Question:
What is the difference between User Role Setup and the User Role Object in Vault?
Answer:
The User Role Setup object is used for Dynamic Access Control (DAC), also called matching sharing rules. DAC does not override security profiles and permission sets.
The User Role object is a complex join with User and Application Role as parent objects. It has no dependency on DAC, which means it can be used with or without DAC.
Role permissions enable Admins to assign permissions to a specific user without affecting security profiles. This allows an incremental approach to access control that reduces the need for complex security profile configuration and maintenance. This can be particularly useful when users play various roles over time that require access to different combinations of object or application permissions.
Admins can grant users additional permissions without affecting security profiles by following these steps:
- Navigate to Business Admin --> Application Roles.
- Create an Application Role record and select a permission set in the Permission Set field.
- Navigate to Business Admin --> User Roles.
- Create a record that joins the Application Roles with User records.
Related Documentation:
- Managing Permissions with User Roles
- About Dynamic Access Control for Documents
- About Dynamic Access Control for Objects