Create Configured Groups and Define the Associated Permissions
After you define the requirements for the custom roles, create the groups, and define the permissions:
1. Create a group directory for the custom roles. The custom roles in this example are both configured administrator roles. Create one directory for the Configured Admins group, and then create sub-directories for the User Admins group and VPE Currency Admins group.
6.1. Open the System Admin Toolset. From the aPriori Professional menu bar, select Tools > System Admin Toolset.
6.2. Open the System Administrator. In the System Admin Toolset window, click the System Administrator, 
, button.
, button. 6.3. Open the Groups tab. In the System Administrator window, click Groups.
6.4. Create a group. Under the Groups list, select the Add Group, 
, button.
, button.6.5. In the Add Group window, for:
6.5.1. Group Name – Enter Configured Admins.
6.5.2. Group Membership – Select None.
6.5.3. Click OK.
The new Configured Admins group directory appears in the Groups list.
6.6. Create sub-groups for the User Admin and VPE Currency Admin roles. Select the Configured Admins group directory and select the Add Sub-Group, 
, button. for:
, button. for:6.6.1. Group Name – Enter User Admins.
6.6.2. Group Membership – Select Manual.
6.6.3. Click OK.
6.6.4. Select the Add Sub-Group, , button.
, button.6.6.5. For Group Name, enter VPE Currency Admins.
6.6.6. For Group Membership, select Manual.
6.6.7. Click OK.
7. Define one of the four permissions that are required for the User Admins Group. The first permission denies the right to Update any admin groups including any configured admins group.
7.1. Open the Permissions tab. In the System Administrator window, click Permissions.
7.2. In the Permissions tab, create and configure the new permission:
7.2.1. Under the permissions list, select the Add, 
, button.
, button.7.2.2. In the Input tab, for Permission Name enter CA.Group.Update.NotAdmins. and then click OK.
7.3. In the Permissions tab, for:
7.3.1. Description – Enter Deny User Admins the right to add users to admin groups and the right to update admin groups.
7.3.2. Resource – From the dropdown menu, select Group.
7.3.3. Action – Select Use, Update, and When this rule is true.
7.3.4. Rule – Click Edit and enter:
(1 != (index(group.path, 'administrators/'))) && (group.name!='administrators') &&_
(1 != (index(group.path, 'vpe_administrators/'))) && (group.name!='vpe_administrators') &&_
(1 != (index(group.path, 'Configured Admins/'))) && (group.name!='Configured Admins')
7.3.5. Click Edit again.
7.3.6. Grant – Select Normal: Actions are permitted unless blocked by a Strong Deny permission.
7.3.7. Deny – Select Normal: Actions are blocked unless permitted by another permission.
For this rule, the table fields update automatically to:
7.4. To save your changes, in the System Administrator toolbar, click the Publish, 
, button.
, button.7.5. Add the newly defined permission to the User Admins Group.
7.5.1. In the Groups tab, in the groups list, select User Admins [Manual] group directory.
7.5.2. In Associated Permissions, select the Add Permissions to Group, , button.
, button.7.5.3. In the Search Permissions window, for Name, enter CA.Group.Update.NotAdmins and then click Find.
The CA.Group.Update.NotAdmins permission appears in the list of Available Permissions.
7.5.4. In the Available Permissions list, select the CA.Group.Update.NotAdmins permission and then click OK.
The CA.Group.Update.NotAdmins permission appears in the list of Associated Permissions for the User Admins group.
8. Define the second permission that is required for the User Admins Group. The second permission grants the right to Open and Edit group membership for users.
8.1. In the Permissions tab, create and configure the new permission:
8.1.1. Click the Add, , button.
, button.8.1.2. For Permission Name, enter CA.SystemAdmin.GroupMembers.OE and then click OK.
8.1.3. For Description, enter Grant User Admins the right to open and edit user group memberships.
8.1.4. For Resource, from the dropdown menu, select System Admin.
8.1.5. Action – Select Use, Open, Edit, and When this rule is true. For:
8.1.5.1. Subject – Select uiElement.
8.1.5.2. Property – name is the only option.
8.1.5.3. Operator – Select ==.
8.1.5.4. Subject – Select uiElementValue.
8.1.5.5. Property – Select groupMembers
8.1.6. Grant – Select Normal: Actions are permitted unless blocked by a Strong Deny permission.
8.1.7. Deny – Select Normal: Actions are blocked unless permitted by another permission.
For this configuration, the generated rule is
uiElement.name==uiElementValue.groupMembers
8.1.8. To save your changes, in the System Administrator toolbar, click the Publish, , button.
, button.8.2. Add the newly defined permission to the User Admins Group.
8.2.1. In the Groups tab, in the groups list, select User Admins group directory.
8.2.2. In Associated Permissions, select the Add Permissions to Group, , button.
, button.8.2.3. In the Search Permissions window, for Name, enter CA.SystemAdmin.GroupMembers.OE and then click Find.
