New Users And Roles¶
Only the user with Admin role can create user accounts and assign Roles to Users.
Exception-My Data Accounts
Anyone registering online for an event or giving online can check a box to create his own My Data user account. This type of account does not have any roles associated with it. The System Admin can also create these accounts for individuals by selecting My Data when adding a new user account for an individual. If you do not want these types of users to view their own Profile tab you can add the Administrative Setting HideMemberStatusFromMyData = true.
Every TouchPoint user with access to the system must have a people record with a valid email address and a user account. They must also be assigned one or more roles to be able to do anything other than view / edit their own record. These roles depend on their responsibilities within the church. Remember, a My Data user will have an account, but no roles.
Only an Admin who also has Finance role can assign the Finance role to another user. If your System Admin does not have this role, send a support request asking one of our TouchPoint Support Team members to add that role for the user.
If you do not see some of the roles listed below in your list of roles on your church’s database, that means that it is a newer role that was added after your database was created. You, as the Admin, can add these new roles. Be careful to name the role exactly as you see it listed.
We also have a help article with some helpful hints (best practices) when adding and removing new users.
This page is accessed under Administration > Manage > Misc > Users and can be used to quickly see which users have a specific role. You can even filter for those with specific roles. In the list, the person’s name is a link to their people record. The management of users themselves, including the creation of new users, is done on the System > User Account tab of the people record.
There is also a SQL Report named User Roles your Admin can add to your database.
This training video demonstrates how to create a new user and assign roles.
Create a New User¶
- Go to the person’s record.
- Make sure they have a good email address.
- Click on the System > User Account tab.
- Click + Add User button.
- Select the necessary roles.
- Be sure to check the Send Welcome email? box so that they will be sent an email that will contain their username and a link to set their password.
- Click Save
By default, MyData is checked. If you are creating an account for a Leader (not a staff member), just click OrgLeadersOnly(limiting role). This will automatically select the Access role which is required for this type of user. For staff users, be sure to click one of more of the Basic Level 1 roles. Access is required for all staff members.
- Delete a User Account
- You do not have to delete user accounts, when staff members leave. You can just click My Data and leave the account as a My Data account.
- Go to the person’s record.
- Click on the System > User Account tab.
- Click Actions > Delete User Account, then answer Yes to the prompt.
If the person has more than one user account, first click either the username for the account you want to delete, or click the Edit button for that account.
Adjust roles for an existing user¶
Do not add a new user account for users if you just need to assign them more roles. Follow the instructions below.
- Go to the person’s record, choose System > User Account tab.
- Click on the username (or the Edit button) which will open a dialog box.
- Check the boxes for the roles they need and then click Save.
If you need to send the User Welcome, be sure to check that box before you click Save. By default that box is not checked.
You can change their password here, too; if, for some reason, you need to change it for the user. Otherwise, sending the Welcome email will allow the user to reset their own password. See below for a discussion of the various roles.
Add a New Role¶
How to create new roles in your database.
- Go to Admin > Setup > Lookups
- Select Roles
- Click the Add Role button
- Click on the Role Name - which will be NEW and type the name of the role.
- Click the blue checkbox to save the role.
The only roles you should add that are not listed below are those you will use as security roles. These would be roles assigned to limit visibility of Contacts, Organizations, Extra Values, Email Templates, etc. so only users with that role can view them.
There are three roles that should be mentioned on the front end: Access, Admin and OrgLeadersOnly.
- Access Role
The one role that is common to all users (except My Data users) is the Access role. This gives the user the ability to log in to and see information in your database. This role must assigned to everyone who has a user account on TouchPoint, regardless of whether they are Staff or Laity. The exception is the My Data user. These users are not assigned any roles other than the pseudo role named My Data. The system will actually prevent you from assigning a role without selecting Access. If you deselect Access, the system will revert the user to a My Data user.
Exception re Access Role
Checkin is the only user role that can be assigned without selecting Access. This allows the user to only log into Check-In.
See Access role below for a complete explanation of the permissions assigned with this role.
- Admin Role
This role should be assigned to the person(s) who will serve as the System Administrator for your church’s TouchPoint database. This role is not the role to give to someone whose position at the church is Administrative Assistant, for example. Admin in TouchPoint’s use case means the administrator of your data.
You should only assign this role to no more than 3 users, as it allows privileges that can result in problems if the user does not fully understand the database. This user can view all sent emails, except those regarding contributions, unless he also has Finance role. This user should always have Access and Edit roles in addition to Admin.
See Admin role below for a more complete explanation of the permissions assigned with the Admin role.
- OrgLeadersOnly Role
This role is assigned (in addition to the Access role) to all non-staff TouchPoint users. These are normally the lay leaders in the church, such as Teachers, Deacons, In-Reach Leaders, etc. Unlike other roles which give privileges, this role actually limits the user’s privileges. The OrgLeadersOnly user can access (view) only the records for those people who are enrolled in organizations over which this user is a leader.
