Grado’s Role-Based Access Control (RBAC) system allows administrators to fine-tune access by enabling or disabling specific actions within modules.
This ensures that each user only performs tasks appropriate to their role — for example, an Assistant Registrar may create student records but only a Registrar can edit them.
Restricting access reduces errors, protects sensitive data, and supports clear segregation of duties.
Access control settings are managed in Setup > Roles (or in Setup > Permissions for direct permissions).
Each role lists all Grado modules, with checkboxes representing available actions (e.g., View, Edit, Approve).
Admins can check or uncheck permissions as needed to restrict access to specific functions.
💡 Tip: Always review permissions from the role level, not individual user profiles, to ensure consistent access across the same function or department.
Each module in Grado includes one or more action-based permissions.
| Action | Description | Common Use Case |
|---|---|---|
| List All | Allows viewing of the record's index. | |
| View | Allows read-only access to data and reports. | Faculty viewing student lists or grades. |
| Add / Create | Enables creation of new records. | Registrar adding new students or classes. |
| Edit / Update | Allows modification of existing data. | Cashier updating payment details. |
| Delete / Archive | Permits record removal or archival. | System Admin cleaning inactive records. |
| Approve / Publish | Grants authority to finalize or publish data. | Registrar approving enrollment status. |
| Configure / Manage Settings | Access to setup or configuration modules. | System Admin modifying institution settings. |
💡 Note: Not all modules support every action type — high-level permissions like Configure or Approve appear only in administrative areas.
| Scenario | Restriction Setup | Result |
|---|---|---|
| Assistant Principal should view grades but not edit them. | Uncheck Edit Grades under the Grade Book module | Assistant Principal can view Grade Book but cannot modify entries. |
| Registrar should manage student data but not access payments. | Uncheck access to Payments, Fees, Fee Categories, and Refunds. | Registrar cannot open finance-related menus or reports. |
| Assessor should edit assessments but not edit tuition and fees setup. | | Assessors can edit and vet applicable fees and transactions but not change base setup. |
| Finance staff should create payment records but not delete them. | Uncheck Invalidate. | Prevents accidental removal of payment history. |
When users have multiple roles:

- Permissions are merged across all assigned roles.
- If one role allows Edit and another allows only View, the user retains Edit access.
💡 Tip: For users with overlapping roles (e.g., Cashier + Registrar), review combined permissions regularly to ensure they don’t grant unintended privileges.
To enforce stricter limits, create a dedicated restricted role instead of combining broad ones.
Grado supports two ways to manage permissions under its role-based access system:

Role-Based Management (Recommended)
1. Create roles (e.g., Registrar, Cashier, IT Staff).
2. Attach permissions to those roles.
3. Assign the roles to users.

Ideal for larger schools where multiple users share the same responsibilities.

Direct Permission Management
1. Open a user’s profile and go to View/Edit Permissions.
2. Select or deselect specific permissions directly.

Useful for one-off access configurations or testing new modules.
💡 Note: Applying a role template and editing permissions manually both work. When both are used, manual permission edits take precedence and are saved per user, even if their role template changes later.
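The merge and precedence rules above, modeled as an added example (not Grado's code or API): role permissions are unioned, direct per-user edits are applied last, and a review pass flags grants that no role explains and entry/approval pairs held by one user. The role contents, users, override format (per-permission deltas) and conflict pairs are assumptions constructed for illustration.

```python
# Model of the permission rules described above (not Grado's code or API).
# Roles, users, module/action names and overrides are constructed samples.
ROLES = {
    "Assistant Registrar": {("Students", "View"), ("Students", "Add")},
    "Registrar": {("Students", "View"), ("Students", "Add"),
                  ("Students", "Edit"), ("Enrollment", "Approve")},
    "Cashier": {("Payments", "View"), ("Payments", "Add"),
                ("Payments", "Invalidate")},
}
USERS = {"alice": ["Registrar", "Cashier"], "bob": ["Cashier"],
         "carol": ["Assistant Registrar"]}
# Direct per-user edits. Assumption: stored as per-permission deltas,
# True = checked manually, False = unchecked manually.
OVERRIDES = {"bob": {("Payments", "Invalidate"): False},
             "carol": {("Students", "Edit"): True}}
# Constructed pairs one person should not hold together (entry vs. approval).
SOD_PAIRS = [
    (("Students", "Add"), ("Enrollment", "Approve")),
    (("Payments", "Add"), ("Payments", "Invalidate")),
]

def role_permissions(user):
    """Union of every assigned role: the most permissive role wins."""
    merged = set()
    for role in USERS.get(user, []):
        merged |= ROLES.get(role, set())
    return merged

def effective_permissions(user):
    """Role union first, then direct edits, which take precedence."""
    perms = role_permissions(user)
    for perm, granted in OVERRIDES.get(user, {}).items():
        if granted:
            perms.add(perm)
        else:
            perms.discard(perm)
    return perms

def review(user):
    """Findings an access review would raise for one user."""
    perms = effective_permissions(user)
    return {
        "granted_outside_roles": sorted(perms - role_permissions(user)),
        "sod_conflicts": [p for p in SOD_PAIRS if p[0] in perms and p[1] in perms],
    }

if __name__ == "__main__":
    for name in USERS:
        print(name, review(name))
```

In this sample, alice (Registrar + Cashier) holds both conflict pairs, and carol's manually added Edit permission stays in place even if the Assistant Registrar role is later narrowed.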
To prevent a role from seeing a module:
1. Go to Setup > Roles > Edit Role.
2. Locate the module in the list.
3. Uncheck the View permission.

The module and all related menu items will become inaccessible to the user, and a 401 message appears when the user accesses that module.
This is useful when a user’s role doesn’t require that area (e.g., hiding Finance from Academic staff).
💡 Note: Some modules are interdependent. Removing access to Students may also affect access to Classes or Reports.
After updating role permissions:
1. Ask a test user to verify visibility.
2. Adjust permissions as needed and click Save Changes.
Regular access testing helps prevent accidental exposure of confidential data.
Start with minimum permissions and grant additional ones only as needed.
Create separate roles for data entry and approval to maintain checks and balances.
Document all permission changes for audit tracking.
Review access settings whenever new modules or updates are deployed.
💡 Security Tip: For temporary access needs (e.g., replacement staff), assign a role with limited duration and remove it after the period ends.
Access restrictions in Grado are managed through role-based permissions that define exactly what users can view, edit, or approve.
By carefully adjusting module actions under Setup > Permissions, administrators ensure secure, role-appropriate access for all users.