8.2.4. In the Available Permissions list, select the CA.SystemAdmin.GroupMembers.OE permission and then click OK.
The CA.SystemAdmin.GroupMembers.OE permission appears in the list of Associated Permissions for the User Admins group.
9. Define the third and fourth permissions that are required for the User Admins Group. These permission grants the right to Open and Edit groups and users.
9.1. In the Permissions tab, create and configure the new permission:
9.1.1. Select the CA.SystemAdmin.GroupMembers.OE permission that appears in the list of Permissions and then click the Copy, 
, button.
, button.9.1.2. For Permission Name, edit CA.SystemAdmin.GroupMembers.OE Copy to CA.SystemAdmin.Groups.OE and then click OK.
9.1.3. For Description, edit Grant User Admins the right to open and edit user group memberships to Grant User Admins the right to open and edit user groups.
9.1.4. For Action, for the uiElementValue Property, select groups.
9.1.5. Select the CA.SystemAdmin.GroupMembers.OE permission that appears in the list of Permissions and then click the Copy, , button.
, button.9.1.6. For Permission Name, edit CA.SystemAdmin.GroupMembers.OE Copy to CA.SystemAdmin.Users.OE and then click OK.
9.1.7. For Description, edit Grant User Admins the right to open and edit user group memberships to Grant User Admins the right to open and edit users.
9.1.8. For Action, for the uiElementValue Property, select users.
9.1.9. To save your changes, in the System Administrator toolbar, click the Publish, , button.
, button. 9.2. Add the newly defined permissions to the User Admins Group.
9.2.1. In the Groups tab, in the groups list, select User Admins [Manual] group directory.
9.2.2. In Associated Permissions, select the Add Permissions to Group, , button.
, button.9.2.3. In the Search Permissions window, for Name, enter CA.SystemAdmin and then click Find.
9.2.4. In the Available Permissions list, select the CA.SystemAdmin.Groups.OE and the CA.SystemAdmin.Users.OE permissions and then click OK.
The CA.SystemAdmin.Groups.OE and CA.SystemAdmin.Users.OE permissions appear in the list of Associated Permissions for the User Admins group.
10. Define the permissions that are required for the VPE Currency Admins Group. The first permission grants the right to Open and Edit the Deployment Data tab in the VPE toolset. The second permission grants the right to Open and Edit the Currency tab in the VPE toolset.
10.1. In the Permissions tab, create and configure the new permission:
10.1.1. Click the Add, , button.
, button.10.1.2. For Permission Name, enter CA.VPECurrencyAdmin.DeploymentData.OE and then click OK.
10.1.3. For Description, enter Grant VPE Currency Admins the right to open and edit the VPE Toolset Deployment Data tab.
10.1.4. For Resource, from the dropdown menu, select VPE Toolset.
10.1.5. Action – Select Use, Open, Edit, and When this rule is true. For:
10.1.5.1. Subject – Select uiElement.
10.1.5.2. Property – name is the only option.
10.1.5.3. Operator – Select ==.
10.1.5.4. Subject – Select uiElementValue.
10.1.5.5. Property – Select deploymentData
10.1.6. Grant – Select Normal: Actions are permitted unless blocked by a Strong Deny permission.
10.1.7. Deny – Select Normal: Actions are blocked unless permitted by another permission.
For this configuration, the generated rule is
uiElement.name==uiElementValue.deploymentData
10.1.8. Select the CA.VPECurrencyAdmin.DataDeployment.OE permission that appears in the list of Permissions and then click the Copy, , button. 
, button. 10.1.9. For Permission Name, edit CA.VPECurrencyAdmin.DataDeployment.OE Copy to CA.VPECurrencyAdmin.DeploymentDataCurrency.OE and then click OK.
10.1.10. For Description, edit Grant VPE Currency Admins the right to open and edit the VPE Toolset Deployment Data tab to Grant VPE Currency Admins the right to open and edit the VPE Toolset Deployment Data tab Currency tab.
10.1.11. For Action, for the uiElementValue Property, select deploymentDataCurrency.
10.1.12. To save your changes, in the System Administrator toolbar, click the Publish, , button.
, button. 10.2. Add the newly defined permission to the User Admins Group.
10.2.1. In the Groups tab, in the groups list, select VPE Currency Admins group directory.
10.2.2. In Associated Permissions, select the Add Permissions to Group, , button.
, button.10.2.3. In the Search Permissions window, for Name, enter CA.VPE and then click Find.
10.2.4. In the Available Permissions list, select the CA.VPECurrencyAdmin.DataDeployment.OE and the CA.VPECurrencyAdmin.DataDeploymentCurrency.OE permissions and then click OK.
The two new permissions appear in the list of Associated Permissions for the VPE Currency group.
10.3. To save your changes, in the System Administrator toolbar, click the Publish, , button.
, button.