Manage Roles
Manage Roles is where you define the roles that determine what each user can see and do in Aqualus Water. Each role is a named template covering all 20 permission areas. Assign a role to a user on the Manage Users page and that user inherits every permission level set in the role.
The page lists every active role with the columns Role Group Name, Description, SSO Group Mapping, and an Operations menu.
Default and custom roles
Aqualus Water ships with six default roles. They cover the most common staff functions and can be used as-is or duplicated and adjusted.
Default role | Description |
|---|---|
Billing / Customer Officer | Customer and billing management with public user administration. |
Data Analyst | Read-only access across all modules for reporting and analysis. |
Executive User | High-level read-only access for executive oversight and reporting. |
Field Operator | Field operations with mobile access and read-only reporting. |
System Administrator | Full system access with user management and system configuration. |
Water Systems Officer | Operational access for water systems management without admin privileges. |
Default roles cannot be edited or deleted, which keeps them stable as a baseline reference. They can be viewed and duplicated. Custom roles are roles you have created yourself, normally by duplicating a default role and adjusting the permissions. Custom roles can be edited, deleted, and duplicated.
Viewing a role's permissions
Click Operations next to the role and choose VIEW Permissions. The dialog shows each of the 20 permission areas and the access level set for that role. The view is read-only for default roles. For custom roles, edit through the Edit operation rather than from this dialog.
Duplicating a role
Click Operations next to the role and choose DUPLICATE Role. The Duplicate Role Group dialog opens with the source role pre-filled and a field for the new role name. Enter a name and click Save. The duplicate is created with the same permissions as the source, marked as a custom role, and appears in the role list ready to edit.
Duplicating is the recommended way to create a new role. Start from the default that most closely matches the function you need, give it a meaningful name, then adjust the permissions that should differ.
Creating a role from scratch
Click + Create Role at the top right or bottom right of the page. Enter the role name, description, and permission levels for each of the 20 areas, then save. Use this only when none of the default roles is a useful starting point.
Editing a custom role
Click Operations next to the role and choose EDIT to update its name, description, or permission levels. Saving the change updates every user currently assigned to the role. There is no separate publish step.
Deleting a custom role
Click Operations next to the role and choose DELETE. A custom role can only be deleted if no users are currently assigned to it. Reassign the affected users to a different role before deleting.
SSO group mapping
The SSO Group Mapping column on the role list shows which SSO group, if any, is mapped to each role. When a user signs in via SSO, Aqualus Water reads the groups returned by the identity provider and assigns the matching role automatically. This removes the need to set the role manually for SSO-managed users.
To set an SSO mapping for a role, edit the role and enter the group name exactly as it is configured in the identity provider (Azure AD, Okta, or equivalent). One group maps to one role. If the identity provider returns multiple matching groups for a user, the order configured at the identity provider end determines which role is applied.
The Aqualus Water default System Administrator role ships with the SSO group mapping systemAdministrator. The other defaults ship with no mapping. Set the mappings that match your organisation's SSO configuration before relying on SSO-driven role assignment.
For the full Azure AD / Entra ID setup, see the Single Sign On for Aqualus Water - Azure AD / Entra ID Setup and Implementation knowledgebase article.