Part of setting up your security settings is creating users and roles. A user is an employee who uses agrē. A role is a general job role, such as AR Clerk, that has specific security settings.

In agrē, each user that you create can be assigned to one or more roles. Users do not have security settings until you assign them to roles; they acquire the security rights of the roles they are assigned to. For example, the user “Pat Malone” does not have any security settings until they are assigned to one or more roles, like “Agronomist”, "Blend Shed", or "Front Counter".

When you customize your roles, you can choose to allow or deny various actions (e.g., viewing reports). Selecting “allow” permits the users in the role to perform the action. Selecting “deny” prevents the users in the role from performing the action. Since users can be assigned to one or more roles, it’s possible that some security settings are contradictory. For example, one role “allows” the adding of invoices while another role “denies” it. When this occurs, a “deny” settings always overrides any other settings (deny trumps all).

You can also leave an action blank (null). This is considered a “don’t allow” setting which differs from a “deny” setting. This setting tells agrē to “deny” the action unless that action is "allowed" by another role the user is assigned to.

The following charts summarize how the allow, deny, and null settings work in agrē. A red box indicates the action is not allowed (i.e., the action cannot be performed). A green box indicates the action is allowed (i.e., the action can be performed). The first chart shows a user that belongs to one role. The second chart shows a user that belongs to 2 roles. (The roles and actions are listed as 1, 2, 3, etc. in order to keep the example generic.)