What are permissions in Procore and how do they work?
Background
Each individual user's access to Procore is determined by their assigned permissions. Permissions are assigned for each user at two (2) levels:
- Company Level Permissions. Permissions to Company level tools.
Company level tool permissions are managed separately from Project level tool permissions because they allow users to interact with tools that are not specific to a given project. There is only one of each company level tool available in a company's Procore account.
Some company level tools are repeated at the project level for different purposes. For example, the Company level Directory tool is used to manage all user accounts, regardless of which projects those users are working on. The Project level Directory tool allows you to manage which users have access to a specific project and its tools.
- Project Level Permissions. Permissions to Project level tools.
A project level tool helps users manage project-specific data and processes. Each project will have its own unique set of project tools.
For example, you might use the RFIs tool on several projects, but since each project's RFIs list is unique, each project will have its own unique RFIs tool. As a best practice, you'll give access to a project's RFIs tool to only the users who are working on RFIs for that project.
Both project level and company level tool permissions are managed by using Permission Templates. When you license Procore and start setting up your company's account, you'll see a set of default permission templates available to assign to users in your account. You can use these templates as they are, or you can modify them to fit the needs of your team.
When configuring permissions it's usually best to give users just enough access to accomplish their work, but not more. This approach helps minimize the potential for errors, and maximize the security and integrity of your project data.
Answer
There are many types of configurations you can achieve when managing permissions in Procore. The way permissions work at both the company and project level is very similar. Permissions are layered using three (3) components:
General Permission Levels
General permissions levels are the basic permission levels available for each tool in Procore. They are:
- None. No permissions to the tool at all. If a user has 'None' permissions to a tool, it will not be visible in their tool menu.
- Read Only. Generally speaking, this level allows users to see information in a tool, but not interact with it.
- Standard. Generally speaking, this level allows users to see information, and interact with it, but not manage certain things like configuration settings or other administrative actions.
- Admin. This level of access allows users full access to a tool, its configurations, and capabilities.
With few exceptions, users will be granted one of these general permission levels on all tools, both company and project level, across their company's Procore account. Then, additional permission layers like granular permissions can be added to enhance a user's capabilities in a more granular way.
Granular Permissions
There are other permissions that can be used to refine the capabilities of a user, in combination with a general permission level (like 'Read Only', or 'Standard'). These are called 'granular permissions.' You can think of granular permissions like an extra layer on top of the general permission levels. They allows users just a little bit more access to a specific part of a tool, without moving them up an entire general permission level.
This extra permission layer isn't applicable to users with 'None' permissions, because when assigned 'None' permissions on a tool, users have no access that tool at all. This extra layer also doesn't apply to users with 'Admin' level permissions because those users already have the ability to do everything that's possible in a tool.
This permission layer is primarily used to give a user the ability to perform a specific task in a tool that the general permission level they're assigned doesn't allow for alone. For example, a user with 'Standard' level permissions to the Directory tool (either project or company level) can't add a new user to the Directory. However, if that user is given the granular permission 'Create and edit users', they can then take that specific action in addition to the actions they can take with 'Standard' level permissions alone.
To learn more about the granular permissions that are available in Procore, and how to assign them, explore these resources:
Role-Based Privileges
In some less common situations, there might be a third layer of permissions to assign a user to allow them to accomplish a task. This layer, called 'Role-based privileges', is only applicable to a few tools.
For example, if your company licenses the ERP Integrations tool to manage an integration with your ERP system, you will need to assign at least one user the role of 'Accounting Approver'. This role assignment is NOT managed in permission templates. The way you assign a role-based privilege depends on the specific privilege you're assigning.
Using the example of the 'Accounting Approver' role, you can assign this privilege to a user directly from their Company level Directory record. This particular role option is located just above the space where you can see their assigned permission templates, but is not part of a permission template or considered a granular permission. It is not visible in the Permissions tool, or in any permission templates.
To learn more about the role-based 'Accounting Approver' privilege, see Grant Accounting Approver Privileges.
Summary
Procore has two levels of tools, Project level and Company level. Users are assigned permissions to these tools using permission templates.
All users are given a general permission level for each tool, like 'Standard', or 'Read Only'. You can choose to assign an extra layer of more granular capabilities using granular permissions.
Some less common scenarios might require a user to be given a role-based permission in addition to a general permission level, or a general permission level with added granular permissions, to be able to accomplish certain tasks.
Explore the User Permission Matrix to review the permissions required to perform any task in any Procore tool on the web, and the Mobile User Permission Matrix to review permission requirements for tasks specific to the iOS and Android Procore applications.