User Role-Based Access Control Management
User Manual
| Field | Value |
|---|---|
| Document Type | User Manual |
| Portal | GRINEA – Internal Operations Portal |
| Module | User Role-Based Access Control Management |
| Version Number | 1.0 |
| Document Date | Jun 5, 2026 |
| Prepared by | Christian Canlubo |
Version History
| Version Number | Version Details | Author | Date Published |
|---|---|---|---|
| 1.0 | Initial Version | Christian Canlubo | Jun 5, 2026 |
1.0 Introduction
This document is the official user manual for the User Role-Based Access Control (RBAC) Management module of the GRINEA Internal Operations Portal. It covers all tasks that a Backoffice Administrator performs within this module, including creating, searching, updating, and deleting user roles, as well as understanding how role statuses and permissions affect platform users. Users should read this manual before consulting any other module-specific documentation, as the roles and permissions configured here govern access to all other modules in the portal.
1.1 Purpose of the Document
This manual is the official reference guide for the User Role-Based Access Control Management module within the GRINEA Internal Operations Portal, Backoffice section. It documents all module functions, explains required inputs, and describes the outcomes of each action available to authorized users.
Operationally, this module is the mechanism by which the platform controls what each type of user can see and do. A Backoffice Administrator uses this module to define roles, specify which platform modules each role can access, and set the level of access permitted per module. These role definitions are then applied when user profiles are created or updated, determining the navigation items and features available to each user.
This manual enables administrators to perform all role management tasks independently, without reliance on support staff for routine operations. It also documents known system behaviors, error conditions, and their resolutions so that administrators can diagnose and respond to issues without escalation where possible.
This document complements, and does not replace, any organizational policies governing data access, user provisioning, or security. Users who encounter platform issues that cannot be resolved using this manual should contact their system administrator.
1.2 Scope of the Document
This document covers the features and procedures available within the User Role-Based Access Control Management module of the GRINEA Internal Operations Portal, and does not extend to any other module or system. Specifically, this document covers the following areas:
- Navigating to the User Role-Based Access Control Management module
- Creating a new user role, including role name, user group, and module permission assignment
- Searching for an existing user role by name
- Updating an existing user role to add or revoke module access
- Deleting a user role and the conditions that prevent deletion
- Understanding role statuses and their effect on assigned users
The following areas are out of scope for this document and are addressed in separate documentation:
- User profile creation and management (covered in the User Management module manual)
- Authentication and login procedures (covered in the platform onboarding guide)
All procedures described in this manual apply to the production environment of the GRINEA Internal Operations Portal. Screen layouts and available options may change as the platform is updated; users should confirm that the version of this manual matches their current platform version before proceeding.
1.3 Intended Audience
This manual is written for Backoffice users of the GRINEA Internal Operations Portal who are responsible for managing user roles and platform access. It is accessible to users regardless of their level of technical experience, provided they hold the appropriate permissions described below.
Backoffice Administrator
The Backoffice Administrator is the sole actor with access to the User Role-Based Access Control Management module. To access this module, a Backoffice user must have Full Access to the User RBAC module, found under the User & Access Control permission group on their role. This role is also referred to as Super Admin; the two terms describe the same account type. The Backoffice Administrator can create, update, and delete roles scoped to either Frontoffice or Backoffice user groups from within the same module. One Backoffice Administrator account with full RBAC access is created by default when the system is initialized, to allow the initial list of user roles to be built before other administrators are provisioned.
2.0 Module Overview
2.1 Description
2.1.1 The User Role-Based Access Control Management module is located under the Settings navigation item in the Backoffice section of the GRINEA Internal Operations Portal. It is the central entry point for defining and maintaining the roles that control what platform users can access. Only Backoffice Administrators with Full Access to the User RBAC module will see this module listed under Settings.
2.1.2 When a Backoffice Administrator first opens the module, they are presented with a list of all existing user roles. The landing view displays the role list table, a search field for filtering roles by name, a button to create a new user role, and Update and Delete action icons on each role row.
2.2 Key Features and Functionalities
2.2.1 User Role List (Landing Page)
The User Role List is the default view that appears when a Backoffice Administrator opens the User Role-Based Access Control Management module. It provides a consolidated view of all roles currently configured in the system, and serves as the starting point for all role management tasks. Roles are listed in a table format, and the administrator can act on any role directly from this view using the available icons.
From the landing page, the administrator can initiate role creation, search for a specific role, navigate to update an existing role, or initiate deletion of a role. All available actions are visible on the page without requiring navigation to a secondary screen.
Visible elements and available actions on the landing page include:
- Role list table showing existing user roles with name, office type, and status
- Search field for filtering the role list by role name
- "New User Role" button to open the role creation form
- Update icon on each role row, used to open the pre-populated update form for that role
- Delete icon on each role row, used to initiate the deletion process for that role
- View of users assigned to each role, accessible from the role row or role detail view, showing which users are currently assigned to that role
[Screenshot: User Role List – Landing Page]
2.2.2 Create User Role
The role creation function allows a Backoffice Administrator to define a new user role, specify its user group, and assign module-level permissions. A role created through this process is immediately available in the User Management module for assignment to user profiles. The creation form is structured as a sequential set of steps that the administrator completes before submitting.
The administrator must complete all required fields before the form can be submitted. The system validates the role name for uniqueness and will reject a submission if the name already exists in the system.
Step 1 – Open the Creation Form
The administrator opens the role creation form by clicking the "New User Role" button on the User Role List landing page.
- Click the "New User Role" button in the upper area of the User Role List page
- The creation form opens on screen
Step 2 – Complete Role Details
The administrator enters the basic identifying information for the new role:
- Role Name: a text field requiring a unique name for the role; the system will reject duplicate names
- Role Description: a short text field for a brief description of the role's purpose
- User Group: a dropdown selection with two options, Front Office or Back Office; this field determines which type of users can be assigned to this role; the selection is mandatory and cannot be changed after the role is saved
Step 3 – Assign Module Permissions
The administrator selects which platform modules the role can access and specifies the level of access for each selected module:
- Module selection: the administrator selects one or more platform modules to include in the role's permission set
- Permission level per module: for each selected module, the administrator sets the permitted operations; available levels are Read, Create, Update, Delete, or Full Access
- Selected permissions overview: a summary of the chosen permissions is displayed in real time as the administrator makes selections, allowing review before submission
Each toggle defaults to OFF. The administrator switches ON any module this role should be permitted to access.
Step 4 – Submit
- Click the Submit button to save the new role
- The system displays a success message confirming the role has been created
- The new role is immediately available in the User Management module's profile creation dropdown for assignment to user profiles
[Screenshot: Create User Role – Form]
2.2.3 Search User Role
The search function allows a Backoffice Administrator to locate a specific role within the User Role List without scrolling through all entries. This function is useful when the role list is large and the administrator knows all or part of the role name they are looking for.
- The search field is located on the main User Role List view
- Partial name matches are supported; the administrator does not need to enter the full role name
- Roles whose names match the search input remain visible in the list
- Roles whose names do not match the search input are hidden from the list while the search term is active
- Clearing the search field restores the full role list
2.2.4 Update User Role
The update function allows a Backoffice Administrator to modify the permission configuration of an existing user role. When a role is updated, the changes apply to all users currently assigned to that role. The administrator accesses the update form directly from the User Role List, and the form is pre-populated with the role's current settings, reducing the risk of overwriting existing configuration unintentionally.
Changes to module permissions take effect immediately for all users assigned to the updated role after the update is saved and the page is refreshed. No logout or re-login is required by affected users.
Step 1 – Open Update Form
- Locate the target role in the User Role List
- Click the Update icon on the row corresponding to that role
- The update form opens, pre-populated with the role's current name, office type, and permission assignments
Step 2 – Modify Permissions
- Add module access by selecting additional modules and assigning permission levels
- Revoke module access by removing or reducing the permission level for selected modules
- Review the updated permission summary displayed on the form before saving
Step 3 – Save
- Click the "Update User Role" button to save all changes
- The system applies the changes to the role record
- All users currently assigned to this role are subject to the updated permission set immediately after the change is saved
[Screenshot: Update User Role – Form]
2.2.5 Delete User Role
The delete function allows a Backoffice Administrator to permanently remove a user role from the system. Deletion is irreversible; a deleted role cannot be recovered. The system enforces a rule that prevents deletion of any role that still has users assigned to it. The administrator must reassign or remove all users from the role before deletion can proceed.
Warning: Deletion is permanent and cannot be reversed. Administrators should confirm there are no active user assignments before proceeding.
Step 1 – Initiate Deletion
- Locate the target role in the User Role List
- Click the Delete icon on the row corresponding to that role
- The system opens a confirmation modal
Step 2 – Confirm
- The confirmation modal is displayed, asking the administrator to confirm the deletion action
- Click the Delete button within the modal to confirm
Step 3 – Outcome
- If no users are assigned: the role is permanently deleted and removed from the User Role List and from all dropdowns across the portal
- If users are still assigned: the deletion is blocked. The system indicates that the role cannot be deleted while users remain assigned. The administrator must navigate to User Management, reassign or remove all users currently assigned to this role, and then return to attempt deletion again.
[Screenshot: Delete User Role – Confirmation Modal]
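The rules described in sections 2.2.2 through 2.2.5 can be summarized as a small model. This is an added illustration, not the portal's own code: the class and method names are hypothetical, role-name uniqueness is assumed to be an exact match, and Full Access is assumed to cover the four individual operations.

```python
from dataclasses import dataclass, field

LEVELS = {"Read", "Create", "Update", "Delete", "Full Access"}  # levels listed in Step 3
GROUPS = {"Front Office", "Back Office"}                        # User Group dropdown options

class RoleError(Exception):
    """A documented rule rejected the request."""

@dataclass
class Role:
    name: str
    user_group: str                                   # fixed once the role is saved
    permissions: dict = field(default_factory=dict)   # module -> levels; missing module = OFF
    status: str = "ACTIVE"                            # default status on creation

def _checked(permissions):
    """Copy the permission map, rejecting levels the manual does not list."""
    for module, levels in permissions.items():
        if set(levels) - LEVELS:
            raise RoleError(f"unknown permission level for {module}")
    return {module: set(levels) for module, levels in permissions.items()}

class RoleStore:
    def __init__(self):
        self.roles = {}        # role name -> Role
        self.assignments = {}  # user -> role name (managed in User Management)

    def create(self, name, user_group, permissions):
        if name in self.roles:           # assumption: exact-match uniqueness
            raise RoleError("role name already exists")
        if user_group not in GROUPS:
            raise RoleError("user group is mandatory")
        self.roles[name] = Role(name, user_group, _checked(permissions))

    def update(self, name, permissions):
        # Only permissions change; user_group is deliberately not updatable.
        self.roles[name].permissions = _checked(permissions)

    def assign(self, user, role_name):
        if role_name not in self.roles:
            raise RoleError("no such role")
        self.assignments[user] = role_name

    def delete(self, name):
        if name in self.assignments.values():
            raise RoleError("role still has users assigned")
        del self.roles[name]             # permanent; nothing is kept for recovery

    def allowed(self, user, module, operation):
        # Evaluated against the live role record, so an update applies at once.
        role = self.roles.get(self.assignments.get(user))
        granted = role.permissions.get(module, set()) if role else set()
        # Assumption: Full Access covers the four individual operations.
        return operation in granted or "Full Access" in granted
```

A module that is not listed for a role is denied, which mirrors the toggles defaulting to OFF; the module name "Reports" used when exercising this model is a constructed sample, while "User RBAC" is the module named in this manual.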
2.3 Status Lifecycle
The following table describes the statuses that a user role can hold within the system, including the condition that places a role in each status and the effect of that status on users and the broader platform.
| # | Status | Description |
|---|---|---|
| 1 | ACTIVE | A role enters ACTIVE status immediately upon successful creation and submission. This is the default status for all newly created roles. An ACTIVE role is available system-wide; it appears in the User Management profile creation dropdown and can be assigned to user profiles. All permissions configured for the role are in effect for any user currently assigned to it. |
| 2 | DELETED | A role reaches DELETED status when a Backoffice Administrator confirms its deletion through the confirmation modal, and only when the role has zero active user assignments at the time of deletion. Deletion is permanent and cannot be reversed. The role is removed from the system and no longer appears in the User Role List, in any User Management dropdown, or in any other part of the portal. The system blocks deletion and displays an error if any users remain assigned to the role at the time the deletion is attempted. |
3.0 Error Handling and Troubleshooting
This section lists known error conditions that a Backoffice Administrator may encounter while working in the User Role-Based Access Control Management module, along with their likely causes and recommended resolutions. Issues that persist after following the steps below should be escalated to the system administrator.
| Scenario | Possible Cause | Resolution |
|---|---|---|
| Duplicate role name rejected on submission | The administrator attempted to create a new role using a name that already exists in the system. The system enforces a unique name rule at the point of submission. | Enter a distinct role name. Before creating or renaming a role, review the existing User Role List to confirm the intended name is not already in use. |
| Role deletion blocked | The role being deleted still has one or more users assigned to it. The system prevents deletion to avoid leaving users without a valid role. | Navigate to the User Management module. Locate all users currently assigned to the role. Reassign those users to a different role or remove the role assignment from their profiles. Return to the User Role-Based Access Control Management module and attempt deletion again. |
| User's access does not reflect a recent role update | The role update may not have been saved successfully, or the user's browser session needs to be refreshed to reflect the change. | Ask the user to refresh their browser session. If the correct permissions still do not appear, confirm the role update was saved by checking the role in the User Role List. If the issue persists, contact the system administrator. |
| Module not visible under Settings | The logged-in user is either a Frontoffice user or a Backoffice user whose role does not include Full Access to the User RBAC module. The module is only visible to users who have this permission assigned to their role. | Contact the system administrator to verify the account type and permission assignments for the affected user. Only Backoffice users with Full Access to the User RBAC module can access this module. |
4.0 FAQs
This section answers common questions about the User Role-Based Access Control Management module.
| Question | Answer |
|---|---|
| How quickly does a newly created role appear in the User Management dropdown? | Immediately upon successful submission. The User Management module retrieves the current role list at the point of user profile creation or editing, so the new role is available for selection as soon as it is saved. No additional action is required to make the role visible. |
| Can a Backoffice Administrator manage roles for both office types from the same module? | Yes. A Backoffice Administrator with Full Access to the User RBAC module can create, update, and delete roles scoped to either Frontoffice or Backoffice from within the same User Role-Based Access Control Management module. There is no requirement to switch views or sessions to manage roles of different office types. |
| What happens to users already assigned to a role when that role's permissions are updated? | Permission changes apply to all users currently assigned to the updated role immediately after the change is saved and the page is refreshed. No logout or re-login is required by the affected users. |
| Is there a way to disable a role temporarily without permanently removing it? | The only confirmed method of removing a role from circulation is permanent deletion, which requires all assigned users to first be moved to a different role. |