Roles and Permission Groups

About assigning roles and permission groups to CLM users

Role and Permission Group management helps administrators configure security on the Conga Platform. A role represents a profile (for example, system admin, contract facilitator, general user, and so on). Administrators can create user roles that contain a set of permissions with specific access to objects, records, pages, and administrative functions in applications built on the Conga Platform. You can use the User Interface or REST APIs per your business needs. The following topics are covered in role and permission group management.

The following topics are covered in role and permission group management. For more information, see Roles and Permission Groups.

Role-Based Access Control (RBAC): Conga supports role-based access control (RBAC) to grant or restrict access to various applications and data within the Conga Revenue Lifecycle Platform. Conga RBAC supports data access primarily through mechanisms such as object permissions, permission groups, roles, and so on.
Permission Groups: A permission group is a group of object permissions. Permission groups can be assigned to individual users or roles.
Roles: A role is assigned to users performing similar tasks and consists of a set of permissions. As an administrator, you can assign roles to the existing users or create a new user and edit the user details to assign roles
User groups: User Groups enable administrators to create groups of individual users with specific roles and permissions.

Object Permissions

Object permissions define the level of access or restriction a user has to a specific object. These permissions are usually granted through permission groups. The Modify All and View All permissions grant users access to all records of an object.

Note: There is no need to control the parent object (Agreement) and child objects (for example, AgreementLineItem) separately with different conditions. It is recommended to manage user access on the Agreement object. By enabling the ViewAll permission for all other CLM objects (like AgreementLineItem), you ensure that the users can view all records of these objects without needing specific access controls for each one. OwnerScope must be enabled exclusively for the Agreement object, with no need to enable it for any other objects.

A few examples of granting permissions for users are:

Granting ModifyAll or ViewAll permissions on the Account or Contact object enables users to view or edit all records in the Account list page or Contact list page. To allow users to create, update, and delete records without needing Modify All or View All permissions, you can assign CRUD (Create, Read, Update, and Delete) permissions independently.

Granting ViewAll permissions on the Menu object allows users to view the following submenus in the Contract, Account, and Contact pages. You must add the permission group of the user in Admin Console > Object Data Explorer > Platform > Menu


Menu	Submenus
Contracts	My Contracts All Contracts Recently Viewed Search
Accounts	My Accounts Recently Viewed All Accounts
Contacts	My Contacts Recently Viewed All Contacts

The following table lists the permission levels that can be assigned to a CLM user for various objects.


Permission Level
Object	Read	Create	Update	Delete
Agreement	Displays the My Contracts, Recently Viewed, and Search tabs in the LINKS panel.	Create new contract records from My Contracts or Recently Viewed tabs. Create a new contract record from the account details page	Edit a contract record. Bulk edit contract records	Delete a contract record using the kebab menu or custom actions. Bulk delete contract records Delete a contract associated with an account or a contact.
AgreementLineItem	Displays the Line Items tab in the LINKS panel.	Add a new line item for a contract record. Clone a line item for a contract record.	Edit a contract record's line item.	Delete a contract's line item.
ContractRequest	Displays the My Requests, All Requests, and Incoming Requests sub-menus in the Manage Requests menu	Create a new contract request.	Edit a contract request	NA
AgreementClause	Displays the Clauses tab in the LINKS panel.	Create a new clause record. Clone a clause record on the Clause Details page.	Edit a clause record.	Delete a clause on the Clause Details page.
DocumentMetadata	Displays the Documents tab in the LINKS panel.	Upload a document	NA	Delete a document using the kebab menu.
RelatedAgreement	Displaysthe Related Contracts and Relationships tabs in the LINKS panel.	Create a new relationship with other contracts.	NA	Delete a related agreement. Remove a relationship type with other contracts by selecting the Unlink icon () in the Actions column.
AgreementInsight	Displays the Insights tab in the LINKS panel.	NA	NA	NA
RelatedItems	Displays the Related Items tab in the LINKS panel	Add objects and their records linked to a contract.	Edit objects and their records linked to a contract.	Delete objects and their records linked to a contract.
Account	Displays the Accounts List page in Accounts Apps	Create a new account.	Edit an account.	Delete an account.
Contact	Displays the Contact List page in Contact Apps.	Create a new contact.	Edit a contact.	Delete an existing contact. Delete a contact associated with an account.
AgreementObligation	Displays the Obligation List page in Contract Apps.	Create a new obligation.	Edit an obligation.	Delete an existing obligation.
AgreementObligationFulfillment	Displays the list of contracts for obligation fulfillmentList in Obligation Fulfillment page	NA	Edit an obligation in fulfillment	NA

