# User permissions

The [**Profile** tab on the user account page](https://docs.phocassoftware.com/administration/users/user-account-page#profile-tab) is where you control what the user can do in Phocas, from a functionality perspective.

<details>

<summary>Dashboards permissions</summary>

The **Dashboards** user permissions govern access to the Phocas dashboards and the actions users can take within those dashboards. The more permissions a user has, the more functions they see on a dashboard page.

* **Dashboards** (main permission): Access the Dashboards module and view dashboards\*. This permission gives users view-only access to dashboards.
* **Analyse Widgets**: Analyze dashboard data in the underlying database.
* **Manage Dashboards**: Access functions to [manage the dashboards](https://app.gitbook.com/s/7pj8v25BOyqZTdG5mdD1/dashboards/manage-dashboards) that you and others created. As permission to manage dashboards requires permission to save dashboards, if the **Save Dashboard** permission is not already selected, it is selected automatically for you when you select the **Manage Dashboards** permission. Therefore, you get all the functions associated with the **Save Dashboard** permission (see below), along with some extra functionality as follows:
  * Create new dashboards from scratch, clone a dashboard, or add a query or chart to a dashboard. You can assign the owner of these dashboards.
  * Edit a dashboard’s name, description or owner.
  * Customize the dashboards: Add new lines and widgets to dashboards, and customize those lines and widgets (delete, clone, edit and resize).
  * Delete your own dashboards and remove other dashboards from your list of dashboards, so you can no longer access them.
* **Run As**: View the dashboard as someone else.
* **Save Dashboard**: Access functions to create and manage your own (personal) dashboards, which include the following actions:
  * Create new dashboards from scratch, clone a dashboard, or add a query or chart to a dashboard.
  * Edit the name or description of your dashboards.
  * Customize your dashboards: Add new lines and widgets to the dashboard, and customize those lines and widgets (delete, clone, edit and resize).
  * Delete your dashboards.
* **Timed Refresh**: Schedule a dashboard to be refreshed at regular intervals. Without this permission, users can manually refresh the dashboard.
* **Subscribe**: Subscribe to a dashboard to receive scheduled updates delivered via email in a range of file formats.
* **Manage Subscriptions**: Manage subscriptions to dashboards. This permission is only available if users have the above **Subscribe** permission.

***

#### Related user permissions <a href="#dashboardspermissions-relateduserpermissions" id="dashboardspermissions-relateduserpermissions"></a>

* \*In addition to the main **Dashboards** permission above, users need database access to access the underlying data, otherwise, no data will display in the dashboard widget.

  <div align="left"><figure><img src="https://content.gitbook.com/content/vQCmtGTR7MsjcI62Vdki/blobs/vNYPbH382zMKAglCsix2/3153395739.png" alt="" width="442"><figcaption></figcaption></figure></div>
* In addition to the above dashboard permissions, the **Collaboration** permissions allow users to share dashboards.
* In addition to the **Subscribe** permission, users need permission to export data in one or more formats. These formats display in the **Type** dropdown list in the subscription settings. You select these formats in the **Query** > **Export** permission.
* The **Favorites** permissions typically go hand-in-hand with the dashboard permissions. If you give users permission to save favorites, it makes sense to also give them the **Save Dashboard** permission. Similarly, if you give users the **Manage Dashboards** permission, you should allow them to save favorites.

***

#### Related administration permissions and Phocas settings <a href="#dashboardspermissions-relatedadministrationpermissionsandphocassettings" id="dashboardspermissions-relatedadministrationpermissionsandphocassettings"></a>

* **Administration** > **Dashboards**: Manage (share and delete) all the dashboards in your organization’s Phocas site.
* **Administration** > **Subscriptions**: Manage subscriptions to all dashboards.
* **Administration** > **Folders**: Manage the folders in which dashboards can be stored.
* For users to receive subscriptions via email, your site needs to have email settings configured. This is usually carried out by administrators with special permissions. See [Configure SMTP settings to send emails](https://docs.phocassoftware.com/administration/configuration#smtp).

