Managing user roles and permissions

A user must have the role of Super Admin to edit roles and permissions in Arbor Finance. The user management area is accessed through System > System Setup > User details

A user role type defines if the user can or cannot create and edit other users.

A user permission defines which areas of the system the user has access to. 

This article also covers deactivating a user, checking who is logged in and multifactor authentication.

How to change a user role

Only a user with the role of Super Admin will have access to do this.

1. In the user details page highlight the user you want to change the role of by clicking on their name on the left. This will highlight them in blue and populate their details into the main body of the page.

2. On the right hand side click on Edit 

3. Use the drop down under Role to select the relevant role type

Super Admin  - allows the user to create new users and edit role types and permissions

Admin  - allows the user to edit permissions but not create users or edit role types

User  - does not allow the user to create users or edit role types or permissions

4. Click Save

If the user being updated is logged in, they will need to log out of the system and log back in for the change to take effect.

How permissions are managed in Arbor Finance

There are four permission types to choose from when setting up a user.

None - This will not allow the user to access any area of the system. You may want to use this setting for staff who are on long term absence from the school.

View only - This will allow the user to view the records area and a select number of options in the reporting area.

Full - This will allow the user access to all areas of the system.

Custom - This is when one of the above has been selected and the permissions customised for the user.

How to assign user permissions 

Only a user with the role of Super Admin or Admin will have access to do this.

1. In the user details page highlight the user you want to change/assign permissions by clicking on their name on the left. This will highlight them in blue and populate their details into the main body of the page.

2. On the right hand side click on Edit If the user has just been created and you are assigning permissions for the first time the system will automatically enter the Full permission type when you click edit 

3. Use the drop down under Permission to select the relevant permission type

4. Click Save

Using custom permissions

Custom user permissions are controlled at two levels:

• Arbor Finance allows you to control access to its main areas: Records, Transactions, Reporting, System manager, Other, and BACS. If a user doesn't have permission to access one of these areas, the corresponding menu options will be disabled or hidden, preventing them from accessing any screens within that section.
• Within each Arbor Finance area, you can manage access to individual features. For example, under Records, you can independently control a user's access to Income sources / Suppliers, Income / Expenditure analysis, Budget accounts, Suppliers catalogue, and VAT.

Permission levels for component features in most areas are:

• None: No access.
• View only: Read-only access.
• Full: Read/write access.

The Transactions area has a distinct set of permissions:

• None: No access.
• Batching: Provides read/write access to submit transactions into a batch. This permission is ideal for roles like data entry staff or department heads who need to enter their own purchase orders but should not have the ability to post or update batches.

• Full: Grants complete read/write access.

   

When selecting the custom permission the system will automatically use the permission options that were in place before custom was selected.

For example;

If the Full permission is in place and you change the permission to custom. The blue dots will stay on the full permission and you will need to change any that you do not want the user to have access to.

If the None permission is in place and you change the permission to custom. The blue dots will stay on the none permission and you will need to change any that you want the user to have access to.

It is also possible to amend access to individual areas directly from the full, none and view only permission. Doing this will automatically update the permission to custom.

Depending on what you would like the user to have access to will prompt which permission you start with. There are two examples below to help. 

Example one

You want the user to have full access to all areas of the system but not be able to run period end. 

Assign the full permission. scroll down to the Other section and change the dial next to period end from full to none. This will automatically change the permission type to custom.

Example two

You want the user to only have access to the approvals area of the system.

Assign the none permission, all the selections will be greyed out. Scroll down to the Reporting section and tick the box next to the word reporting. You can now change the dial next to approvals to full. This will automatically update the permission type to custom.

How to tell who is logged in

The person icon beside a user's name shows their login status. A green person icon indicates the user is currently logged in, while an outline of a person means they are logged off.

Making a user status inactive

Making a user inactive will prevent the user from being able to login.

You may wish to do this for staff who have left but you do not want to delete their profile for audit purposes or for staff on long term absence.

Making a user inactive will also log them out of the system and can be a work around if you are trying to complete a period/year end and they have forgotten to log out.

Only a user with the role of Super Admin can change a user to inactive

1. In the user details page highlight the user you want to make inactive by clicking on their name on the left. This will highlight them in blue and populate their details into the main body of the page.

2. On the right hand side click on Edit 

3. Use the drop down under Status to make them inactive

4. Click Save

You can reactivate a user at anytime if necessary

Multifactor Authentication

Enabling Multifactor Authentication (MFA)

If you are logged in as a Super Admin, you can enable MFA by going to System setup > User details > top right hand corner MFA toggle is visible. As default this is set to disabled,  please toggle to enable this feature. 

.

How it works: MFA is managed at the school level and sends an authentication code to the user's email address.

• Important email address: The code is sent from account-security-noreply@accountprotection.microsoft.com. Make sure your email provider does not block messages from this address.
• User behaviour: Once MFA is enabled for a school, it applies to all users. If a user has access to multiple schools, they will be required to use MFA for every login, regardless of which school they are logging into.