more than one role?

No. Each user has exactly one role. The flexibility comes from the per-resource access overrides, not from multiple roles.

The role dropdown shows roles I've never heard of — what are they?

Some VAT Portal deployments have additional roles configured for specific needs (e.g., a "FieldInspector" role for a specialized Operator variant). Pick whichever role's description matches what you need; if none fit cleanly, go with the closest generic one (Operator, AppAdmin, etc.) and adjust per-resource as needed.

Does changing a user's role retroactively change what they've done?

No. Role changes affect what the user can do from now on. Actions they've already taken (approvals, edits, deletions) stay in the history with their original attribution.