</details>

<details>

<summary>Favorites permissions</summary>

The **Favorites** user permissions govern access to the Phocas favorites and the actions users can take within those favorites.

* **Favorites** (main permission): Access the Favorites module and view favorites. This permission gives users view-only access to favorites.
* **Manage Favorites**: Access functions to manage the favorites that you and others created. As permission to manage favorites requires permission to save dashboards, if the **Save Favorite** permission is not already selected, it is selected automatically for you when you select the **Manage Favorites** permission. Therefore, you get all the functions associated with the **Save Favorite** permission (see below), along with some extra functionality as follows:
  * Save favorites: Either save the changes you make to a favorite or save a favorite as a new favorite (make a copy of the favorite).
  * Create alerts.
  * Edit a favorite’s name, description or owner.
  * Delete (or remove) favorites.
* **Save Favorite**:
  * Save favorites: If it’s your own favorite, you can either save the changes you make to that original favorite or save the favorite as a new favorite (make a copy of the favorite). If it’s a favorite that has been shared with you, you can save it as a new personal favorite.
  * Create alerts.
  * Edit the name or description of your favorites and alerts.
  * Set the favorite as your default view.
  * Delete your own favorites and remove your access to favorites that were shared with you.
* **Subscribe:**
  * Subscribe to a favorite to receive scheduled updates delivered via email in a range of file formats.
  * Set the favorite as your default view.
* **Manage Subscriptions**: Manage subscriptions to favorites. This permission is only available if users have the above **Subscribe** permission.

***

#### Related user permissions <a href="#favoritespermissions-relateduserpermissions" id="favoritespermissions-relateduserpermissions"></a>

* In addition to the main **Favorites** permission:
  * Users need database access to access the underlying data, otherwise, no data will display when the favorite is opened.

    <figure><img src="https://content.gitbook.com/content/vQCmtGTR7MsjcI62Vdki/blobs/Hl9ir50jUPUTZZQo5x3n/3154510060.png" alt="" width="442"><figcaption></figcaption></figure>
  * Users need multiple **Query** permissions to get the typical view of the Phocas grid with all the functions, so they can work with the data.

    <figure><img src="https://content.gitbook.com/content/vQCmtGTR7MsjcI62Vdki/blobs/3FTxguB3GKN24JnCKsez/3154444579.png" alt="" width="442"><figcaption></figcaption></figure>
* In addition to the **Save Favorite** permission, the **Collaboration** permissions allow users to share favorites.
* In addition to the **Subscribe** permission, users need permission to export data in one or more formats. These formats display in the **Type** dropdown list in the subscription settings. You select these formats in the **Query** > **Export** permission.
* The favorites permissions typically go hand-in-hand with the dashboard permissions. If you give users permission to save favorites, it makes sense to also give them the **Save Dashboard** permission. Similarly, if you give users the **Manage Dashboards** permission, you should allow them to save favorites.

***

#### Related administration permissions and Phocas settings <a href="#favoritespermissions-relatedadministrationpermissionsandphocassettings" id="favoritespermissions-relatedadministrationpermissionsandphocassettings"></a>

* **Administration** > **Favorites**: Manage (share and delete) all the favorites in your organization’s Phocas site.
* **Administration** > **Subscriptions**: Manage subscriptions to all favorites.
* **Administration** > **Folders**: Manage the folders in which favorites can be stored.
* For users to be able to receive subscriptions via email, your site needs to have email settings configured. This is usually carried out by administrators with special permissions. See [Configure SMTP settings to send emails](https://docs.phocassoftware.com/administration/configuration#smtp).

</details>

<details>

<summary>Databases permissions</summary>

The main **Databases** user permission governs access to the **Databases** section in both the Phocas menu and homepage.

* This general **Databases** permission on the **Profile** tab is different from the user’s specific database permissions and restrictions that are managed on the **Databases** tab. See [Overview of access to data ](https://docs.phocassoftware.com/administration/overview-of-access-to-data)and [Manage a user's database access and restrictions for more information](https://docs.phocassoftware.com/administration/users/manage-a-users-database-access-and-restrictions).

