Company Logo

Roles

Managing team roles and permissions in Zermmi.

Overview

The Roles tab is where you define what team members can see and do within your practice. Roles control access to features, patient data, clinical functions, and administrative settings.

Access: Organisation Settings > Roles tab

What you can configure:

  • Role names and descriptions
  • Role categories (Admin vs Practitioner)
  • Granular permissions across 8 workflow groups
  • Practice-specific customizations of global role templates

Quick Reference

| Concept | Description | |---------|-------------| | Role | A named collection of permissions assigned to team members | | Permission | Specific access to create, read, update, or delete data in a workflow | | Global Role | System-provided template (read-only) | | Practice Role | Custom role created for your practice (editable) | | Category | Classification as Admin or Practitioner | | Workflow Group | Organized set of related permissions (e.g., Patient Records, Financial) |

Understanding Roles

What is a Role?

A role is a collection of permissions that determines:

  • What features a user can access
  • What data they can view
  • What actions they can perform
  • What settings they can modify

Role Categories

Zermmi uses two main categories:

1. Admin Roles

Purpose: Administrative and operational staff

Typical roles:

  • Receptionist / Front Desk
  • Office Manager
  • Practice Administrator
  • Billing Coordinator

Common access:

  • Patient scheduling and records
  • Appointment management
  • Billing and payments
  • Communication and recalls
  • Practice settings (for managers)

Typical restrictions:

  • Limited or no access to clinical charting
  • No access to lab orders or diagnostics
  • Read-only access to procedures

2. Practitioner Roles

Purpose: Clinical staff providing treatment

Typical roles:

  • Dentist / General Practitioner
  • Dental Hygienist
  • Specialist (Orthodontist, Endodontist, etc.)
  • Dental Assistant

Common access:

  • Full patient records
  • Clinical charting and tooth notes
  • Procedure documentation
  • Lab orders and appliances
  • Treatment planning

Typical restrictions:

  • Limited access to practice administration
  • Limited access to financial settings
  • Read-only access to team management

Role Structure

Basic Information

| Field | Type | Required | Constraints | |-------|------|----------|-------------| | Code (Name) | Text | Yes | Max 50 characters, alphanumeric + spaces/-/_ only, must be unique per practice | | Description | Text | No | Max 500 characters, describes role purpose and typical users | | Category | Dropdown | Yes | "Admin" or "Practitioner" |

Permissions

Permissions are organized into 8 Workflow Groups, each containing specific capabilities:

  1. Reception & Scheduling
  2. Patient Records & Intake
  3. Clinical & Diagnostics
  4. Lab & Appliances
  5. Patient Communication & Recalls
  6. Financial & Treatment Codes
  7. Practice Administration
  8. Team & Role Management

Each workflow contains multiple permissions with 4 action types (CRUD):

  • Create - Add new records
  • Read - View existing records
  • Update - Modify existing records
  • Delete - Remove records

Example permissions:

  • appointments:create
    - Can create new appointments
  • patients:read
    - Can view patient records
  • procedures:update
    - Can modify procedure details
  • roles:delete
    - Can delete roles

The 8 Workflow Groups

1. Reception & Scheduling

What it controls: Appointment booking, calendar access, and schedule management

Key permissions:

| Permission | Allows User To | |-----------|---------------| | 

appointments:create
| Book new appointments | | 
appointments:read
| View appointments on calendar | | 
appointments:update
| Modify appointment details, reschedule | | 
appointments:delete
| Cancel/remove appointments | | 
practitioner_availability:read
| View practitioner schedules | | 
practitioner_availability:update
| Edit practitioner working hours | | 
practice_closures:create
| Add practice holidays/closures |

Who needs this:

  • ✓ Receptionists (full access)
  • ✓ Dentists (read, create for follow-ups)
  • ✓ Office Managers (full access)
  • ✗ Billing staff (read-only or none)

2. Patient Records & Intake

What it controls: Patient demographics, medical history, intake forms

Key permissions:

| Permission | Allows User To | |-----------|---------------| | 

patients:create
| Add new patients to system | | 
patients:read
| View patient profiles | | 
patients:update
| Edit patient information | | 
patients:delete
| Remove patient records | | 
allergies:create/read/update
| Manage patient allergies | | 
medications:create/read/update
| Manage patient medications | | 
medical_forms:read
| View completed intake forms |

Who needs this:

  • ✓ Receptionists (create, read, update)
  • ✓ Dentists (full access)
  • ✓ Hygienists (read, limited update)
  • ✗ Some billing staff (read-only)

Important: Patient data is sensitive. Grant minimum necessary access.

3. Clinical & Diagnostics

What it controls: Clinical documentation, charting, procedures, tooth notes

Key permissions:

| Permission | Allows User To | |-----------|---------------| | 

procedures:create
| Document procedures performed | | 
procedures:read
| View procedure history | | 
procedures:update
| Edit procedure records | | 
charting:create/update
| Use dental charting tools (odontogram) | | 
tooth_notes:create/read/update
| Add/view notes on specific teeth |

Who needs this:

  • ✓ Dentists (full access)
  • ✓ Hygienists (full access)
  • ✓ Dental Assistants (read, limited create)
  • ✗ Receptionists (read-only at most)
  • ✗ Billing staff (read-only for coding)

Clinical staff only: This is the core clinical documentation area.

