Understanding User Permission Levels in Brief Connect
Brief Connect uses a flexible permission model that provides different levels of access across the system. This guide explains the three main user permission levels and how they work together to control access to features and records.
Overview
There are three primary permission levels in Brief Connect:
- System Administrator - Full system-wide administrative access
- Record Administrator - Super-user access scoped to specific record types
- User - Standard access based on assigned permissions
These levels work together to provide both broad system management capabilities and granular record-level security.
Key Permission Principles
Brief Connect follows a deny-by-default security model:
- Entry Requirement: Users must be added to the configured "All Users" Azure AD (Entra ID) group to access Brief Connect at all
- No Inherited Access: Users don't automatically get access to any records - access must be explicitly granted
- Explicit Assignment: Users receive record access primarily through Permission Sets assigned via Role Assignments that match specific criteria
- Granular Control: Access is granted based on user identity, group membership, record roles, organisational units, stages, and field conditions
Permission Level Details
1. System Administrator
System Administrators have elevated privileges across the entire Brief Connect system. They can manage system configuration, access all administrative features, and have full control over all records.
How Users Become System Administrators
A user is granted System Administrator status in one of two ways:
-
Via Permission Set (Recommended): Assigned an "Admin" permission set through a Role Assignment
-
Best practice: Use an Azure AD (Entra ID) security group to target system administrators
- More manageable and auditable than individual user assignments
- Easy to add/remove users by managing group membership
-
Via Environment Variable (Fallback): Listed in the
AdminEntraIdenvironment variable in the Azure Function App settings -
Use this as a backup/emergency access method to prevent lockout
- Useful for break-glass admin accounts
- Requires direct access to Azure Function App configuration
SharePoint Site Access
Granting System Administrator permissions in Brief Connect does not automatically grant access to SharePoint configuration lists or the Admin Panel UI components stored in SharePoint.
Recommended approach: Grant the same Azure AD group used for System Administrators as SharePoint Site Owners on the Brief Connect SharePoint site. This provides full access to configure all aspects of the system.
Fine-grained approach: You can customise SharePoint permissions separately:
- Grant Site Members access to specific users who should only manage certain lists (e.g., Document Templates, Proxy Users)
- Keep Site Owners restricted to full system administrators
- Use out-of-the-box SharePoint permissions to control access to the Term Store and other SharePoint features
For detailed configuration instructions, see Administrator Access Rights.
System Administrator Capabilities
System Administrators automatically receive the following permissions:
| Capability | Description |
|---|---|
| Access Admin Module | Full access to the Admin Panel (/#/adminPanel) to configure system settings |
| View All Records | Can see and access all records regardless of normal permissions |
| Edit Record Metadata | Can modify record information and properties |
| Reassign Roles | Can change user assignments on any record |
| Manage Documents | Full document control (add, edit, delete, upload signed documents) |
| View All Documents | Can access all documents on any record |
| Execute Bulk Updates | Can perform bulk operations across multiple records |
| Export Documents | Can export and download record documents |
| Create Records | Can create new records (v2.3.0+, see below) |
| Cancel Records | Can cancel any record |
| Place Records on Hold | Can place records in hold status |
| Take No Further Action | Can close records with no further action |
| Withdraw Records | Can withdraw records from the workflow |
| Supersede Records | Can mark records as superseded by newer records |
| Workflow Admin Override | When WorkflowAdminOverrideEnabled is enabled, can manually progress stuck workflows |
System Administration Use Cases
- Configuring record types, fields, workflows, and permission sets
- Managing system-wide settings and feature flags
- Troubleshooting stuck workflows or access issues
- Performing data exports and bulk operations
- Managing proxy users and system integrations
- Accessing logs and audit trails
2. Record Administrator
Record Administrators have super-user access scoped to specific record types. This level allows delegated record management with full read/write permissions on those records without granting system-wide configuration access.
How Users Become Record Administrators
A user is considered a Record Administrator for specific records if:
- They are a System Administrator (System Admins are automatically Record Admins for all records)
-
They have an "Admin" permission set assigned through a role assignment with specific targeting:
-
Recommended: Scope by Content Type (record type) to grant super-user access to all records of that type
- Recommended: Use Azure AD (Entra ID) security groups to target Record Administrators for easier management
- Can be further filtered by organisation, stage, or field conditions if needed
The backend uses the isCurrentUserRecordAdmin flag to determine record admin status for each record individually.
Record Administrator Capabilities
Record Administrators have super-user permissions on the records where they have admin rights, including:
- Full read and write access to record metadata and documents
- Ability to reassign any roles on the record
- Ability to proxy for anyone on the record workflow (act on their behalf)
- Access to all workflow actions, including admin overrides (when enabled)
- Complete control over the record lifecycle (cancel, hold, withdraw, supersede)
They do NOT have access to:
- The Admin Module / Admin Panel
- System-wide configuration settings
- Records where they haven't been granted admin permissions (unless they're also System Admins)
When to Use Record Administrators
Record Administrators are ideal when you need to grant super-user access to specific record types without giving full system configuration access. Common use cases:
- Business unit leads who manage specific record types
- Support engineers who need elevated access for specific record types
- Process owners who need full control over their record type workflows
Record Administration Use Cases
- Managing all records of a specific type (e.g., all Cabinet Submissions)
- Providing escalated support for particular record types
- Allowing business unit leads to have admin control over their record types
- Enabling workflow overrides for specific record types when troubleshooting
- Acting as proxy for any user on records of specific types
- Granting temporary elevated access for specific record types without full system access
3. User (Standard User)
Users (also called Standard Users) are regular Brief Connect users whose access is controlled by permission sets assigned through role assignments.