  <figure><img src="https://content.gitbook.com/content/vQCmtGTR7MsjcI62Vdki/blobs/y6eQLFhdyZSudsVfaMin/3163619473.png" alt="" width="566"><figcaption></figcaption></figure>
* Even when users have the **Databases** permission, they can only view the specific databases they have been given access to.
* On the other hand, if users have been given access to a specific database but do not have the **Databases** permission, they will be able to view that database via any dashboards or favorites that have been shared with them. They cannot open a database directly.

The **Default Period** user permission is available when the main **Databases** user permission is selected. It allows users to set their own default period (timeframe) for each database.

</details>

<details>

<summary>Collaboration (sharing) permissions for dashboards and favorites</summary>

The **Collaboration** permissions allow users to work together in different ways throughout Phocas. In particular, the sharing of dashboards and favorites is a common requirement for Phocas users.&#x20;

The main **Collaboration** permission activates these collaboration permissions:

* **Share with Folders**: Share dashboards and favorites by placing them in a folder that can be accessed by other users.&#x20;
* **Share with Users**: Share dashboards and favorites directly to selected users.&#x20;

***

#### Related user permissions <a href="#collaboration-sharing-permissionsfordashboardsandfavorites-relateduserpermissions" id="collaboration-sharing-permissionsfordashboardsandfavorites-relateduserpermissions"></a>

* These collaboration permissions are designed to work alongside the dashboards and favorites permissions.
* Even when an item is shared, other users can only see the data they have permission to see. For example, a user can't share a dashboard containing data about Branch X with someone who only has permission to view Branch Y.

<img src="https://content.gitbook.com/content/vQCmtGTR7MsjcI62Vdki/blobs/CnV7rbXKgSw3OC9KEj7N/3159523446.png" alt="" data-size="original">

</details>

<details>

<summary>Query permissions</summary>

The **Query** user permissions determine what users can do with the Analytics grid, such as perform queries, switch modes, select and set periods, change properties, search for data, and so on. Even if users have access to a database (for example, via a shared favorite), if they do not have query permissions, they cannot do anything except view the data.

Here's an example of what it is like when a user has the Sales database permission but no query permissions

<img src="https://content.gitbook.com/content/vQCmtGTR7MsjcI62Vdki/blobs/6F3FFo8DeshLBBvp79Yi/3155264076.png" alt="" data-size="original">

Most users, even those with a Basic profile, can perform standard queries and use basic functionality. The more query permissions a user has, the more options they have and actions they can take. Several commonly used query permissions are enabled by default in most system user profiles but these can be manually removed from an individual user's profile. Similarly, some permissions are restricted by default and need to be enabled manually. The following image shows the query permissions that correspond to the Analytics elements.

<img src="https://content.gitbook.com/content/vQCmtGTR7MsjcI62Vdki/blobs/GlrfNPvpahxoIpCvw4rD/3168109861.png" alt="" data-size="original">

The **Query** section on a user’s **Profile** tab has multiple permissions, which can be organized into three types (as identified by the colors in the image above):

1. Permissions that enable the menu items: **Mode** (range of modes to enable), **Change Properties**, **Change Measures** (more options with **Format Measures**), **Change Stream**, **Change Activity Filter**, **Format** (**Actual**, **% Share** and **Daily Average**).
   * When any of the above menus are enabled, the **Period** menu becomes available.
   * Add-on permissions for the **Period** menu are: **Apply Custom Period**, **Save User Defined Period** and **Month To Date** (see below for details).
2. Permissions that enable other options for working with the data: **Kind** (**Grid** or **Chart**), **Change Options** (more options with **Hide Total**, **Show Average** and **Show Others**), **Lock Selection**, **Export** (range of formats to enable) and **Search**.
3. Permissions that enable the key analysis tools: **Change Dimension**, and **Focus and Reset**.

