Appearance
Application vs project vs user roles
Consult's authorisation model has four layers that operate independently and compose at runtime. Misunderstanding the layers is the most common source of "why can't this user see X" questions.
| Layer | Scope | Assigned where | Example role |
|---|---|---|---|
| Application role | Whole app, for one user | User profile | Administrator, Employee |
| Project role | One project, for one user | Project resources view | Project Manager (PM) |
| Resource role | One user, by another user | User profile > Managers tab | Resource Manager (RM) |
| Client role | One client, across all their projects | Client profile | Client Account Lead (CAL) |
Application roles
Application roles define broad capabilities across the entire Consult application. Each role is a configurable bag of abilities, assigned to each user. For the list of abilities and how to configure roles, see Manage application roles.
Typical default roles are:
- Administrator: Full access across the entire app.
- Employee: Partial access across the app, with more access given when project, resource, or client roles are assigned.
- Consultant: Very limited access, with exceptions where project, resource, or client roles are assigned.
Some actions explicitly bypass global admin rights. For example, resource allocation requests still require resource manager approval.
Project-level roles (PM)
Project-level roles define what a user can do within a specific project. For most users, this will be limited to seeing basic project information and submitting time for that project.
When a project director assigns the PM role to a user on the project Resources view, that user gains additional privileges, such as seeing the schedule or creating invoices.
The PM role splits into three independent toggles per user per project:
- Project Manager: The parent flag. Unlocks the schedule, invoicing, and other PM-only actions for this project.
- View Financials: Controls visibility of rates, internal costs, margin, and sensitive project documents.
- Email notifications: Whether this PM gets emailed project updates. Lets a project director delegate without spamming themselves.
Currently, the only project-specific role in Consult is the PM role.
Resource-level roles (RM)
Resource manager roles are scoped to an individual user and give the RM access to that user's details. RMs are also required to perform managerial tasks such as approving time on projects and leave requests.
For each direct report, the resource manager gets:
- Access to the report's profile page, excluding financial information.
- Visibility of the report's leave types on the company calendar.
- Visibility of the report's projects and the ability to edit hours across all of them.
- Approval rights for timesheets, leave requests, and resource allocation requests.
Resource managers operate across projects, unlike project managers who are scoped to a single project.
Client-level roles (CAL)
On the client level, a Client Account Lead (CAL) can be configured. The CAL gets project manager-level access, including financials, on every project belonging to that client.
WARNING
CALs see sensitive financial information, such as project rates and margin. Ensure you assign the right user before saving the client record.
How these roles interact
- Global override: Application administrators usually bypass project-level restrictions, except where explicit resource manager approval is required.
- Project vs resource roles: Project managers manage project-specific tasks and budgets, while resource managers manage individual people across projects.
INFO
Although a user might have "Project Manager" as their job title or default rate card, this is not the same as a project manager assigned at project level. That user does not automatically have project manager access to projects.