Security roles in Fusion are intentionally flexible to allow schools to create custom roles that suited their specific scenarios. This means, there is no concept of hierarchy, where one role is above or below another. Instead, users are able to perform tasks based on the role(s) they have been assigned. Previously, when a login belonged to a role that had the ‘Edit logins’ permission, when creating or editing logins they would be able to assign any of the existing roles to that login.
While this works for the vast majority of clients, where the school IT staff and/or the kitchen manager would be assigned as administrators and they would manage the logins, some schools wanted other users, such as supervisors, to be able to manage logins too. However, this caused a potential loophole where a user could be part of a role that had fairly limited permissions, but because it has the ‘Edit logins’ permission, they could make any logins an administrator, or even create a new login for themselves and make this account an administrator, circumventing the restrictions in place.
The process of allocating which roles can be assigned is the same as assigning which permissions a role has;
- Select the role from the list of roles
- On the right hand side of the screen, locate the ‘Can allocate these roles’ section
![]()
- Select the roles that this role can allocate when editing/creating logins
Post your comment on this topic.