***

#### Period permissions <a href="#querypermissions-periodpermissions" id="querypermissions-periodpermissions"></a>

<img src="https://content.gitbook.com/content/vQCmtGTR7MsjcI62Vdki/blobs/PahAxNeKSiu6j5OCEkSu/3239673857.png" alt="" data-size="original">

The following period-related **Query** permissions apply to Analytics only.

* **Apply Custom Period**: Enables the **Custom** option that allows users to apply a temporary date range.
* **Save User Defined Period**: Enables the **Add** option that allows users to add user-defined periods. Applicable only when the **Apply Custom Period** permission is also applied.
* **Month To Date**: Enables the **Month To Date** option in the **Options** menu that allows users to compare data for the current month with the corresponding number of days in a comparison month. This option only works when the [period is defined in the database](https://docs.phocassoftware.com/administration/databases-administration#set-defined-periods-for-a-database).

***

#### Export and copy permissions <a href="#querypermissions-exportandcopypermissions" id="querypermissions-exportandcopypermissions"></a>

<img src="https://content.gitbook.com/content/vQCmtGTR7MsjcI62Vdki/blobs/DW1Usth2tT5mv6K4e5S7/3159818242.png" alt="" data-size="original">

The **Query** > **Export** permissions determine if users can export and copy data from the grid, charts and dashboards.

The exportable file formats are **CSV**, **Email**\*, **KML** (applicable for map charts only), **PDF**, **Print** (opens in a new browser tab) and **XLSX** (Microsoft Excel). Note there are some limits on the [size of the dataset](https://app.gitbook.com/s/itAvDF3MljQXV0rjHRP7/copy-or-export-data) that a user can export.

The **Clipboard** option allows users to copy data directly from the grid to paste into another application, such as Microsoft Excel. Even though this is a simple copy-and-paste function for the user, it is handled by Phocas as an export function.&#x20;

***

#### Related user permissions and Phocas settings <a href="#querypermissions-relateduserpermissionsandphocassettings" id="querypermissions-relateduserpermissionsandphocassettings"></a>

* In addition to the query permissions above, users need database access to access the underlying data, otherwise, no data will display in the grid.
* These query permissions complement the favorites and dashboards permissions, allowing users to analyze the data they see in dashboard widgets and favorites.
* \*For users to be able to export to email, your site needs to have email settings configured. This is usually carried out by administrators with special permissions. See [Configure SMTP settings to send emails](https://docs.phocassoftware.com/administration/configuration#smtp).

</details>

<details>

<summary>File upload permission</summary>

The main **File Upload** permission activates the **Allow File Upload** permission. For these permissions to apply, you must also enable the main **Databases** permission.

Together, these permissions allow a user to upload CSV, XLXS and other file types as a source for database design, without requiring administration privileges. They do not grant access to Designer or Sync, or allow the user to see any Sync sources or items. The file upload process takes place outside of the Designer module and the uploaded files display in the file list in the Designer data sources panel.

Giving users the ability to upload files is useful when you want to delegate the responsibility of uploading new versions of a file. For example, if you upload a budget file for the current financial year into Designer, any users with permission to upload files can replace (overwrite) that file as required, such as for the next financial year.

See [Upload a file](https://app.gitbook.com/s/7pj8v25BOyqZTdG5mdD1/other-tools/upload-a-file).&#x20;

</details>

<details>

<summary>CRM permissions</summary>

When a user has a [CRM license](https://docs.phocassoftware.com/administration/users/user-account-page#crm-license), the **CRM** user permissions govern access to the CRM module and the actions users can take there.

* **CRM** (main permission): Access the CRM module, view and update the accounts and contacts, and add and delete activities.
* **Create Account**: Create new accounts.
* **Create Campaign**: Manage campaigns.
* **Delete Account**: Delete accounts.

[CRM user restrictions](https://docs.phocassoftware.com/administration/users/user-account-page#usermaintenanceform-favoritestab) control the type of CRM-related data the user can access.

