====== Admin — Users, Groups, Permissions & Notifications ======

**Section:** Admin\\
**Updated:** 2026-05-05

----

===== 1) Overview =====

The **Admin** section is restricted to administrators. It contains:

  * **Users & Groups** — team member accounts and group membership (on one combined page)
  * **Object Access** — central view of all per-record access grants
  * **Permissions** — module-level RBAC permission assignments per user/group
  * **Notifications** — push notifications sent to users or groups

Navigate to **Admin** in the sidebar to see the sub-items.

> **[[ SCREENSHOT: Admin section in the sidebar — Users & Groups, Object Access, Permissions, Notifications links ]]**

----

===== 2) Users & Groups =====

Navigate to **Admin → Users & Groups**.

This single page shows both the **Users** list and the **Groups** list side by side (or in sections).

> **[[ SCREENSHOT: Users & Groups page — two sections: Users list on top, Groups list below (or side by side) ]]**

==== Users List ====

Shows all system user accounts.

> **[[ SCREENSHOT: Users list section — columns: Name, Email, Status (Active/Inactive), Last Login, Groups, Action buttons ]]**

**Actions per user row:**

  * **Edit** — update name, email, and other account details
  * **Manage Groups** — add this user to groups or remove them from groups
  * **Manage Widgets** — configure which dashboard widgets appear on this user's home screen
  * **Activate / Deactivate** — enable or disable login access
  * **Delete** — remove the account (only if no policy restriction applies)

> **[[ SCREENSHOT: User row — action buttons (Edit, Groups, Widgets, Deactivate, Delete) ]]**

==== Creating a User ====

  - Click **"Add User"** (or equivalent button in the Users section).
  - Enter First Name, Last Name, Email Address, and an initial password.
  - Assign the user to one or more Groups.
  - Save.

The user can then log in with their email and password.

> **[[ SCREENSHOT: Add User form — first name, last name, email, password, group selector ]]**

==== Deactivating a User ====

To remove access without deleting the account:

  - Click **Deactivate** on the user row.
  - The user can no longer log in. All records they created remain intact.

Reactivate with the **Activate** button when needed.

> **[[ SCREENSHOT: User row — Deactivate button; and another example row showing Activate button for an inactive user ]]**

==== Dashboard Widget Configuration ====

Each user can have up to four dashboard widgets. An administrator can set these centrally:

  - Click **Manage Widgets** on the user row.
  - Select up to four widgets from the available list.
  - Save.

If no widgets are configured, the system shows the first four widgets the user has permission to access.

> **[[ SCREENSHOT: Manage Widgets modal — list of available widgets, up to 4 selectable ]]**

==== Groups List ====

Groups are named sets of users. Permissions are typically assigned to groups so that everyone in the group automatically inherits the same access.

> **[[ SCREENSHOT: Groups list section — group name, member count, description, action buttons ]]**

**Actions per group row:**

  * **Edit** — update the group name and description
  * **Manage Access** — assign permission shortcodes to this group
  * **Delete** — remove the group

==== Creating a Group ====

  - Click **"Add Group"** in the Groups section.
  - Enter a Group Name and optional Description.
  - Save.
  - Then assign users to it via **Manage Groups** on the user rows, and assign permissions via **Manage Access** on the group row.

> **[[ SCREENSHOT: Add Group form — name, description fields ]]**

----

===== 3) Permissions (Access Permissions) =====

Navigate to **Admin → Permissions**.

This page manages **module-level access** via a hierarchical permission shortcode system. Each module and action has a unique shortcode (e.g. ''finance:vendor-bills'', ''dms:queue'', ''leads:own'').

> **[[ SCREENSHOT: Access Permissions page — permission tree or grid showing modules as rows/nodes, user/group selector, checkboxes or toggle per permission ]]**

==== How the Permission System Works ====

  * Permissions are assigned to **Users** or **Groups**.
  * A **wildcard** shortcode (e.g. ''finance:*'') grants access to all sub-permissions under that prefix automatically.
  * Permissions are **additive** — there is no "deny" rule. Having a shortcode means access is granted.
  * Users can hold permissions both directly and via group membership. If either grants access, they have access.

==== Common Permission Shortcodes ====

| **Shortcode** | **What it grants** |
| ''admin:*'' | Full admin access |
| ''finance:*'' | Full Finance module access |
| ''finance:vendor-bills'' | View vendor bills only |
| ''finance:invoices'' | View sales invoices only |
| ''dms:*'' | Full Document Management access |
| ''dms:queue'' | Access to Documents Queue |
| ''dms:documents'' | Access to Documents Storage |
| ''leads'' | View leads (own by default) |
| ''leads:*'' | View all leads across all owners |
| ''leads:own'' | View only own leads |
| ''contracts'' | View contracts |
| ''callmessages:*'' | View all missed call records |
| ''callmessages:own'' | View only calls for the user's own name |
| ''instruments:*'' | Full Financial Instruments access |
| ''banking:*'' | Full Banking access |
| ''master-data:partners'' | View and manage partners |

==== Granting a Permission ====

  - Select the **User** or **Group** from the selector on the page.
  - Find the relevant permission shortcode in the tree.
  - Enable it (checkbox or toggle).
  - Save.

> **[[ SCREENSHOT: Permission assignment — user/group selector dropdown at top, permission tree below with one item being enabled ]]**

----

===== 4) Object Access =====

Navigate to **Admin → Object Access**.

**Object Access** is a central view of all per-record grants in the system.
Normally access grants are managed from within the record itself (via the violet lock icon button on any list), but this admin page gives a complete overview.

> **[[ SCREENSHOT: Object Access page — filter by Object Type dropdown at top; grants table showing: Object Type, Object ID, Grant Type (User/Group), Grantee name, Granted By, Date, Delete button ]]**

==== What Object Access Does ====

Module-level permissions (Permissions page) control what sections a user can see. Object-level grants go one step further — they grant access to a **specific record** for a user who would not otherwise have access.

Example: A user has ''leads:own'' (only their own leads), but you want them to see one specific lead owned by someone else. You add an object grant for that lead record directly.

==== Adding a Grant ====

  - Select the **Object Type** (e.g. Lead, Contract, DMS Document).
  - Search for and select the specific record.
  - Choose **Grant Type** (User or Group) and select the grantee.
  - Click **Grant**.

> **[[ SCREENSHOT: Add Grant section — object type selector, object search field, user/group toggle, grantee selector, Grant button ]]**

==== Supported Object Types ====

DMS Documents, DMS Queue Records, DMS Teams Storage Paths, Vendor Bills, Sales Invoices, Payments, Vouchers, Partners, Leads, Contracts, Subscriptions.

==== Removing a Grant ====

Click the **Delete** button on the grant row. The grantee immediately loses the extra access.

----

===== 5) Notifications =====

Navigate to **Admin → Notifications**.

**Push Notifications** appear in the bell icon panel in the top navigation bar for the targeted users. They are useful for system announcements, reminders, or important alerts.

> **[[ SCREENSHOT: Push Notifications list — columns: Recipient (User/Group/All), Title, Message preview, Created date, Important flag, Actions ]]**

==== Creating a Notification ====

  - Click **"Add Notification"** (or equivalent button).
  - Enter the **Title** and **Message** text.
  - Select the **Target** — All Users, a specific User, or a Group.
  - Optionally set an **Expiry Date** (notification disappears after this date).
  - Toggle **Important** if you want the notification shown in red and requiring explicit confirmation to dismiss (instead of a simple dismiss button).
  - Save.

The notification appears immediately in the target users' bell panels.

> **[[ SCREENSHOT: Add Notification form — title, message, target selector (All/User/Group), expiry date, Important toggle ]]**

==== Important vs. Normal Notifications ====

  * **Normal** — appear in the bell panel, user can dismiss with one click.
  * **Important** — shown highlighted in red; user must click **Confirm** before the notification can be dismissed. Use for urgent or compliance-relevant messages.

> **[[ SCREENSHOT: Bell panel open — one normal notification and one Important notification (shown in red with a Confirm button) ]]**

----

===== 6) Common Tasks — Quick Reference =====

| **Task** | **Steps** |
| Create a new user account | Admin → Users & Groups → Add User → fill form → Save |
| Deactivate a user | Users & Groups → user row → Deactivate button |
| Assign a user to a group | Users & Groups → user row → Manage Groups → add group |
| Configure dashboard widgets for a user | Users & Groups → user row → Manage Widgets |
| Create a permission group | Users & Groups → Add Group → fill name → Save |
| Grant a group Finance access | Permissions → select group → enable ''finance:*'' → Save |
| Give one user access to a specific lead | Object Access → Object Type: Lead → search lead → grant user |
| Send an urgent message to all users | Notifications → Add Notification → target All → Important on → Save |
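
The rules from sections 3 and 4 (wildcard shortcodes, additive user and group assignments, per-record grants) can be modelled as follows. This is an added example, not the application's own code: the class, function and data names are assumptions, as is reading ''finance:*'' as covering only shortcodes that start with ''finance:''.

```python
from dataclasses import dataclass, field

@dataclass
class User:
    name: str
    active: bool = True
    direct: set = field(default_factory=set)   # shortcodes assigned to the user
    groups: set = field(default_factory=set)   # names of groups the user is in

# Constructed sample data, not taken from a real installation.
GROUP_PERMS = {"Finance": {"finance:*"}, "Sales": {"leads:own", "contracts"}}
USERS = {
    "alice": User("alice", direct={"finance:invoices"}, groups={"Finance"}),
    "bob": User("bob", groups={"Sales"}),
    "carol": User("carol", active=False, direct={"admin:*"}),
}
# Object grants: (object type, record id) -> {(grant type, grantee)}
OBJECT_GRANTS = {("Lead", 42): {("user", "bob")}, ("Lead", 43): {("group", "Finance")}}

def covers(held, required):
    """A held 'finance:*' covers everything under 'finance:'; otherwise exact match."""
    if held.endswith(":*"):
        return required.startswith(held[:-1])
    return held == required

def grant_sources(user, required):
    """Every assignment that yields `required`; all must be removed to revoke it."""
    if not user.active:               # deactivated accounts cannot log in
        return []
    found = [("direct", c) for c in user.direct if covers(c, required)]
    for g in user.groups:
        found += [("group:" + g, c) for c in GROUP_PERMS.get(g, ()) if covers(c, required)]
    return sorted(found)

def has_permission(user, required):
    return bool(grant_sources(user, required))   # additive: any one source is enough

def can_view_lead(user, lead_id, owner):
    """Module-level scope first, then per-record grants from Object Access."""
    if not user.active:
        return False
    if has_permission(user, "leads:*"):
        return True
    if owner == user.name and (has_permission(user, "leads:own") or has_permission(user, "leads")):
        return True
    grants = OBJECT_GRANTS.get(("Lead", lead_id), set())
    return ("user", user.name) in grants or any(("group", g) in grants for g in user.groups)
```

Because there is no deny rule, ''grant_sources'' is the useful view when reviewing access: a user keeps a permission until every listed direct and group assignment has been removed.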