Access Role rules

An access role rule defines a name for a role, and represents a set of capabilities. To deliver these capabilities to users, you reference the access role name in other rule types to assign the access role to users and to provide, or restrict, access to certain classes.

The following tabs are available on this form:

Create access role names using the format application name:role name, where application name is the name of your application and role name is the name of a role that uses the application.

An access role identifies a job position or responsibility defined for an application. For example, an access role can define the capabilities of LoanOfficer or CallCenterSupervisor. The system grants users specified capabilities, such as the capability to modify instances of a certain class, based on the access roles they acquire at sign on.

The Access Role form defines only the existence of a new access role. It contains no other information and conveys no capabilities. Through other rule types, access roles provide users with various types of access to classes. Access roles provide a finely tuned differentiation of categories or groupings of users of your application.

When you create an access role, you can configure dependencies from other roles to determine access rights. Role dependencies are relationships between roles that can mirror an organizational hierarchy or more complex relationship between groups of operators, roles, or functional areas. For example, a manager should have all or almost all the access rights that a user has, plus some access rights that only managers have. An example of a more complex access relationship, is an HR application. An operator can be allowed to create or modify a job position, set a salary, enter an interview evaluation, make a job offer, or run reports. The access rights in all these cases depend on the operator's department and level in the organization.

If you create access roles, be sure to create a last-resort Access of Role to Object rule at @baseclass for that access role, so that the class inheritance search always ends successfully.

Where referenced

Access role names form the first key part of Access of Role to Object rules (Rule-Access-Role-Obj rule type) and Access Deny Obj rules (Rule-Access-Deny-Obj rule type). Access roles are conveyed to users through access groups.


To view or modify a list of the access roles in your application, use the Access Roles landing page tab on the Security landing page (Designer Studio > Org & Security > Security > Access Roles) .

To list all access roles that are available to you, use the Records Explorer .


Access Role Name rules are instances of the Rule-Access-Role-Name class. They are part of the Security category.