In GemsTracker, every user is assigned to one group. One group is assigned one role. One role has a set of privileges. A role can inherit privileges from another role.
Additionally, a user is assigned to an organization (see adding users), and the user will only be able to access respondents of this organization, unless specific privileges have been granted. There are two ways in which a user can have access to respondents of other organizations:

1. By granting an organization the right to access one or more other organizations (an organization level privilege)
2. By granting the cross-organization privilege in a role, this will grant access to all organizations (a user-group privilege).

There are a few predefined roles: Super¹, admin¹, staff, researcher¹, guest, nologin, physisian, respondent, monitor, security¹.
Also a set of predefined groups is predefined: Super administrators¹, Local admins¹, Staff, Monitors and Respondents.
¹These have cross-organization privileges

The basic level to change rights is add a new group with one of the predefined roles.

Additionally, to create groups with customized privileges you need to:

1. create a new role
2. create a group with this role
3. make sure the group that can create accounts has access to this new role (needs to inherit from the new role you created and needs to be set at group level)

• Go to Roles under Setup - Access¹
• Go to new
• Enter role name, description and select parent roles from which this role will inherit rights
• Select the privileges this role will additionally have
• inherited privileges are shown at the end of the list
• Press 'Save'

¹ You can only see this tab if you have the right to access it

• Go to Groups under Setup - Access¹
• Go to new
• Enter groupname
• Select the role this group will have
• Press 'Save'

¹ You can only see this tab if you have the right to access it