Action Permissions

In addition to the standard CRUD operations, you can assign custom object-specific actions that can be set for CLM users. The following table lists a few of the action permissions (for example, such as Clone, Share, and so on)


Object	Action Permissions	Functionality
Agreement	Clone	To clone a contract record.
	Share	To share a record with any user or user group.
	Preview & Submit	To display the Preview & Submit button under Approvals.
	My Approvals	To display the My Approvals button under Approvals.
	Co-Pilot	To grant a user access to Copilot.
	Redline AI	To grant a user access to Redline AI.
	Change Owner	To allow users to reassign ownership of a contract record to a user, user group, or to themselves.
	Adobe Sign Tracking	To display Adobe Sign icon in the contract's right panel to track Adobe Sign related audit trail.
ActivityHistory	ViewCLMActionPanel	To display the Activity option in the right panel on the Contract Details page.
ReviewCycle	ViewCLMActionPanel	To display the Review Cycle option in the right panel on the Contract Details page.
ContractRequest	Cancel Request	Allows the requester to cancel a contract request listed in My Requests or All Requests sub-menus.
	Submit for Approval	Allows the requester to submit a contract request for approval.
	Approve & Reject	Allows an approver to approve or reject a contract request from the Incoming Requests sub-menu.
	Withdraw	Allows the requester to withdraw a submitted contract request listed in My Requests or All Requests sub-menu and return it to Draft status.
AgreementObligationFulfillment	Edit Fulfillment	To edit obligation fulfillment after activation.

Field Permissions

In addition to the object permission, you can define and enforce access permissions at the field level for different user roles. The following table lists some of the field-level permissions (for example, RecordOwner, RecordType, and so on) that can be set on Agreement or ContractRequest object for users.


Object	Field Permissions	Read	Edit
Agreement	RecordOwner	View the Owner field on the Contract Details page but cannot edit.	Modify the Owner field on the Contract Details page.
Agreement	RecordType	View the Contract Type field on the Contract Details page but cannot edit.	Modify the Contract Type field on the Contract Details page.
ContractRequest	Requester	View the Requester field in the My Requests > Parties but cannot edit.	Modify the Requester field in the My Requests > Parties.
ContractRequest	Owner	View the Owner field in the My Requests > Parties section but cannot edit.	Modify the Owner field in the My Requests > Parties section.

Record Type Permissions

A record type permission allows administrators to define and enforce access permissions at the record type level for different user roles. This ensures that users have access to specific record types when creating records. For instance, if an Agreement or ContractRequest object contains two record types—Non-Disclosure Agreement (NDA) and Master Services Agreement (MSA), an administrator can configure the system so that:

All users can create records using the NDA record type.
Only users with specific roles (for example, legal team or contract managers) can create records using the MSA record type.

Record Type level access control is managed through Permission Groups > Object Permissions. By default, all record types within an object are accessible to all users who have access to the object. However, administrators can customize these permissions as needed.

Roles

A role is assigned to users performing similar tasks and consists of a set of permissions. As an administrator, you can assign roles to the existing users or create a new user and edit the user details to assign roles. You can also assign multiple permissions and permission groups to a user to grant access to all the assigned role permissions. For example, with the CongaCLMReadOnlyUser role, a user can view all records they have permission to see when navigating to the Search tab on the Contract Details page.

As an administrator, you can create roles to restrict access to data for certain users based on their functional roles and responsibilities. For instance, if a user is assigned the CongaCLMReadOnlyUser role and navigates to the Contact page, the options Create Contact, Edit, Delete, or Create Contract on the Details page are not displayed for that user.

Conga Product Documentation

Welcome to the new doc site. Some of your old bookmarks will no longer work. Please use the search bar to find your desired topic.