Prerequisites for User Access
Before a user can access Brief Connect at all, they must:
- Be added to the "All Users" Azure AD (Entra ID) group configured in the Brief Connect backend application settings
- This group grants basic "user-level" access to the Brief Connect application
Without membership in this group, users cannot log in to Brief Connect, even if they have permission sets configured.
How User Permissions Work
Once users have basic access, they receive record-specific permissions through:
- Permission Sets: Define what actions users can perform (e.g., view records, edit documents, create records)
-
Role Assignments: Link permission sets to users based on:
-
User identity (specific user IDs or UPNs)
- Azure AD group membership
- Record roles (e.g., Author, Approver, Endorser)
- Organisational units
- Record stages
- Field conditions
Important: Brief Connect follows a deny-by-default model:
- Users don't automatically get access to any records
- Access must be explicitly granted through role assignments that match permission sets to users
- Most commonly, users receive access by matching role assignment rules (e.g., being assigned to a record role like "Author" or "Approver", which in turn grants specific permissions determined by the associated Permission Set)
- Less commonly, users can be granted direct view-only access to individual records without permission set configuration
For configuration details, see:
User Capabilities
User capabilities vary based on their assigned permission sets. Common permissions include:
| Permission | Description |
|---|---|
| View Record | Can view record details |
| View Own Documents | Can see documents they have access to |
| View All Documents | Can see all documents on accessible records |
| Edit Record Metadata | Can modify record information |
| Edit Record Limited Access | Can edit specific fields only (e.g., during approval stages) |
| Add Documents | Can upload new documents to records |
| Edit Documents | Can modify document properties and metadata |
| Delete Documents | Can remove documents from records |
| Upload Signed Documents | Can upload signed versions of documents |
| Edit Supporting Documents | Can manage supplementary documentation |
| Reassign Roles | Can modify People & Roles assignments |
| Cancel Record | Can cancel records |
| Place Record on Hold | Can put records in hold status |
| Withdraw Record | Can withdraw records from workflow |
| Take No Further Action | Can close records |
| Supersede Record | Can mark records as superseded |
| Export Documents | Can export and download documents |
| Execute Bulk Update | Can perform bulk operations |
| Create Record | Can initiate new records (v2.3.0+, configurable by record type) |
| Add Activity Log Comment | Can add comments to the activity log |
Standard User Use Cases
- Creating and submitting records for approval (when granted the "Can Create Record" permission)
- Reviewing and approving records as part of workflows
- Collaborating on documents within assigned records
- Viewing records relevant to their role or department
- Managing their notification preferences and proxy settings
Permission Hierarchy
The permission levels follow this hierarchy:
System Administrator
↓ (has all capabilities)
Record Administrator
↓ (has record-specific capabilities)
User
↓ (has permission set capabilities)
Key principles:
- System Administrators automatically have Record Administrator privileges on all records
- Record Administrators have admin capabilities only for specific records
- Users have granular permissions defined by their permission sets
- Higher-level permissions always include lower-level capabilities
Common Scenarios
Scenario 1: Business Unit Administrator
Need: A business unit manager needs super-user access to all Cabinet Submission records but shouldn't access system-wide settings.
Solution:
- Create an Azure AD group (e.g., "BC - Cabinet Submissions - Record Admins")
- Add the business unit manager to this group
-
Create a Role Assignment:
-
Content Type Scope: Cabinet Submission
- Permission Set: Admin
- AAD Group Name: BC - Cabinet Submissions - Record Admins
- They now have super-user access to all Cabinet Submission records without Admin Panel access
Scenario 2: Support Engineer Troubleshooting
Need: A support engineer needs to resolve a stuck workflow on a specific record.
Solution:
- If they are a System Administrator: They can use the workflow override feature
- If not: Temporarily grant them an "Admin" permission set for that specific record to become a Record Administrator
Scenario 3: Document Collaborator
Need: A team member needs to add and edit documents on specific records but not modify record metadata.
Solution:
- Create a custom permission set with document permissions enabled
- Assign it through a role assignment as a User with the "Collaborator" role
Scenario 4: System Configuration
Need: Someone needs to create new record types, configure workflows, or manage system settings.
Solution:
- Create an Azure AD group (e.g., "BC - System Administrators")
- Add the user to this group
-
Create a Role Assignment:
-
Content Type Scope: All
- Permission Set: Admin
- AAD Group Name: BC - System Administrators
- Grant this Azure AD group Site Owner permissions on the Brief Connect SharePoint site
- Optionally, add a break-glass admin account to the
AdminEntraIdenvironment variable - They now have full system access including the Admin Panel and SharePoint configuration lists
Related Documentation
Configuration Guides
- Administrator Access Rights - How to configure system administrators
- Permission Sets - Creating and managing permission sets
- Role Assignments - Assigning permissions to users
Advanced Topics
- Filtering by Field Values in Role Assignments - Conditional permissions
- Background Permissions Management - How permissions are processed
- Information Security Classification (ISC) - Security classifications
Troubleshooting
- Resolving Stuck Workflows with Admin Override - Using admin capabilities to fix workflows
- Access Caveats Troubleshooting - Resolving access issues
Internal Resources
- Internal Wiki: Inspect record permissions from GetRecord