</details>

<details>

<summary>Rebates permissions</summary>

When a user has a [Rebates license](https://docs.phocassoftware.com/administration/users/user-account-page#rebates-license), the **Rebates** user permission governs access to the Rebates module.&#x20;

</details>

<details>

<summary>Financial Statements permissions</summary>

There are two Financial Statements permissions that are available when the Financial Statements module has been enabled for your Phocas site. Typically, these permissions would be requested by someone in your Finance team.

* **Manage Custom Statements**: Make changes to the financial statements, such as create new statements and customize the layout and content of statements.
* **Access Restricted Account Transactions**: Access accounts that have been restricted.
  * It is common for finance teams to restrict access to accounts that have sensitive information (such as payroll) within financial statements, so users can see the total amount but not drill into transactional detail.
  * Users with permission to manage custom statements (above) can restrict other users from accessing specific accounts. Administrators can override this restriction, to allow one or more users to access the restricted accounts.
* **Data Entry**: Manually enter data, such as intercompany journals.&#x20;

***

#### Related user permissions <a href="#financialstatementspermissions-relateduserpermissions" id="financialstatementspermissions-relateduserpermissions"></a>

Other factors impact a user’s ability to access and use the Financial Statements module, see [Overview of access to financial statements](https://app.gitbook.com/s/KhoFIsurMPEjkuBz9YkN/getting-started/overview-of-access-to-financial-statements).

In particular, users need access to the data that forms the baseline of the statements.

</details>

<details>

<summary>Budgets and Forecasts permissions</summary>

The Budgets & Forecasts permissions are available when the Budgets & Forecasts module is enabled for your Phocas site. There are two user permissions relating to Budgets & Forecasts:

* **Budgets & Forecasts**: Gives users access to the Budgets & Forecasts module (it becomes available in the Phocas menu) and enables them to be assigned tasks in a budget workflow. This permission is for users who need to contribute to the budgets and forecasts.
* **Manage Budgets & Forecasts**: Allows users to create and manage budget and forecast workbooks. Such users are known as budget owners. Typically, this permission would be requested by someone in your Finance team.

Users with a Viewer license can be granted access to the Budgets & Forecasts module (first permission above), but they CANNOT be given access to manage budgets and forecasts (second permission above), which means that they cannot create their own workbooks or be made an owner of a workbook.

***

#### Related user permissions <a href="#budgetsandforecastspermissions-relateduserpermissions" id="budgetsandforecastspermissions-relateduserpermissions"></a>

In addition to the above user permissions, users need access to the data that forms the baseline of budgets and forecasts. Even with database access, the data users can see within the Budgets & Forecasts module is controlled by database restrictions. For more information, see Budgets & Forecasts > [Overview of users and data access](https://app.gitbook.com/s/aNH5UMuZXBHuAbFF7nI2/getting-started/overview-of-key-terms-and-concepts/overview-of-users-and-data-access).

</details>

<details>

<summary>Administration permissions</summary>

The actions that administrators can perform in the Administration module are governed by the permissions (settings) in the **Administration** section of the **Profile** tab.&#x20;

For example, your organization might want to:

* Set up an [Administration profile](https://docs.phocassoftware.com/administration/profiles) that allows the administrator to set user access to different databases, but not be able to make any changes to the databases or the Phocas environment.
* Restrict an individual administrator from accessing certain functionality.

Here’s a list of administration permissions (in alphabetical order) along with a summary of what they allow you to do or access.

**Configuration**: Access the [**Configuration** page](https://docs.phocassoftware.com/administration/configuration) where you can configure and customize your Phocas site.

**CRM:** Access the [**CRM settings** pages](https://app.gitbook.com/s/1DdwWAKI55yCxN4CVAUT/administration) where you can manage CRM drop-down options (picklists), deleted items, customizations and mappings.

**Dashboards**: Access the [**Dashboards** (administration) page](https://docs.phocassoftware.com/administration/dashboards-administration) where you can manage all the dashboards in your Phocas site. Access the [**Dashboards** tab](https://docs.phocassoftware.com/administration/users/user-account-page#usermaintenanceform-dashboardstab) in the user account page where you can manage the dashboards for a particular user.

