How to use Permission Packages to provision roles

What is a Permission Package?

A Permission Package is a cross-application bundle that groups together all the permissions required for a specific organizational role. Instead of granting individual permissions one by one across multiple applications, an administrator assigns the package to a user and all permissions are provisioned in a single operation.

Where to find it

Open Administration → Permissions Workflow. The landing page lists all existing packages for your organization.

Creating a new package

1. Click New Package.
2. Provide a name and a description that clearly identifies the role this package represents.
3. Select the Structures (departments or the whole organization) for which this package is intended. This is a reference field — it does not restrict assignment, but helps operators understand the package scope.
4. Save. The package is created and you can now add permissions to it.

Adding permissions to a package

1. Open the package and click Add Permission.
2. Select the application, then the specific permission within it.
3. Define the value (access level, scope) for that permission.
4. Repeat for all permissions this role requires.

Assigning a package to users

1. Inside the package, click Add User.
2. Search for the user by personal code or name.
3. The system runs a pre-flight check: if the user already holds any of the package permissions from another source, you can choose to Keep Package (align) or Keep Original (skip that specific permission).
4. Confirm. All permissions are written immediately and a PDF assignment report is generated.

Syncing a permission after a value change

If you update the value of a permission inside a package (e.g., upgrading an access level), existing users do not receive the update automatically. You must Sync it:

1. On the package detail page, find the permission row and click Sync.
2. The sync page shows all active members and their current status (Active, Divergent, Manual, etc.).
3. Choose to Sync or Skip for each user and confirm.

Unassigning a package

Open the user's detail inside the package and click Remove Package Assignment. This deactivates all the app_auth rows that were created by the package. Permissions that were subsequently edited manually are noted as not automatically removed.