Understanding Permission Levels

This page explains how to grant Record Administrator rights. For an overview of how permission levels work together (System Admin, Record Admin, and User), see Understanding User Permission Levels.

Granting Record Administrator Rights

Record Administrators have super-user access scoped to specific record types, without full system-wide configuration rights. They can manage records, documents, workflows, and roles for those records, but they do not gain access to the Admin Panel or global configuration unless they are also System Administrators.

For a detailed description of Record Administrator capabilities and how they differ from other permission levels, see the Record Administrator section in Understanding User Permission Levels.


How Users Become Record Administrators

A user is considered a Record Administrator for specific records when:

  1. They are a System Administrator (System Administrators are automatically Record Administrators for all records), or
  2. They have an Admin permission set assigned via a Role Assignment that targets:
    • Specific record types (Content Type Scope), and optionally
    • Organisations, stages, or field conditions.

This configuration is managed through the Admin Panel → Configuration Manager → Role Assignments.


Granting Record Administrator Rights via Admin Panel

Prerequisites

  • You must already have System Administrator access to open the Admin Panel.
  • An Admin permission set must exist in configuration so it can be selected in Role Assignments.
    • The row key/name must be exactly Admin (case-sensitive).
    • If it doesn’t exist, create a new permission set named Admin in the Permission Sets tab – you don’t need to enable any specific permissions for it to work as the Record Administrator permission set.
  • You should know which record types (Content Types) and groups/users need Record Admin rights.

Step 1: Open Role Assignments

  1. Sign in to Brief Connect as a System Administrator.
  2. Navigate to the Admin Panel (/#/adminPanel).
  3. Go to Configuration Manager → Role Assignments.
  4. If you are not familiar with Role Assignments, see Role Assignments for a full walkthrough.

Step 2: Create a Record Admin Role Assignment

To grant Record Administrator rights for one or more record types:

  1. Select Add Assignment.
  2. Configure the following fields:
    • Content Type Scope:
      • Choose the record type(s) for which users should become Record Administrators (for example, Cabinet Submission).
      • Do not use All for Record Admin assignments. When the Admin permission set is combined with Content Type Scope = All, users are treated as System Administrators instead of Record Administrators.
    • Unique Identifier:
      • Provide a meaningful name, e.g. Cabinet Submission Record Admins.
    • Description:
      • Describe the purpose, e.g. Grants Admin permission set to Entra group for Cabinet Submission records.
    • Permission Set:
      • Select the Admin permission set.
    • AAD Group Name (recommended):
      • Enter one or more Azure AD (Entra ID) group display names whose members should be Record Admins for the chosen record types (e.g. BC - Cabinet Submissions - Record Admins).
    • User ID (optional):
      • Add individual users (using Graph User ID or UPN) if needed for targeted or temporary Record Admin access.
  3. Optionally configure additional targeting:
    • Organisation:
      • Restrict Record Admin rights to specific organisational units if required.
    • Stage:
      • Limit rights to certain workflow stages if you only want Record Admin control at particular points in the process.
    • Field:
      • Apply conditional rules (for example, only grant Record Admin rights when a classification field has a specific value).
  4. Select Save to create the role assignment.

Once saved, any user who matches this role assignment with the Admin permission set becomes a Record Administrator for records that meet the assignment criteria.
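
One way to review a list of role assignments against the rules stated on this page: Admin combined with Content Type Scope = All is treated as System Administrator, and the permission set name must be exactly Admin. This is an added example, not Brief Connect code; the dictionary field names and the sample rows are assumptions made for illustration.

```python
# Added example. Field names are assumed; they are not Brief Connect's schema.
ADMIN_SET = "Admin"   # the page requires this exact, case-sensitive name
ALL_SCOPE = "All"     # Admin + this scope is treated as System Administrator

def classify(a):
    """Return (effective_level, findings) for one role-assignment dict."""
    pset = a.get("permission_set", "")
    scope = a.get("content_type_scope") or []
    findings = []
    if pset != ADMIN_SET:
        if pset.strip().lower() == ADMIN_SET.lower():
            findings.append("permission set is not exactly 'Admin'; name is case-sensitive")
        return "standard", findings
    if not scope:
        # The page does not say how an empty scope is evaluated, so do not guess.
        return "unknown", ["Admin set with no Content Type Scope; review manually"]
    if ALL_SCOPE in scope:
        level = "system-admin"
        findings.append("Admin + Content Type Scope = All is treated as System Administrator")
    else:
        level = "record-admin"
    if a.get("user_ids"):
        findings.append("individual User ID grant; confirm it is still needed")
    return level, findings

def audit(assignments):
    """Return {assignment id: (level, findings)} for every elevated or flagged row."""
    report = {}
    for a in assignments:
        level, findings = classify(a)
        if level != "standard" or findings:
            report[a["id"]] = (level, findings)
    return report

# Constructed sample input (not real configuration).
SAMPLE = [
    {"id": "Cabinet Submission Record Admins", "permission_set": "Admin",
     "content_type_scope": ["Cabinet Submission"],
     "aad_groups": ["BC - Cabinet Submissions - Record Admins"], "user_ids": []},
    {"id": "Ops Admins", "permission_set": "Admin",
     "content_type_scope": ["All"], "aad_groups": ["BC - Ops"], "user_ids": []},
    {"id": "Temp Cover", "permission_set": "Admin",
     "content_type_scope": ["Cabinet Submission"], "user_ids": ["user@example.org"]},
    {"id": "Misnamed", "permission_set": "admin",
     "content_type_scope": ["Cabinet Submission"], "aad_groups": ["BC - Other"]},
    {"id": "Drafters", "permission_set": "Contributor",
     "content_type_scope": ["Cabinet Submission"], "aad_groups": ["BC - Drafters"]},
]

if __name__ == "__main__":
    for name, (level, findings) in audit(SAMPLE).items():
        print(f"{name}: {level}", *findings, sep="\n  - ")
```
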


Validating Record Administrator Access

To check whether a user has Record Admin rights:

  1. Confirm that:
    • They are a member of the targeted AAD group(s) used in the Record Admin role assignment, or
    • They are explicitly configured in the User ID field, and
    • The record they are accessing matches the Content Type Scope and any Organisation/Stage/Field conditions on the assignment.
  2. Ask the user to sign out and sign back in to Brief Connect to refresh permissions.
  3. On matching records, they should be able to:
    • View and edit all record metadata.
    • Manage documents, including upload, edit, delete, and export.
    • Reassign roles and act as proxy for any user on the record where allowed.
    • Use admin-level workflow actions where enabled (for example, admin overrides on stuck workflows).

They will not be able to:

  • Access the Admin Panel (unless they are also a System Administrator).
  • Configure global system settings or other record types that are outside the scope of the assignment.

For more detail on effective permissions and examples, see Understanding User Permission Levels.


Example: Business Unit Record Administrators

Scenario: A business unit manager needs super-user access to all Cabinet Submission records, but should not be a System Administrator.

Configuration steps:

  1. Create an Entra ID security group, e.g. BC - Cabinet Submissions - Record Admins.
  2. Add the manager (and any other required users) to this group.
  3. In Admin Panel → Configuration Manager → Role Assignments, create a new assignment:
    • Content Type Scope: Cabinet Submission
    • Permission Set: Admin
    • AAD Group Name: BC - Cabinet Submissions - Record Admins
  4. Save the assignment.

Members of this group will now act as Record Administrators for all Cabinet Submission records, with the capabilities described in Understanding User Permission Levels, but without full System Administrator privileges.