Access Permissions Admin Screen

This screen gives security administrators the ability to control which admin screens may be accessed by other administrators and to control their level of access. It also allows administrators to select which buttons and functions appear for users in Chrome River, including Expense Management, Delegate, Emburse Card, Invoice Management, and Purchase Order Management settings.

By default, this screen is turned off for all but one or two Super Admin users. If those users leave the organization and no one is designated to replace them as a Super Admin, the Access Permissions admin screen may not be visible to anyone in your organization. Contact the Chrome River Configuration Team by opening a Help Desk case to have one or more Super Admins designated.

For complete details on Super Admins, see Customize Access Permissions for Admin Teams.

View Access Permissions

Click the MENU button in the upper left corner, then ADMIN SETTINGS.

Click SECURITY > ACCESS PERMISSIONS.

If you do not see Access Permissions in the Security menu, please review Access Permissions Best Practices, below, and then open a case in the Help Desk Service Portal with a list of the Chrome River users who should have access to create policies and grants.

You will see a summary of recent enhancements to the Access Permissions screen on the right.

Access is controlled at three levels:

  • Permissions are individual actions that may be taken on each admin screen, such as View, Edit or Delete.
  • Policies are groups of permissions—for example, you could have a Read-Only policy that disables some or all actions and an Edit policy that allows users to access some or all actions.
  • Grants allow you to assign each policy to groups of users to determine which permissions they have—for example, all C-Level employees could be granted access to just the Read-Only policy. The same user may have multiple grants as long as he or she has multiple roles.

1. Create a Policy

Creating new policies is a multi-step process with several essential prerequisites and is only recommended in certain situations. Before you begin creating any new policies, review the information in Customize Access Permissions for Admin Teams.

If your organization has decided to proceed with implementation of a new policy, the process requires four steps:

  1. Create a new policy containing the desired permissions.
  2. Add a corresponding entity to your organization's Rules Group Exception (RGE) entity type.
  3. Assign that entity to specific users via the RGE.
  4. Create a grant that activates the policy for those users.

For complete details and best practices for customizing access permissions, see Customize Access Permissions for Admin Teams.

1. To create a new policy, click the POLICIES tab, then click the PLUS button.

2. Give the policy a name and, if desired, a description.

3. Scroll through the list of permissions and check the ones you wish to enable for that policy. Uncheck the ones you wish to disable.

Use the SELECT and DESELECT buttons to select all or deselect all permissions.

4. When you are finished, click SAVE. The new policy will appear in the Policies list.

2. Add a Policy Entity to the Rules Group Exception (RGE) Entity Type

In order to assign any policy you create to specific users via a grant, you must first add an entity that corresponds with that policy to the Rules Group Exception (RGE) entity type via the Entities Admin Screen.

Navigate to MASTER DATA > ENTITIES, select the Rules Group Exception entity type, scroll down to the Entities section, and click PLUS.

If the Rules Group Exception entity type no longer exists for your organization, your Chrome River Implementation Team contact will be able to help you re-create it.

Give the new entity a name and code and click SAVE.

For complete details on creating new entities, see "Create a New Entity" in Entities Admin Screen.

3. Assign the Policy Entity to the Appropriate Users

Next, you'll need to assign the policy entity you created in Step 2 to the users who should have access to that policy. Navigate to MASTER DATA > PEOPLE and select the first user.

Click RELATIONSHIP ATTRIBUTES and then click ADD RELATIONSHIP ATTRIBUTE.

Select the following for the new relationship attribute:

  • Role: Part Of
  • Entity Type: Rules Group Exception
  • Entity: [Name of Policy]

Click SAVE.

Repeat these steps for any other users who should be assigned this policy.

  • In addition to giving them the Full Admin relationship attribute, be sure each user has the Admin check box selected under Permissions.

4. Create a Grant

Grants allow you to activate policies for groups of users to determine which permissions they have. Each grant must be assigned to a unique entity, but the same user may have multiple grants as long as they have multiple roles.

Create a New Grant

1. To create a new grant, click the GRANTS tab, then click the PLUS button.

2. Give the grant a name and, if desired, a description.

3. Use the Relationship Attributes drop-down boxes to select the policy entity to which you wish to assign this grant. Anyone who has been assigned this entity in their Person record will be granted the permissions allowed by the policies associated with this grant.

4. Select the desired policy from the Policy drop-down box. You may grant the selected role multiple policies, if needed.

5. Click SAVE.

Clone an Existing Grant

You may copy an existing grant and edit it to create a new grant by clicking the CLONE button in the upper left corner of the desired grant.

Once you select a different relationship attribute for the new grant, it may be saved as a separate grant.

Edit a Policy

1. Select the desired policy in the list and click EDIT.

2. Find the desired group of settings in the list and use the check boxes to select which specific buttons and functions should be available to users and/or admins in the user interface.

You may select or deselect all the options by checking the box next to the section heading.

3. When finished, click SAVE.

Emburse Cards Permissions

Chrome River offers the ability to issue physical and virtual spend cards to users who do not have corporate credit cards. Emburse Cards make it easy for users to spend a pre-approved amount on travel expenses anywhere credit cards are accepted without needing to pay out of pocket. They also make it easy for your organization to control and reconcile user spending.

1. To enable Emburse Card access for users and determine which options appear in the user interface, check the boxes under Emburse Card in the Pre-Approval section of the desired policy.

2. Now attach a grant that determines which users will be able to see and use the Emburse Card option.

Help Desk Permissions

This feature allows users to access the Chrome River Help Desk from inside the Chrome River app without having to enter their login credentials. Users must have an active Chrome River Help Desk account under the same email address used to log in to Chrome River, and they must enable pop-ups in their web browser the first time they use this feature. If an administrator requires a Help Desk account, please open a case using the Chrome River Help Desk portal.

This feature is already enabled for customers who use Chrome River's default access permissions. If your organization has custom access permissions, an administrator with Super Admin permissions must follow the steps below to enable Help Desk access within Chrome River.

  • If you see a RESET button in the preview pane for your access permissions policy, your organization has custom access permissions.
  • If there is no RESET button, your organization uses default access permissions.

1. Enable user access via a policy by checking "Authorized Help Desk Ticket Manager" under Help Desk.

2. Now, attach a grant that allows only users with an active Chrome River Help Desk account to see the Help Desk link inside Chrome River.

  • Be sure to apply the grant only to individuals with an active Help Desk account.

If the grant is made to users who do not have an active Help Desk account, they will see an error message when they click the HELP DESK link.

Note that customers may hold a limited number of Help Desk account licenses.

Enable Enhanced Adjustment Capabilities for Expense Approvers

Your organization may choose to offer extended adjustment capabilities for expense approvers, allowing them to adjust the Expense Type, Date, Description, and any User-Defined Field (UDA) on an expense. An administrator may activate this feature at the user level for all approvers, just a specific group of approvers, or multiple groups of approvers.

1. On the Access Permissions admin screen, select the appropriate policy and click EDIT.

2. Under Expense Approvals, check “Allow adjust on Description, Date & User Defined Attributes during approval” and/or “Allow adjust Expense Type during approval,” then click SAVE.

Enable Additional Expense Approvers

Your organization may choose to enable approvers to include an additional approver in the expense routing process. See Include an Additional Expense Approver for complete details.

1. On the Access Permissions admin screen, select the appropriate policy and click EDIT.

2. Under Expense Approvals, check “Allow adding additional approver for a report,” then click SAVE.

Enable Unauthorized Users to View Image Links in Approval Emails

Chrome River requires users to log in when they click the “View,” “View Receipts” and “View Images” links from Expense and Invoice Approval Email Notifications, and only the user to whom the expense is assigned may view those images. However, your organization may choose to allow any user who receives the email notification and is logged in to Chrome River to view images via those links.

  • For example, if your organization uses the Watcher feature, approval emails can be sent to additional users who are not the expense approver. Those users may also access images via links in those emails, as long as they are logged in to Chrome River.

1. On the Access Permissions admin screen, select the User Default Access policy and click EDIT.

2. Under User Access, check “Allow Viewing Receipts On Approval Emails Without Authorization,” then click SAVE.

Hide or Show eWallet Ribbon on Dashboard

The eWallet ribbon on the Chrome River Dashboard displays users' count of unused expense items, allowing expense owners and delegates to view the number of their credit card items and receipts at a glance whenever there is at least one unused item. Administrators may activate and deactivate this feature for their organization via the Access Permissions admin screen.

1. Click the POLICIES tab, then select USER DEFAULT ACCESS and click EDIT.

2. In the Permissions section, under General, find the Dashboard section.

3. Check or uncheck SHOW eWALLET PANEL.

Expense Management Dashboard Permissions

Admins may control user access to the Expense Management Dashboard via the Access Permissions admin screen.

  • Note: If your organization would like to determine which expense reports may be viewed by Expense Management Dashboard users based on the roles and entities assigned via the People admin screen, please open a case in the Chrome River Help Desk.

1. Click the POLICIES tab, select the appropriate policy, and click EDIT.

2. In the Permissions section, under General, find the Expense Management section.

3. Check or uncheck Show Expense Management Dashboard.

Recall Exported Reports

Checking Allow recalling exported reports will allow anyone in the selected policy to recall exported expense reports via a button on the Expense Management Dashboard or inside the report.

It is not recommended to grant Recall permission unless your organization uses SAP connectors and has delta export logic incorporated into its ERP.
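
To review who ends up holding a permission such as Allow recalling exported reports, the entity, grant and policy chain from steps 1 to 4 can be resolved offline. The following is an added example, not Chrome River code: the data layout, names such as RGE-EXPADMIN and the sample records are constructed, and combining a user's grants as a union of their permissions is an assumption.

```python
# Added sketch: resolves the entity -> grant -> policy -> permission chain for review.
# Data shapes and names are constructed assumptions, not a Chrome River export or API.
POLICIES = {  # policy name -> permissions checked in that policy
    "Read-Only": {"View"},
    "Expense Admin": {"View", "Edit", "Allow recalling exported reports"},
}
GRANTS = [  # each grant ties one RGE policy entity to one or more policies
    {"name": "Read-only grant", "entity": "RGE-READONLY", "policies": ["Read-Only"]},
    {"name": "Expense admin grant", "entity": "RGE-EXPADMIN", "policies": ["Expense Admin"]},
]
PEOPLE = {  # RGE entities from relationship attributes, plus the Admin check box
    "alice": {"entities": {"RGE-EXPADMIN"}, "admin": True},
    "bob": {"entities": {"RGE-READONLY", "RGE-EXPADMIN"}, "admin": True},
    "carol": {"entities": {"RGE-READONLY"}, "admin": False},
    "dave": {"entities": {"RGE-ORPHAN"}, "admin": True},
}
WATCHED = {"Allow recalling exported reports"}  # permissions a reviewer wants listed

def duplicate_grant_entities(grants):
    """Entities used by more than one grant (each grant needs a unique entity)."""
    seen, dupes = set(), set()
    for g in grants:
        (dupes if g["entity"] in seen else seen).add(g["entity"])
    return sorted(dupes)

def effective_permissions(person, grants, policies):
    """Union (assumed) of permissions across all grants matching the person's entities."""
    names = [p for g in grants if g["entity"] in person["entities"] for p in g["policies"]]
    return set().union(*(policies.get(n, set()) for n in names))

def audit(people, grants, policies, watched):
    """Return {user: [findings]} for users that need a reviewer's attention."""
    granted = {g["entity"] for g in grants}
    report = {}
    for user, person in people.items():
        perms = effective_permissions(person, grants, policies)
        notes = [f"holds '{p}'" for p in sorted(perms & watched)]
        notes += [f"entity {e} has no grant" for e in sorted(person["entities"] - granted)]
        if person["entities"] and not person["admin"]:
            notes.append("policy entity assigned but Admin check box not set")
        if notes:
            report[user] = notes
    return report

if __name__ == "__main__":
    print("entities reused across grants:", duplicate_grant_entities(GRANTS))
    for user, notes in audit(PEOPLE, GRANTS, POLICIES, WATCHED).items():
        print(user, "->", "; ".join(notes))
```
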
