Overview
The Permissions Overview article indicates that “permissions dictate what a user can do in the system.” There are thousands of permissions in SmartCare, and having to grant a user each permission individually would be a huge chore. Instead, user roles are employed to minimize effort and standardize permissions across multiple users.
At its core, a user role is simply a group of permissions that can be assigned to a user. Permissions are granted to a user role, and then the user role is granted to a user. This automatically conveys all of the user role’s permissions to that user.
A user can have more than one user role. User roles are additive, meaning that as long as one of the user’s user roles grants them a permission, then the user will be granted that permission.
Example:
Jenny has the user role “Billing” and the user role “Reception/Front Desk”. The Billing user role grants Jenny access to the “Services (My Office)” list page, even though the Reception/Front Desk user role does not have that permission.
Billing: Services (My Office): Granted
Reception: Services (My Office): Denied
End Result: Jenny is granted permission to the Services (My Office) list page.
CalMHSA User Roles
CalMHSA has created standardize user roles for all counties to use. When a new screen or document is deployed, CalMHSA adds the associated permissions to the appropriate user roles. This change will push down to county affiliate systems, automatically granting permissions to users who have the user roles in question. This lessens the user administration burden for county affiliates.
CalMHSA makes decisions about what permissions to grant which user roles based on State requirements and/or guidance, experience and knowledge from CalMHSA team members, and feedback from county affiliates.
Since user roles are additive, CalMHSA manages both “base user roles” and “add-on user roles”. Base user roles will have basic system functionality, such as the search and client search function, built into them. Every user should have at least one base user role to ensure they can access basic screens and functions.
Add-on user roles are focused on specific use cases, such as specific functionality, specific documents, or specific screens. They should always be used in conjunction with a base user role.
See User Roles for details on the current CalMHSA-managed user roles. This list includes whether the role is considered a base or add-on role and a brief description of the type of user who would be assigned this role.
User Role Syncing
Due to how SmartCare manages both permissioning and the sync between CalMHSA and county affiliate systems, there is some strangeness in how counties can or cannot modify CalMHSA-managed user roles. CalMHSA is working with Streamline to standardize this, but does not have an estimated development timeline.
County affiliates cannot deny a permission granted by CalMHSA in a CalMHSA-managed user role. If a county affiliate attempts to do this, the system will not show that the record wasn’t saved. However, if the county user pulls up the same user role-permission combo again, the system will show that the record wasn’t changed.
Example:
CalMHSA: Billing: Services (My Office): Granted
County Affiliate: Billing: Services (My Office): Changes to Denied and clicks Save
End Result: County Affiliate: Billing: Services (My Office): Granted
County affiliates can grant a permission not granted by CalMHSA in a CalMHSA-managed user role.
Example:
CalMHSA: Billing: Staff/Users (Administration): Denied
County Affiliate: Billing: Staff/Users (Administration): Changes to Granted and clicks Save
End Result: County Affiliate: Billing: Staff/Users (Administration): Granted
A county’s changes may be overwritten if CalMHSA edits that specific user role for that specific permission. However, since this would only currently impact a permission going from denied to granted, this shouldn’t impact county affiliates (as they would have already changed the permission to be granted in their own system).
Because of this idiosyncrasy with user roles, CalMHSA tends to the conservative side, denying permissions when counties differ greatly in their opinions. This allows counties that want the permission denied are able to do so while still using the CalMHSA-managed user role. This also allows counties that want the permission granted to do so by editing the CalMHSA-managed user role.
Custom County User Roles
Counties are also allowed to create their own user roles. These user roles will only exist in their instance of SmartCare and must be wholly managed by the county. When a development item is deployed, the county will need to update their user roles to incorporate the new development.