
Roles & Permissions

Roles and permissions define the access levels of users. A single user can be given multiple roles, and the user's access to the system depends on the permissions those roles grant.

Functionality

The functionality for roles and permissions is facilitated through creating:

  • Activity
  • Permission
  • Roles

Activity

An activity is any action performed in the Mifos system. An activity could be changing a particular entity, creating a new entity, or changing the state of an entity from "pending approval" to "approved". Other examples include creating a new fee type, waiving a fee, and applying a miscellaneous fee to an account. Permissions are defined for all the activities that can be performed in the Mifos system.

Permissions

  • A permission can cover a single activity or a group of activities. Critical Mifos system activities are assigned individual permissions, while those with minimal criticality are assigned group permissions.
  • Permission is granted to a role. All users who have been assigned that role can perform that activity, based on the users’ Data Scope. Permissions are built into the system. New permissions cannot be configured. Hence:
    • If an activity is not defined in the system, permission for that activity cannot be granted to a role. There is no UI for adding activities in the system.
    • If an activity is grouped with other activities for permission, the activity cannot be granted an individual permission.
    • Permissions cannot be granted outside a role. To handle the scenario where a user has to be granted extra permissions, the user should be assigned to a role that gives the required permissions, or a new role can be created.

For example, an LO user might be able to save a client in Partial and also move the client to Pending Approval, or Cancelled. But the LO user might not be able to move a client to Active. The LO in this example has permission for the following activities:

  • Moving a record from the Partial to the Cancelled state.
  • Moving a record to the Pending Approval state.

However, the LO user does not have permission for moving a record to the Active state.

In version 1.0, read or view permission is granted by default. Users can view details according to their data scope. Thus, an LO is able to view only the details of the clients assigned to them.

Roles

Roles are groups of permissions managed by the HO. The MFIs create and name the roles, and may or may not match these names to designations (titles) within their organizations. The same roles apply to all the users in all the offices under an HO.

Mifos ships with a predefined role called “admin”. The admin role has all the permissions and can be used to create other roles.

  • Creation of roles is considered an activity, and permissions are associated with it. There is no limit on the number of roles that can be assigned to a user. The permissions of a user assigned to multiple roles are the union of the permissions of those roles. For example, if a user’s current role has the “create” permission for a particular screen and an extra role that has the “modify” permission is then assigned to the user, the user can create and modify the records.
  • Permissions associated with a role can be modified. If a role is modified, all the users associated with the role inherit the change. Similarly, a role can be deleted. When a role is deleted, all users assigned that role have the respective permissions revoked from their next login onwards. However, if the user has the same permission through another role that is still active, the permission remains granted to the user.
  • Users are not given any permission outside roles.
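
The union and role-deletion rules above, modelled as an added Python example (not Mifos code). The role, activity and user names are constructed, and resolving permissions once at login is an assumption used to model "from their next login onwards".

```python
# Added illustration of the role rules described above; not Mifos code.
# Role, activity and user names are constructed for this example.

class RoleStore:
    def __init__(self):
        self.roles = {}        # role name -> set of permitted activities
        self.user_roles = {}   # user name -> set of role names

    def define_role(self, name, activities):
        self.roles[name] = set(activities)

    def assign(self, user, role):
        # Permissions are never granted outside a role, so there is no
        # per-user grant method: access changes only through assignment.
        if role not in self.roles:
            raise KeyError(f"unknown role: {role}")
        self.user_roles.setdefault(user, set()).add(role)

    def delete_role(self, name):
        del self.roles[name]
        for assigned in self.user_roles.values():
            assigned.discard(name)

    def effective_permissions(self, user):
        # Union of the permissions of every role the user still holds.
        perms = set()
        for role in self.user_roles.get(user, ()):
            perms |= self.roles[role]
        return frozenset(perms)

class Session:
    """Assumption: permissions are resolved once, at login."""
    def __init__(self, store, user):
        self.permissions = store.effective_permissions(user)

    def can(self, activity):
        return activity in self.permissions

def demo():
    store = RoleStore()
    store.define_role("loan_officer", {"client.create", "client.to_pending"})
    store.define_role("approver", {"client.to_pending", "client.to_active"})
    store.assign("asha", "loan_officer")
    store.assign("asha", "approver")
    open_session = Session(store, "asha")   # logged in before the deletion
    store.delete_role("approver")
    next_login = Session(store, "asha")     # first login after the deletion
    return open_session, next_login
```

In this model the session opened before the deletion still holds `client.to_active` until the user logs in again, while `client.to_pending` survives the deletion because the remaining role also grants it.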

Out of Scope for Version 1.0 

  • Storing photos of users
  • Last login time dependent on if the user has logged off or not
  • Exclusion of dictionary words from acceptable passwords
  • Need to change passwords periodically
  • Mechanism to recover forgotten passwords
  • More than two levels of personnel hierarchy
  • System checking meeting overlap for a Loan Officer
  • Reporting of a user’s performance “Aggregating the performance of all subordinates”

 

last modified 2008-04-02 07:14