This type of user can view current and previous members of an org he leads, as well as guests. You can read more about this role and the privileges it gives to lay leaders in the Lay Leader help article listed below.
When you select OrgLeadersOnly, the Access role will automatically get checked, as Access role is required in addition to OrgLeadersOnly role. Also, the person’s Member Type in the org(s) must one that is flagged as a leader in order view for him to view members of the organization.
Some organizations may have a setting that allows only users with a specific role to view the org. This means that users without that role cannot access the members of those orgs. That is true for OrgLeadersOnly users, even if they are a member or a leader in that org themselves. This is setting is for orgs that are confidential in nature - like Overcoming Abuse or Dealing with the Death of a Child.
All user roles except Checkin and MyData require the user to also have Access.
This is the key role that is required for your staff and lay leaders. See important note above. This gives ‘view only’ access to the most basic information on all people records and organizations. This role is all that is needed by most ministers who may not need or want to edit records or record attendance. Most other staff members will need additional roles in order to perform their jobs.
Toolbar - Access users can use the blue Toolbar to send email, and generate reports and exports for the set of records they can access.
Contacts & Tasks - Access role also allows users to add and edit Contacts and assign, accept, and complete Tasks. This user can also access Reports in the Main Menu and run any that are not blocked with another role.
Search Builder & Tags - This role also gives users rights to Search Builder where they can create, save, and run their own and any public searches. Users with Access can also create and share Tags.
Add a new person - Without Edit or Attendance role, a user with only Access role would not be able to add a new person to the database except in the following cases: 1) When adding a Contactee while recording a Contact if the person is not in the database; 2) From the Main Menu > Manage People > Add Person, but only if the church allows that feature to be used. There is a setting that can disable use of Add Person from the Main Menu, and we recommend you add it to your database so new records get added in context.
Confidential information such as Contributions and Volunteer Approval Forms require special roles and are not accessible by users with only Access role.
The Admin role gives rights to create users and assign roles; manage database Settings, and perform several admin functions that are under the gear icon on the blue Toolbar on the Org > Search. These are Drop all Members and Make Org Inactive, Move all Pending Members to Members, and Repair Transactions, which is sometimes required after a conversion.
The Admin role also gives privileges to manage Programs and Divisions, and set up and finalize Promotion, view all emails, except those relating to contributions (unless he also has Finance role), and view the SMS log.
The Admin user can perform all the batch actions listed on the Admin menu and access the reports listed there.
In addition to the Admin role, we recommend that your System Admin have the following roles:
Basic Level 1: Access, Edit, Attendance, and Manage Groups
Basic Level 2: Coupon. The other roles in this level are granted automatically with Admin role.
Special Purpose: Checkin (for testing purposes)
None of the roles under Special Purpose are automatically assigned when you give a user the Admin role. However, in order to trouble-shoot for other users, he should probably have all of these roles except OrgLeadersOnly. Do not assign that role to an Admin users.
Financial: Finance - If the Admin user will not be assigned the Finance role he will need Manage Transactions. If he is assigned Finance role he does not need Manage Transactions or Finance Admin.
Advanced Roles: Admin (of course), OrgTagger and others as needed. You do not have to assign Manager and Manager2 roles because those functions are available when you have the Admin role.
- Gives user rights to upload and view the volunteer form on the volunteer tab of a person’s record. Users with this role can also view and edit the notes on that tab. User must also have Access role.
- Gives user rights to record attendance for organizations, add guests to a meeting, create new people records for new guests, and join guests to the organization. User must also have Access role.
Allows the user to request background checks from Protect My Ministry. Must also have ApplicationReview role and Access.
Only users with Checkin role will be able to log into the checkin software. Those users do not need Access role, just Checkin.
Create a people record for check-in, giving it a name such as Children’s Ministry and assign the role Checkin without any other roles. This is the user you should log on as when starting up check-in.
This role allows a user without the Edit role to edit the special Members Only page for an organization. Giving an OrgLeadersOnly user the ContentEdit role will allow him to edit the Members Only page, but not have rights to edit anything else. A user with Edit role can also edit that page if they are a leader in the org without needing ContentEdit role. Access role is also required.
Gives users rights to create Coupons to be used for those who make cash or check payments for on-line registrations (see on-line registrations article for further explanation). Access role is also required.
- Allows a person with both Coupon and Coupon2 to create a multi-use coupon. That is one that can be re-used. Access role is also required.
Allows the user to request credit checks from Protect My Ministry. Must also have ApplicationReview and BackgroundCheck roles. Access role is also required.
Allows a user with the Admin role to delete people records and organizations when one is created by mistake. Access role is also required.
For an Admin to be given the Delete role, he must submit a Support Request and ask for it.