**Databases**: Manage the databases for your Phocas site, including:

* Access the [**Databases** page](https://docs.phocassoftware.com/administration/databases-administration) where you can view and manage various aspects of your Phocas databases, such as restrictions and defined periods, and create, clone and delete databases.
* If you also have the **Sync** permission, access [Designer](https://docs.phocassoftware.com/administration/designer) to design, modify and build databases.
* Access the **Connectors** page to run connectors.

**Favorites**: Access the [**Favorites** (administration) page](https://docs.phocassoftware.com/administration/favorites-administration) where you can manage all the favorites in your Phocas site. Access the [**Favorites** tab](https://docs.phocassoftware.com/administration/users/user-account-page#usermaintenanceform-favoritestab-1) in the user account page where you can manage the favorites for a particular user.

**Folders**: Access the [**Folders** (administration) page](https://docs.phocassoftware.com/administration/folders-administration) where you can manage all the folders in your Phocas site.

**Logs**: Access the [**Logs** page](https://docs.phocassoftware.com/administration/logs) where you can view system-wide activity and error logs.

**Period Types**: Access the [**Period Types** page](https://docs.phocassoftware.com/administration/periods-administration/period-types) where you can manage the period types in your Phocas site.

**Connector**: Access the **Connectors** page where you can manage the connectors (third-party data synchronization tools) for your Phocas site.

**Profiles**: Access the [**Profiles** page](https://docs.phocassoftware.com/administration/profiles) where you can manage the user profiles in your Phocas site.

**Sync**: Access the [**Sync Sources** page](https://docs.phocassoftware.com/administration/sync-sources) where you can manage the sync sources (connections to raw data) for your Phocas site. If you also have the **Databases** permission, access [Designer](https://docs.phocassoftware.com/administration/designer) to design, modify and build databases.

**Working Days**: Access the [**Working Days** page](https://docs.phocassoftware.com/administration/periods-administration/working-days) where you can manage the working day calendars in your Phocas site.

**Allow administrators to change a user’s Profile to a higher administration access level**

**Users**:

* **All Users**: Access the user account page for all users.
* **Users In Same Group**: Access the user account page for just those users in the same group as the administrator. Can be used in conjunction with **Users: Users In Same Territory**. Other profile settings also affect what changes you can make in this form.
* **Users In Same Territory**: Access the user account page for just those users in the same territory as the administrator. Can be used in conjunction with **Users: Users In Same Group**. Other profile settings also affect what changes you can make in this form.
* **Users: Database Access**: Access the **Databases** tab on the user account page and **Database** view in the main **Users** page (only the users whom the administrator has permission to administer will be visible). If you do not have any permissions to administer users, you will see an empty table.
* **Users: Profiles**: Access the **Profiles** tab on the user account page and **Profiles** setting in the **Bulk Update** window. If you have **Users: Profiles** but not **Profiles**, you will not be able to assign profiles containing administration privileges. See also [Profiles (Administrator profile)](https://docs.phocassoftware.com/administration/profiles)\ <img src="https://content.gitbook.com/content/vQCmtGTR7MsjcI62Vdki/blobs/BQsMfe74mjMbxJXSHNY3/3233906716.png" alt="" data-size="original">
* **Users: Impersonate**: Impersonate other Phocas users.

</details>

<details>

<summary>API Tokens (beta)</summary>

This feature is still in development.

The MCP (Model Context Protocol) permission gives users the ability to manage API tokens via their account settings page.&#x20;

<div align="left"><figure><img src="https://3446572173-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FvQCmtGTR7MsjcI62Vdki%2Fuploads%2FqrcXKgBrFhwZpa9cSlUW%2Fimage.png?alt=media&#x26;token=11d8ea4a-82a0-4356-a466-64cb004aefe7" alt=""><figcaption></figcaption></figure></div>

</details>