Roles Overview

A role is a named access profile that can be assigned to users. DeskDox uses roles to grant administrative capabilities, workflow administration, lifecycle management, document-related capabilities, and other permissions where the permission is implemented.
DeskDox includes built-in/protected role identities in system service/app/services/role_identity.py for system_admin, edms_admin, edms_auditor, edms_user, task_admin, workflow_admin, manager, approver, and department_head. The same source also defines demo_admin as a demo administrator role and admin as a legacy compatibility role. Built-in, protected, and system roles are locked for metadata and permission assignment changes in the current custom-role lifecycle.
Custom roles can be created from /app/admin/roles by users with mutation permission. Custom role names must be lowercase machine names that start with a letter and use lowercase letters, numbers, and underscores.
Roles affect access in two ways: they can make menus and buttons visible in the UI, and they can be checked by system service authorization. A role alone may not grant folder or document access; document and folder permissions, ownership, department membership, workflow assignment, and lifecycle configuration can still limit access.
