A permission group is a group of object permissions. Permission groups can be assigned to individual users or roles. A permission group is a label or tag that can be assigned to object permissions rather than a separate physical object. As a result, object permissions with the same permission group label can be assumed to be part of the same permission group. The best practice suggests keeping object permissions granted to a single permission group.

An object permission specifies the various levels of access or restrictions that a user has on a given object. Using object permission, you can allow or restrict a user from viewing or modifying all instances of an object.

If a user is restricted from viewing and modifying object records, you can still grant access to some instances via Scope Permissions. Through Action Permissions, you can further control whether a user has access to perform specific actions (standard actions like create, read, update, delete, or custom actions like generate, activate, and so on). Object permissions include both Scope and Action Permissions.

For any given object, the user’s permissions are considered to access the application as per the steps below:

  1. Object Permissions: To evaluate the user’s permission on any object, View All and Modify All attributes in object permission are used. If these attributes are true, the user has full access to all the instances of the object. If only View All is true, the user can access all the object records but can’t create, update, or delete the records. Modify All can’t be true if View All is false.

  2. Action Permissions: In addition to the standard CRUD actions, you can assign custom object-specific actions. Aside from standard CRUD operations, we have some agreement lifecycle actions like GENERATE, ESIGN, ACTIVATE, AMEND, and so on for Agreement objects. Using the Action Permission option, you can assign any or all of these actions.

    Action permission criteria are only supported for READ action permissions.

  3. Scope Permissions: When both View All and Modify All object permissions are not set, the user cannot access any object records. However, you can grant READ access to some records using scope configurations. The following are the three levels of scope configuration that you can set:

    • Global Scope: Allow users to access object records based on some criteria. For example, you can configure access to all the agreements that are non-confidential.

      Criteria fields must be index fields that are present in the schema.

    • User Scope: Allow users to access a record if the user is tagged as an attribute value on the object. For example, a user can access an agreement if he is the contract facilitator of the agreement. The contract facilitator should be an attribute in the Agreement object.

      The relationship field must be a lookup field that is indexed, and the lookup object name must be the User object.

    • Account Scope: The admin can allow the user (record owner or who created the account record) to access a record if an account is tagged as an attribute value on the object. For example, an Agreement has two fields, PrimaryAccount and SecondaryAccount, both of which have a lookup relationship to the Account object. If you want to consider the PrimaryAccount field for resolving account scope, specify the PrimaryAccount field while setting up the account scope for the Agreement object. Assume there is an Agreement Record (ARecord1) with account1 as the primary account. You can only access ARecord1 if you are the owner of the account1 or created it.

      To use account scope on any object, you must enable the Is Allow Owner Scope toggle for the Account object. For more information on owner scope toggle, see Creating and Managing Objects.

To create a Permission Group

  1. Log in to the Conga Platform as an admin user.
  2. Click the App Launcher () icon from the top-left corner > Admin Console > Users.
  3. Go to the Permission Groups tab and click Add New.

  4. Enter values in the following fields:

    FieldDescription
    Display ValueEnter the display value (name) that is displayed as a name in the list view.
    ValueEnter the unique value (name) for the permission group. You can enter up to 80 characters in this field.
    DescriptionEnter a description of the permission group.
  5. Click Save.

You can see the newly created permission group in the list view.

  • The application automatically adds the View All permission to the AppRegistry object, allowing non-admin users to view the Conga Platform Admin Apps. However, you can change the object permission if necessary.
  • To delete the Permission Group, Click the More () icon at the start of the record and click Delete. If the respective Permission Group is assigned to any User or Role, you will receive the validation message and will be unable to delete it.

To assign Object Permission

  1. Click the permission group name link from the list page, or click the more () icon at the start of the record and click Edit.

  2. On the Object Permissions tab, click the Add Object Permissions button.

    The system automatically generates the "customcode" and "Configuration" object permissions upon the creation of a permission group.

  3. Search and select the required CRUD option for the Object(s).
  4. Click Save Object Permissions.
  5. If needed, click the Set option in the Read Criteria column to add access criteria to any of the specific objects. You can use only indexed fields of the specific object to set the criteria.
  6. If needed, click the Set option in the Action Permissions column to add any custom object-specific actions.

To delete the Object Permissions, select the object(s) from the list and click the Delete Object Permissions button.

To add Scope Permissions

  • Global and User scopes are only applicable when ViewAll/ModifyAll is not set up for the particular object.
  • Only indexed fields are used to set read criteria for all global and user scops.
  1. Click the permission group name link from the list page, or click the more () icon at the start of the record and click Edit.
  2. Go to the Global Scope, User Scope, or Account Scope tab.
  3. Set the criteria and click Apply.