# Roles & privileges Roles and Privileges in PBMS have been organized into three tiers 1. High level groups 2. High level groups - mapping to - Low level groups 3. Low level groups - mapping to - Odoo models & buttons ### High level groups These groups are organized based on business functions. From an end-user perspective, department users (staff members) are assigned to the high-level groups. Each high-level group is internally linked to one or more low-level groups. These low-level groups define the RUCD (Read, Update, Create, Delete) permissions for various Odoo models. **The high-level groups available for user mapping are as follows**
High level groupDescription
Program AdministrationEdit programs, add benefit codes, view service providers and geography, create enrolment and disbursement cycles and view lists inside them
Enrolment OperationView & Create Enrolment Cycles
Create Beneficiary lists (enrolment lists) inside Enrolment Cycles
Enrolment VerificationVerify Enrolment lists and add observations (upload documents to support their observations)
Enrolment ApprovalApprove a beneficiary list (enrolment list) as final list under an enrolment cycle
Disbursement OperationView & Create Disbursement Cycles
Create Beneficiary lists (disbursement lists) inside Disbursement Cycles
Disbursement VerificationVerify Disbursement lists and add observations (upload documents to support their observations)
Disbursement ApprovalApprove a beneficiary list (disbursement list) as final list under an enrolment cycle
Service Provider OperationView and Create Agencies and Warehouses
Associate Benefit codes to Agencies and Warehouses
Associate Geographies to Agencies and Warehouses
Geography OperationView and Create Administrative Areas (Large & Small)
Audit OperationView Access to the entire PBMS application
Program Super AdministrationEdit programs, add benefit codes, view service providers and geography, create enrolment and disbursement cycles and view lists inside them — BUT NOT RESTRICTED by PROGRAM ACCESS. This role has access to all the programs defined in PBMS.
**PBMS uses Keycloak for user identity management, authentication, and authorization. In Keycloak, the high-level groups described above must be defined as roles and associated to users.** ### High level groups to Low level groups - mapping
High Level GroupLow Level Groups
Program Administrationgroup_abstract_model_viewer
group_agency_viewer
group_warehouse_viewer
group_geography_viewer
group_beneficiary_list_viewer
group_benefit_codes_editor
group_program_editor
group_program_viewer
group_enrolment_editor
group_disbursement_editor
group_priority_rules_viewer
Enrolment Operationgroup_beneficiary_list_editor
group_beneficiary_list_viewer
group_enrolment_editor
group_program_viewer
group_benefit_codes_viewer
group_disbursement_viewer
Enrolment Verificationgroup_beneficiary_list_verifier
group_beneficiary_list_viewer
group_enrolment_viewer
group_program_viewer
group_benefit_codes_viewer
group_disbursement_viewer
Enrolment Approvalgroup_enrolment_approver
group_beneficiary_list_viewer
group_enrolment_viewer
group_program_viewer
group_benefit_codes_viewer
group_disbursement_viewer
Disbursement Operationgroup_beneficiary_list_editor
group_beneficiary_list_viewer
group_disbursement_editor
group_priority_rules_editor
group_program_viewer
group_benefit_codes_viewer
group_enrolment_viewer
Disbursement Verificationgroup_disbursement_viewer
group_beneficiary_list_verifier
group_beneficiary_list_viewer
group_priority_rules_viewer
group_program_viewer
group_benefit_codes_viewer
group_enrolment_viewer
Disbursement Approvalgroup_disbursement_viewer
group_disbursement_approver
group_beneficiary_list_viewer
group_priority_rules_viewer
group_program_viewer
group_benefit_codes_viewer
group_enrolment_viewer
Service Provider Operationgroup_agency_editor
group_agency_viewer
group_warehouse_editor
group_warehouse_viewer
group_program_viewer
group_benefit_codes_viewer
Geography Operationgroup_geography_editor
group_geography_viewer
Audit Operationgroup_abstract_model_viewer
group_benefit_codes_viewer
group_agency_viewer
group_beneficiary_list_viewer
group_disbursement_viewer
group_enrolment_viewer