Gives access to create and manage email templates. Without that role, only an Admin can access and edit Templates. Access role is also required.
- Only relevant to the TouchPoint developers.
- Gives user the right to makes changes to the Personal tab, but not the Profile Member tab. Gives the user rights to add and drop members from an Organization, schedule emails, manage Parent/Child Organizations, and edit extra values. Also, a user with Edit, who is a leader in the org, can edit the Members Only page in that org. The user can access the blue Toolbar to send emails, run reports and exports, use Search Builder to create and save searches. A user with Edit can create new orgs, access manage organization members from the main menu. Access role is also required.
If you add this user role to your database and add the Setting EnforceEditCampusRole = true, only those users with EditCampus will be able to edit the Campus on a person’s record. Access role is also required.
If you have the user role EditCampus, the Setting EnforceEditCampusRole = true, and the Setting MyDataCanEditCampus = true, then any user can edit his own Campus. However, only a user with EditCampus role can edit the campus for any other person’s record.
- Gives user rights to view and post individual contributions, run contributions reports, create and manage bundles,and create new Funds. This user can also view all emails under Administration > Communication > Emails. Access role is also required.
- Gives user rights to re-open closed bundles. User must also have Finance role and Access. Without FinanceAdmin role, a user with Finance cannot reopen a closed bundle.
Assign this role as well as Access to a user that just needs to be able to create Bundles and post contributions. They will not be able to view anything else related to contributions.
Contributions - see this section
- This role can be assigned (along with Access and any other roles needed) to a user that needs to view summary financial reports, but not be able to view individual contributions or reports showing individuals’ contributions, or perform any contribution data entry. Do not give this user Finance role, as that will override this one.
- Allows the user to view Administration > Communication > Emails. This user cannot view contribution emails unless he also has Finance role. Access role is also required. This role also allows this user to designate someone to email on behalf of another user.
- Gives user rights to create, rename, and delete sub-groups in organizations. Access role is also required.
- This role allows a user such as a pastor or System Admin to view contacts and contact reports that are protected with a role regardless of what other roles that user has. Access role is also required.
- Allows the user to view the Transactions Log under the Admin menu. Access role is also required.
- Gives user rights to the Merge Controller - to merge basic info. Access role is also required.
- This allows a user with both this role - Manager2 as well as the Manager role to use the Merge/Delete button on the Merge Controller page without having to give the user the Admin role. So, be sure this user has both Manager and Manager2 roles. Access role is also required.
- This allows a user to view the Membership Documents without being able to upload or delete them or make any other edits to Membership. Access role is also required.
- Gives user rights to edit the membership tab of a person’s record as well as to enter/edit the deceased date on a person’s basic tab. Access role is also required.
Allows the user to view reports related to special Mission Trip organizations. Access role is also required.
This is a limiting role. When you add this role to Access role the user can access only the records of enrolled in organizations in which the user is a Leader. Access role is also required.
- Gives user rights to assign main divisions and Org Types on the Organization Search/Manage page on the Management View tab.
- Gives user rights to schedule emails to be run in the future. A user with OrgLeadersOnly can be assigned this role without having Edit and still schedule emails. A user with Edit role does not need this role in order to schedule emails. Access role is also required.
Used with a Twilio account. Allows the user to send text messages Access role is also required.
Roles are added based on the specific job requirements. Remember, all users must have the Access role (except My Data users and a record used to log in to Checkin). Only those who need it to perform their jobs should have the Finance role. Those with Application Review have access to possibly confidential volunteer applications.
Only an Admin with Finance role can assign the Finance role to another user. If your church’s Admin does not have both roles, submit a help request and we can assign the Finance role to the person that needs it.
Job Position Examples¶
Here are some examples of the roles that might be assigned to an individual in a specific job position.
- System Admin
- Manage Groups
- Coupon & Coupon2
- As the System Admin, you can assign yourself any of the other roles that you need in order to help a user troubleshoot.
- Secretary/Administrative Assistant
- Manage Groups
- Financial Secretary/Cashier
- Outside Accountant
- Application Review
- Ministry Assistant
- Application Review
- New People Manager
- Manager (assign the Manager2 role to the Admin)
- Teacher/Lay leader
- Org Leaders Only
- Small Group Leader
- Org Leaders Only
- Discipleship Lay Leader
- Org Leaders Only
- Manage Groups
- Check-In Volunteer
Impersonate a User¶
An Admin user can, when nedded, impersonate a user on TouchPoint and see what that user is seeing, in order to provide assistance to that user. Here is how to do that:
- Go to the user’s people record System > User Account.
- Select the Edit button on the right side of the page from their username.
- Next select Actions > Impersonate User
At that point, you will be viewing the Home Page as that user. You can navigate to anywhere that user has permissions.
Be sure to log out from that user’s account and log back in as yourself.
A user without Finance cannot impersonate another user that has Finance role.