Elevated privilege roles Elevated privilege roles require a user to manually accept the responsibility of using the role before the user can access the features of the role. By default, the system does not allow users to have elevated privilege roles upon login only. They must manually elevate to the privilege of the role. An elevated privilege role only lasts for the duration of the user session. Session timeout or logout removes the role. You can designate any role as an elevated privilege role, and then assign that role to one or more users. You should do this when you want to restrict users from having access to the rights that the role provides right away after login. You can designate the privilege role on the Role form. See Create a role for instructions. To use an elevated role, all these conditions must be met: The role must be assigned to the user. The user must manually elevate roles. The security_admin role In the base system, the security_admin role is the only role that has elevated privileges. This role is automatically assigned to the user who is the default System Administrator (admin) user. It provides access to ACLs and High Security Settings. Figure 1. Roles assigned to the System Administrator (admin) user Note: To see this role, you must actually elevate to the security_admin role first. If you are logged in as the System Administrator (admin) user only, you cannot see the security_admin record in the list of roles. Figure 2. The security_admin role record security_admin roleThe security_admin role is an elevated privilege role provided with High Security Settings that lets users create and change access controls and change High Security Settings.Elevate to a privileged roleThe base system admin can elevate to a privileged role to have access to the features of High Security Settings.Force administrators to manually elevateA property is available to force all users with the administrator role to manually select the role that they want to elevate to.