group_geography_viewer
group_priority_rules_viewer
group_program_viewer
group_warehouse_viewer
Program Super Administrationgroup_agency_viewer
group_benefit_code_editor
group_program_editor
group_warehouse_viewer
group_geography_viewer
group_beneficiary_list_editor
group_beneficiary_list_verifier
group_enrolment_editor
group_enrolment_approver
group_disbursement_editor
group_disbursement_approver
group_priority_rules_editor
### Low level groups to Odoo models - mapping #### **Models with 1,1,1,1 (R,W,C,D) - access rights**
model name1,1,1,1 - R,W,C,D - access rights
g2p_agencygroup_agency_editor
g2p_warehousegroup_warehouse_editor
g2p_benefit_codesgroup_benefit_codes_editor
g2p_agency_program_benefit_codesgroup_benefit_codes_editor
g2p_warehouse_program_benefit_codesgroup_warehouse_editor
g2p_administrative_area_smallgroup_geography_editor
g2p_administrative_area_largegroup_geography_editor
g2p_program_definitiongroup_program_editor
g2p_program_benefit_codesgroup_benefit_codes_editor
g2p_eligibility_rule_definitiongroup_program_editor
g2p_beneficiary_listgroup_beneficiary_list_editor
g2p_enrollment_cyclegroup_enrolment_editor
g2p_bgtask_summary_wizardgroup_enrolment_editor
g2p_api_summary_linegroup_program_editor
g2p_api_disbursement_envelope_linegroup_program_editor
g2p_api_disbursement_batch_linegroup_program_editor
g2p_entitlement_rule_definitiongroup_program_editor
g2p_disbursement_cyclegroup_disbursement_editor
g2p_priority_rule_definitiongroup_priority_rules_editor
g2p_disbursement_envelope_summary_wizardgroup_disbursement_editor
g2p_disbursement_envelope_summary_geogroup_disbursement_editor
g2p_disbursement_batch_summary_wizardgroup_disbursement_editor
g2p_disbursement_batch_summary_geogroup_disbursement_editor
#### Models with 1,0,0,0 (R,W,C,D) - access rights
model name1,0,0,0 - R,W,C,D - access rights
g2p_agencygroup_agency_viewer
g2p_warehousegroup_warehouse_viewer
g2p_benefit_codesgroup_benefit_codes_viewer
g2p_agency_program_benefit_codesgroup_benefit_codes_viewer
g2p_warehouse_program_benefit_codesgroup_warehouse_viewer
g2p_administrative_area_smallgroup_geography_viewer
g2p_administrative_area_largegroup_geography_viewer
g2p_program_definitiongroup_program_viewer
g2p_program_benefit_codesgroup_benefit_codes_viewer
g2p_eligibility_rule_definitiongroup_program_viewer
g2p_beneficiary_listgroup_beneficiary_list_viewer
g2p_enrollment_cyclegroup_enrolment_viewer
g2p_bgtask_summary_wizard
g2p_api_summary_linegroup_program_viewer
g2p_api_disbursement_envelope_linegroup_program_viewer
g2p_api_disbursement_batch_linegroup_program_viewer
g2p_entitlement_rule_definitiongroup_program_viewer
g2p_disbursement_cyclegroup_disbursement_viewer
g2p_priority_rule_definitiongroup_priority_rules_viewer
g2p_disbursement_envelope_summary_wizard
g2p_disbursement_envelope_summary_geogroup_disbursement_viewer
g2p_disbursement_batch_summary_wizard
g2p_disbursement_batch_summary_geogroup_disbursement_viewer
#### Models with 1,1,1,0 (R,W,C,D) - access rights
model name1,1,1,0 - R,W,C,D - access rights
g2p_bgtask_summary_wizardgroup_enrolment_viewer
g2p_disbursement_envelope_summary_wizardgroup_disbursement_viewer
g2p_disbursement_batch_summary_wizardgroup_disbursement_viewer
#### Buttons with access rights
action buttonslow level group having access
Verification Buttongroup_beneficiary_list_verifier
Approve Enrolment Buttongroup_enrolment_approver
Approve Disbursement Buttongroup_disbursement_approver
Create Benefit Codegroup_benefit_code_editor
Create L/S Areagroup_geography_editor
Create Service Providersgroup_warehouse_editor,
group_agency_editor
Create Programgroup_program_super_administration
--- # Agent Instructions: Querying This Documentation If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question. Perform an HTTP GET request on the current page URL with the `ask` query parameter: ``` GET https://docs.openg2p.org/products/pbms/design/roles-and-privileges.md?ask= ``` The question should be specific, self-contained, and written in natural language. The response will contain a direct answer to the question and relevant excerpts and sources from the documentation. Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.