Lower User Roles not allowed to create higher Role

Ive bought this up before. and what better time to ask, than when one of my clients till has been wrecked by Staff completely the fault of the owner. Luckily it uploads backups to me so I can fix the problem, but we need to prevent it in the first place.

The Owner of the bar has decided to just share his RFID fob with the staff rather than create their own, for reasons I have no idea. Im set up as an Admin on their till, but id like to be able to not allow the owner to give himself Admin rights. I really need to restrict what they can do.

I really feel for the interest of security, that a role that has been given access to the ‘Create User’ Navigation AMC cannot create a role that is higher than their own. Or at least only allow 1 Admin role, or even create a higher role called Super Admin with only 1 assigned Super Admin allowed.

Not everyone uses Entities, and for my situation I feel using the original Users and User Role system works best for me.



Definitely agree this needs to be implemented

This also leads on to a more flexible way of prmitting parts of manage section.
We can link to a specific page of managment with custom menu nav button but would be much cleaner to have permissions for viewing the subsections of admin as a user roll feature than just mapping a button for a specific page.

1 Like

Ah yeah mapping out the area where they could change the role types would work well!

But user roll is same screen as creating/editing user so that wouldnt work for that senario…

Ok… I thought of a solution, not sure how @emre feels about this?

Add User Action where you can pre determine the role.

A rule with AMC and action [?User Name] and the role already pre selected in the action in my case it would be ‘Employee’.


You could just use SQL to create users.

You could… if u know how :stuck_out_tongue:

Would that be a case of just dumping info into a table?

Found this

I’ll look into that tomorrow

I just need to know how to make a pop up to allow me to set the user name… and pin

Creating users via SQL is super simple. I mean only 3 fields you need to create. PinCode, Name, UserRole_id Just find the role id that matches the role you want for the user and then insert that with the new user.

I can see how it’s done using sql with the post above. But how do I make it set the name and pin with a field?


INSERT INTO [Users] ([PinCode], [Name], [UserRole_Id]) VALUES (000000, 'A Name', 4)

Obviously if I set these to

INSERT INTO [Users] ([PinCode], [Name], [UserRole_Id]) VALUES ([?Pin], '[?UserName]', 4)

That’s not gonna work right?

No you would use a {CALL:X} tag to call your SQL function and feed the variables into the script from that… Or just use the SQL Helper tags directly.

So before I just got busy, I was playing with Update Program Setting.

Am I on the right path here?

You should be able to pass parameters directly into the script. I have done many times but only with the SQL within the JScript not directly into the SQL using handlers. However not tried [?prompt] inside a {CALL:X}…

However have a slight concern in that username and pin must be unique… @Jesse will the insert just not happen if there are duplicate values? Is the uniqueness a column parameter?

yes they need to be unique so you would need to check that first

1 Like

So I would personally look to do a JScript which will be more manageable to do a couple of selects to check user and pin are not already used and then to the insert if all is ok.

SQL in script is fairly simple…
Here is a sample for getting a program setting;

function getValue(settingName) {
  var qry = "SELECT [Value] FROM [ProgramSettingValues] WHERE [Name]='"+settingName+"'";
  var r = sql.Query(qry).First;
  return r;

the query is a string and then the ++ wrap the variables you want to put inline.

This update program setting maybe shows more into how you might do the unique user/pin verification;

function updateValue(settingName,settingValue) {
	var qry = "SELECT count([Name]) as CT FROM [ProgramSettingValues] WHERE [Name]='"+settingName+"'";				//--check if the ProgramSetting EXISTS
	var r = sql.Query(qry).First;
	if (r==0) 
		qry = "INSERT INTO [ProgramSettingValues] ([Name], [Value]) VALUES ('"+settingName+"','"+settingValue+"')";	//--if ProgramSetting does NOT exist, insert a row
		} else {
		qry = "UPDATE [ProgramSettingValues] SET [Value]='"+settingValue+"' WHERE [Name]='"+settingName+"'";		//--if ProgramSetting DOES exist, update the value

I lost you at ‘fairly simple…’ lol

Joking, ill read into this when home cos I think thisll take me a while to get my head around it.