Manage Roles
The Manage Roles section is where you define the permission sets (roles) that control what administrators can do in Manage1to1. Roles are reusable collections of permissions that align with job functions and responsibilities.
You can access this page from the main navigation under Administrators > Manage Roles.
To view roles, you need the Manage Administrators permission. Some districts may also require the Assign Roles permission for role management.
Understanding Roles and Permissions
Think of roles as job description templates for system access. Each role defines a set of permissions that correspond to what someone in that position needs to do.
What is a Role?
A role is a named collection of permissions assigned to administrators. Instead of giving permissions to each administrator individually, you assign them a role that contains the appropriate permissions.
Examples of roles:
- Technology Administrator - Full access to devices, users, incidents, carts, settings
- Building Secretary - Access to users and device checkouts for their building
- Help Desk Support - Access to support tickets only
- Billing Clerk - Access to invoices and payments only
- Read-Only Viewer - View-only access to reports and data
What is a Permission?
A permission is a specific action or capability within the system. Permissions control access to features and functions.
Examples of permissions:
- View Devices - Can see the device list
- Add Devices - Can create new device records
- Checkout Device - Can check out devices to users
- View Incidents - Can see incident reports
- Delete Incidents - Can permanently delete incidents
- Manage Administrators - Can create and manage admin accounts
Permissions are organized into categories:
- Users - User management permissions
- Devices - Device management permissions
- Carts - Cart management permissions
- Incident - Incident and repair permissions
- Invoice - Billing and invoice permissions
- Tickets - Support ticket permissions
- Settings - System configuration permissions
- MDM - Mobile Device Management permissions
- Rooms - Room assignment permissions
How Roles Work
Role Assignment
- You create roles with specific permissions (e.g., "Building Secretary" role)
- You assign the role to administrators when creating/editing their accounts
- The administrator inherits all permissions from that role
- Changes to the role immediately affect all administrators with that role
When you modify a role's permissions, all administrators assigned to that role immediately inherit the changes. No logout or re-login required.
Role + Building Access
Roles work together with building access to control administrator capabilities:
- Role = What they can DO (e.g., "Checkout Device")
- Building Access = What they can SEE (e.g., "Lincoln Elementary")
Example:
- Role: "Building Secretary" (has permission to Checkout Device)
- Building Access: Lincoln Elementary only
- Result: Can check out devices, but only sees devices from Lincoln Elementary
Viewing Roles
The View Roles page shows all roles in your system:
| Column | What It Shows |
|---|---|
| Role Name | Display name of the role |
| Description | Brief explanation of the role's purpose |
| Actions | Edit button (Delete button for Super Admins only) |
Example:
| Role Name | Description | Actions |
|---|---|---|
| Technology Admin | Full system access | Edit |
| Building Secretary | Device checkout and user management | Edit |
| Help Desk Support | Support ticket access only | Edit |
| Billing Clerk | Invoice and payment management | Edit |
Creating a New Role
Step-by-Step Process
- Navigate to Administrators > Manage Roles
- Click the Add Role button
- Fill out the form:
  - Name - Display name for the role (e.g., "Building Secretary")
  - Description - Brief explanation of purpose (e.g., "Device checkout and basic user management")
  - Permissions - Check all permissions this role needs (organized by category)
  - System Emails - Whether role receives system notification emails
  - Support Emails - Whether role receives support ticket emails
- Click Add to create the role
The role is immediately available for assignment to administrators.
Form Fields Explained
Basic Information
Name (Required)
- Display name shown in administrator accounts
- Should reflect the job function
- Examples: "Technology Administrator", "Building Secretary", "Help Desk Support", "Billing Clerk"
- Minimum 2 characters
Description (Required)
- Brief explanation of the role's purpose
- Helps distinguish between similar roles
- Appears in role selection dropdowns
- Examples: "Full system access for IT staff", "Device checkout for building secretaries"
- Minimum 2 characters
Permissions
Permissions are organized by category. Check the boxes for all permissions this role needs.
Users Category
Controls access to student/staff user management:
- View Users - See the user list
- Add Users - Create new user records
- Edit Users - Modify existing users
- Delete Users - Permanently remove users
- Import Users - Bulk import from CSV/SIS
- Checkout Device - Check out devices to users (also used for cart checkouts)
Most roles that need user access require View Users + Edit Users together. Viewing without editing is rarely useful.
Devices Category
Controls access to device inventory management:
- View Devices - See the device list
- Add Devices - Create new device records
- Edit Devices - Modify existing devices
- Delete Devices - Permanently remove devices
- Import Devices - Bulk import from CSV
- Export Devices - Generate device export files
View Devices also grants access to view device profiles (tabs like activity log, checkout history, etc.), but some tabs require additional permissions (e.g., View Activity Log for the activity log tab).
Carts Category
Controls access to cart management:
- View Carts - See the cart list
- Add Carts - Create new cart records
- Edit Carts - Modify existing carts
- Delete Carts - Permanently remove carts
- Manage Cart Devices - Add/remove devices from carts
Note: Cart checkouts currently use the Checkout Device permission (from Users category).
Incident Category
Controls access to device damage and repair tracking:
- View Incidents - See the incident list
- Create Incidents - Create new incident reports
- Edit Incidents - Modify existing incidents
- Delete Incidents - Permanently remove incidents
- Add Incident Log - Add notes to incident timeline
- Delete Incident Log - Remove notes from incident timeline
- Add Photos - Upload incident photos
- View Confidential Data - See confidential incident fields
- Edit Confidential Data - Modify confidential incident fields
- View Passwords - See stored device passwords in incidents
- Edit Passwords - Modify stored device passwords
View Passwords, Edit Passwords, View Confidential Data, and Edit Confidential Data grant access to sensitive information. Only assign to trusted staff who genuinely need access.
Invoice Category
Controls access to billing and payment management:
- View Invoices - See the invoice list
- Add Invoices - Create new invoices
- Edit Invoices - Modify existing invoices
- Delete Invoices - Permanently remove invoices
- Process Payments - Record payment transactions
Tickets Category
Controls access to support help desk:
- View Support Tickets - See and respond to support tickets
- Delete Support Tickets - Permanently remove tickets
Settings Category
Controls access to system configuration:
- Manage Settings - Access to system settings and configuration
- View Reports - Access to system reports
- Statistics - View statistical dashboards
- View Activity Log - Access to administrator activity audit trail
Manage Settings grants access to system-wide configuration. Only assign to senior IT staff or system administrators.
MDM Category
Controls access to Mobile Device Management:
- View MDM - See MDM status and commands
- Manage MDM - Send MDM commands to devices
Rooms Category
Controls access to room/classroom management:
- View Rooms - See room assignments
- Manage Rooms - Create and modify rooms
Administrator Category
Controls access to administrator account management:
- Manage Administrators - Create, edit, and manage administrator accounts
- Assign Roles - Modify role assignments
Manage Administrators allows creating new admins and modifying permissions. Only assign to trusted senior staff.
Email Notifications
System Emails
- Check this box if administrators with this role should receive system notification emails
- Examples: Device low inventory alerts, backup completion notices, system errors
- Typically enabled for technology administrators only
Support Emails
- Check this box if administrators with this role should receive support ticket notification emails
- Works in conjunction with department assignments (configured per administrator)
- Typically enabled for help desk and support staff
Common Use Cases
Scenario 1: Creating a "Building Secretary" Role
Building secretaries need to check out devices and manage basic user information:
- Click Add Role
- Enter information:
  - Name: Building Secretary
  - Description: Device checkout and basic user management
- Check permissions:
  - Users: View Users, Edit Users, Checkout Device
  - Devices: View Devices
  - Carts: View Carts
- Leave System Emails and Support Emails unchecked
- Click Add
Result: Building secretaries can see users and devices, check out devices/carts, but cannot modify device inventory or access sensitive data.
Scenario 2: Creating a "Help Desk Support" Role
Help desk staff need ticket access but shouldn't see device inventory or student data:
- Click Add Role
- Enter information:
  - Name: Help Desk Support
  - Description: Support ticket access only
- Check permissions:
  - Tickets: View Support Tickets
  - Optionally: View Users (if they need to look up user information)
- Check Support Emails
- Click Add
Result: Help desk staff can view and respond to tickets, receive ticket notifications, but cannot access devices, incidents, or invoices.
Scenario 3: Creating a "Repair Technician" Role
IT technicians need full incident and device access:
- Click Add Role
- Enter information:
  - Name: Repair Technician
  - Description: Full incident and device management
- Check permissions:
  - Users: View Users
  - Devices: View Devices, Edit Devices, Add Devices
  - Incident: View Incidents, Create Incidents, Edit Incidents, Add Incident Log, Add Photos
  - Settings: View Reports (for repair statistics)
- Leave sensitive permissions unchecked (View Passwords, Delete capabilities)
- Click Add
Result: Technicians can manage devices and incidents, but cannot delete records or access confidential data.
Scenario 4: Creating a "Billing Clerk" Role
Accounts payable staff need invoice access only:
- Click Add Role
- Enter information:
  - Name: Billing Clerk
  - Description: Invoice and payment management
- Check permissions:
  - Invoice: View Invoices, Add Invoices, Edit Invoices, Process Payments
  - Optionally: Users: View Users (to look up user information for billing)
- Click Add
Result: Billing staff can manage invoices and payments without accessing devices, incidents, or system settings.
Scenario 5: Creating a "Read-Only Auditor" Role
District auditors need to see data but not modify anything:
- Click Add Role
- Enter information:
  - Name: Read-Only Auditor
  - Description: View-only access for compliance reviews
- Check permissions:
  - Users: View Users
  - Devices: View Devices
  - Incident: View Incidents
  - Invoice: View Invoices
  - Settings: View Reports, View Activity Log
- Do NOT check any Add, Edit, Delete, or Manage permissions
- Click Add
Result: Auditors can review all data but cannot make any changes.
Editing Roles
The Edit Role page uses the same form as Add Role.
To edit a role:
- Go to Administrators > Manage Roles
- Find the role in the table
- Click Edit next to the role name
- Modify name, description, or permissions
- Click Save
Changes to role permissions immediately affect all administrators assigned to that role. They don't need to log out and back in.
Common role edits:
- Add new permissions when job duties expand
- Remove permissions that are no longer needed
- Update description for clarity
- Enable/disable email notifications
Deleting Roles
Only Super Administrators can delete roles. Regular administrators cannot permanently delete roles.
When you CAN delete:
- Role was just created by mistake
- No administrators are currently assigned to this role
When you CANNOT delete:
- Any administrators are assigned to this role
- Default system roles (cannot be deleted)
What to do instead: If administrators are assigned to the role:
- Edit each administrator and change them to a different role
- Once no administrators use the role, you can delete it
Or simply leave the unused role in the system - it doesn't cause any harm.
Best Practices for Role Design
Follow Job Functions
Design roles around actual job responsibilities:
✅ Good role design:
- "Building Secretary" - checkout and basic user management
- "Repair Technician" - incidents and devices
- "Help Desk Support" - tickets only
- "Billing Clerk" - invoices and payments
❌ Poor role design:
- "Full Access" - everyone gets everything
- "Bob's Custom Role" - specific to one person instead of a job function
- "Temporary Access" - inconsistent or undefined permissions
Principle of Least Privilege
Grant only the minimum permissions needed:
✅ Do:
- Start with minimal permissions and add more as needed
- Review what staff actually do day-to-day
- Remove permissions that aren't being used
- Separate sensitive permissions (delete, confidential data) from routine ones
❌ Don't:
- Give everyone the same broad role "just in case"
- Grant delete permissions unless absolutely necessary
- Provide access to confidential data unless required
- Create "super user" roles for convenience
Reusable and Scalable
Design roles that can be assigned to multiple people:
✅ Good approach:
- Create "Building Secretary" role once
- Assign it to all building secretaries
- Update the role when job duties change for all secretaries
❌ Poor approach:
- Create "Lincoln Secretary" and "Roosevelt Secretary" roles (separate per building)
- Create custom roles for each individual person
- Mix permissions from unrelated job functions
Regular Review
Periodically review roles to ensure they still match job responsibilities:
Review questions:
- Are these permissions still appropriate for this job function?
- Are there unused permissions that can be removed?
- Have job duties changed requiring different permissions?
- Are sensitive permissions properly restricted?
- Do new features require updating roles?
Tips for Managing Roles
✅ Do:
- Use descriptive role names that reflect job functions
- Write clear descriptions explaining the role's purpose
- Start with minimal permissions and add more as needed
- Test roles by assigning them to test accounts
- Document why specific permissions were granted
- Review roles annually or when job duties change
- Use the "Toggle All" button carefully - review what it selects
❌ Don't:
- Create a new role for every individual person
- Grant permissions "just in case they might need it"
- Give everyone delete capabilities
- Assign sensitive permissions (passwords, confidential data) broadly
- Forget that role changes affect all assigned administrators immediately
- Create roles with conflicting permission combinations
Understanding Permission Dependencies
Some features require multiple permissions to work properly:
Device Management:
- View Devices - Required to see devices
- Edit Devices - Allows modifications
- Together they provide full device management
Incident Workflow:
- View Incidents - Required base permission
- Add Incident Log - Allows adding notes to incidents
- Add Photos - Allows uploading incident photos
- All three work together for complete incident management
User Checkout Process:
- View Users - Required to see users
- View Devices - Required to see devices
- Checkout Device - Required to perform checkout
- All three needed for the checkout workflow
Device Profile Tabs:
- View Devices - Grants access to device profile
- View Activity Log - Required to see Activity Log tab on device profile
- View Incidents - Required to see Incident History tab on device profile
When troubleshooting "why can't they do X?", check if they have ALL required permissions for that workflow, not just one.
Common Questions
Q: What happens if I change a role that's assigned to many administrators? All administrators with that role immediately inherit the new permissions. Changes are instant and don't require logout/login.
Q: Can one administrator have multiple roles? No, each administrator is assigned exactly one role. If they need permissions from multiple roles, create a new combined role or modify their existing role.
Q: What's the difference between "Manage Administrators" and "Assign Roles" permissions?
- Manage Administrators - Can create, edit, and manage administrator accounts
- Assign Roles - Can modify which role is assigned to administrators
Some districts use both, some use only Manage Administrators. Check your district's permission structure.
Q: Why can't I delete a role? Either you're not a Super Administrator, or the role is currently assigned to one or more administrators. Reassign those administrators to different roles first, then delete.
Q: Should I enable System Emails for every role? No. System emails are technical notifications (low inventory, errors, backup status). Only technology administrators typically need these.
Q: Should I enable Support Emails for roles that don't work help desk? No. Support Emails send ticket notifications. Only enable for roles that actively work support tickets (Help Desk, Technology Support, etc.).
Q: What does "Toggle All" do? It checks all permission checkboxes on the page. Use with caution! This creates a role with full system access. Only appropriate for technology administrators.
Q: Can I rename the "name" field after creating a role? Yes, when editing a role you can change the display name. This won't affect administrators already assigned to the role.
Q: How do I know which permissions a specific administrator has? Edit the administrator and note their role, then view that role to see the complete permission list.
Q: Are there default roles I can use? Some installations include default roles like "Administrator" or "Building Admin". You can use these as-is or create your own. Default roles can be edited but some cannot be deleted.
Q: What's the "superadmin" role? That's the system-level Super Administrator role reserved for Manage1to1 support and district Point of Contact. It cannot be assigned by regular administrators and should not be modified.
Security Considerations
Sensitive Permissions:
These permissions grant access to sensitive data or destructive actions. Assign carefully:
- Delete capabilities (users, devices, incidents, invoices, tickets) - Permanent removal
- View Passwords / Edit Passwords - Access to stored device passwords
- View Confidential Data / Edit Confidential Data - Access to sensitive incident details
- Manage Administrators - Can create new admins and modify access
- Manage Settings - Can change system-wide configuration
Principle of Least Privilege:
- Grant only permissions needed for actual job duties
- Review and remove unused permissions
- Separate routine permissions from sensitive ones
- Require approval for roles with destructive permissions
Regular Audits:
- Review role permissions annually
- Check which administrators are assigned to each role
- Remove permissions that aren't being used
- Update roles when job duties change
- Document why sensitive permissions were granted
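An added example (not Manage1to1 code) that supports the annual audit: it checks role definitions against the workflow dependencies listed under Understanding Permission Dependencies and flags the permissions listed under Sensitive Permissions. It assumes roles are written out by hand as plain name-to-permission lists; the dependency mapping and the "Front Desk" and "Incident Lead" roles are constructed for illustration.

```python
# Added example: offline audit of role definitions. Not Manage1to1 code; the
# product's real export format is unknown, so roles are plain dicts here.

# Action permission -> permissions it depends on, as read from the page's
# "Understanding Permission Dependencies" lists (the mapping is an assumption).
REQUIRES = {
    "Checkout Device": {"View Users", "View Devices"},
    "Edit Devices": {"View Devices"},
    "Add Incident Log": {"View Incidents"},
    "Add Photos": {"View Incidents"},
}

# Permissions the page lists under "Sensitive Permissions".
SENSITIVE = {
    "View Passwords", "Edit Passwords",
    "View Confidential Data", "Edit Confidential Data",
    "Manage Administrators", "Manage Settings",
}


def is_sensitive(permission):
    """Delete capabilities are treated as sensitive in every category."""
    return permission in SENSITIVE or permission.startswith("Delete ")


def audit_role(permissions):
    """Return (missing dependencies, sensitive permissions) for one role."""
    granted = set(permissions)
    missing = {
        perm: sorted(needs - granted)
        for perm, needs in REQUIRES.items()
        if perm in granted and not needs <= granted
    }
    sensitive = sorted(p for p in granted if is_sensitive(p))
    return missing, sensitive


def audit_all(roles):
    """Audit every role; keep only roles with at least one finding."""
    findings = {}
    for name, permissions in roles.items():
        missing, sensitive = audit_role(permissions)
        if missing or sensitive:
            findings[name] = {"missing": missing, "sensitive": sensitive}
    return findings


# Constructed sample data. The first role follows Scenario 1 on this page;
# the other two are hypothetical roles built to trigger findings.
SAMPLE_ROLES = {
    "Building Secretary": ["View Users", "Edit Users", "Checkout Device",
                           "View Devices", "View Carts"],
    "Front Desk": ["View Users", "Checkout Device"],
    "Incident Lead": ["View Incidents", "Edit Incidents", "Delete Incidents",
                      "Add Photos", "View Passwords"],
}

if __name__ == "__main__":
    for role, result in audit_all(SAMPLE_ROLES).items():
        print(role, result)
```

A "missing" finding explains a "why can't they do X?" report; a "sensitive" finding is a prompt to confirm the documented reason for the grant.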
Next Steps
- To assign roles to administrators: See Add Administrator
- To review who has what access: See View Administrators
- To audit administrator actions: Check the Activity Log
Well-designed roles aligned with job functions make administrator access management efficient, secure, and maintainable.