4. Lab & Appliances

What it controls: Lab orders, dental appliance tracking

Key permissions:

| Permission | Allows User To | |-----------|---------------| | 

lab_orders:create
| Order lab work (crowns, bridges, etc.) | | 
lab_orders:read
| View lab order status | | 
lab_orders:update
| Update lab order details | | 
appliances:create/read/update
| Track dental appliances (retainers, dentures) |

Who needs this:

  • ✓ Dentists (full access)
  • ✓ Lab Coordinators (full access)
  • ✓ Dental Assistants (read, limited create)
  • ✗ Receptionists (read-only for scheduling)

5. Patient Communication & Recalls

What it controls: Recall reminders, patient communications, follow-up tracking

Key permissions:

| Permission | Allows User To | |-----------|---------------| | 

recalls:create
| Set up patient recalls (6-month checkup reminders) | | 
recalls:read
| View recall lists | | 
recalls:update
| Modify recall schedules | | 
patient_communications:send
| Send messages to patients |

Who needs this:

  • ✓ Receptionists (full access)
  • ✓ Hygienists (create, read)
  • ✓ Office Managers (full access)
  • ✗ Dentists (read-only, usually)

Recall management: Critical for preventive care and patient retention.

6. Financial & Treatment Codes

What it controls: Billing, treatment codes, pricing, fee overrides

Key permissions:

| Permission | Allows User To | |-----------|---------------| | 

billing:create
| Generate invoices | | 
billing:read
| View billing records | | 
billing:update
| Modify invoices | | 
treatment_codes:read
| View procedure codes and prices | | 
treatment_codes:update
| Modify treatment codes/pricing | | 
fee_overrides:create
| Apply discounts or price adjustments |

Who needs this:

  • ✓ Billing Staff (full access)
  • ✓ Office Managers (full access)
  • ✓ Receptionists (create, read)
  • ✗ Dentists (read-only)
  • ✗ Hygienists (read-only or none)

Sensitive area: Control who can modify pricing and fees.

7. Practice Administration

What it controls: Practice settings, form templates, system configuration

Key permissions:

| Permission | Allows User To | |-----------|---------------| | 

practice_settings:read
| View practice configuration | | 
practice_settings:update
| Modify practice settings (hours, contact, etc.) | | 
form_templates:create/update
| Design patient intake forms | | 
audit_logs:read
| View system activity logs | | 
reports:run
| Generate practice reports |

Who needs this:

  • ✓ Practice Administrators (full access)
  • ✓ Office Managers (full access)
  • ✗ Dentists (read-only)
  • ✗ Receptionists (none or read-only)
  • ✗ Billing staff (read-only for reports)

Admin-only: Most staff should NOT have access to practice settings.

8. Team & Role Management

What it controls: Managing staff, users, roles, and permissions

Key permissions:

| Permission | Allows User To | |-----------|---------------| | 

users:create
| Add new users to the system | | 
users:read
| View user list | | 
users:update
| Edit user details and roles | | 
users:delete
| Remove users | | 
roles:create
| Create new roles | | 
roles:read
| View roles and permissions | | 
roles:update
| Modify role permissions | | 
roles:delete
| Remove roles |

Who needs this:

  • ✓ System Administrators (full access)
  • ✓ Practice Owners (full access)
  • ✗ Everyone else (none)

Most restricted area: Only top-level admins should manage roles and users.

Global vs Practice Roles

Global Roles (Templates)

What they are:

  • Pre-built role templates provided by Zermmi
  • Based on common dental practice roles
  • Read-only (cannot be edited directly)
  • Available to all practices

Examples:

  • Dentist
  • Hygienist
  • Receptionist
  • Office Manager
  • Billing Coordinator

How to use:

  1. Browse global roles to find a template close to your needs
  2. Click Customize for this practice to create a practice-specific copy
  3. Modify the copy to fit your exact requirements

Benefits:

  • Quick setup with sensible defaults
  • Best-practice permission sets
  • Starting point for customization

Practice Roles (Custom)

What they are:

  • Custom roles created specifically for your practice
  • Fully editable
  • Only visible within your practice
  • Can be created from scratch or from global templates

Examples:

  • "Downtown Receptionist" (global Receptionist + specific customizations)
  • "Senior Dentist" (Dentist template + admin permissions)
  • "Treatment Coordinator" (custom role unique to your workflow)

How to create:

  1. From template:
    • Select a global role
    • Click Customize for this practice
    • Adjust name, description, permissions
    • Save
  2. From scratch:
    • Click Add Role
    • Enter name, description, category
    • Select permissions manually
    • Save

Benefits:

  • Tailored to your exact workflow
  • Can modify anytime as needs change
  • Reflects your practice structure

Viewing Roles

Role List

The left side of the Roles tab shows all available roles:

Organization:

  • Global roles listed first (with "Global" badge)
  • Practice roles listed below
  • Alphabetically sorted within each group

Information shown:

  • Role name (code)
  • Category (Admin or Practitioner)
  • Description (if provided)
  • Number of users assigned (for practice roles)

Selecting a role:

  • Click any role to view details on the right side
  • Details show:
    • Full description
    • Category
    • Assigned users (who has this role)
    • Complete permission matrix

Permission Matrix

When viewing a role, the permission matrix shows all permissions across the 8 workflow groups.

Layout:

  • Rows: Individual permissions (e.g., "Appointments", "Patients")
  • Columns: Actions (Create, Read, Update, Delete)
  • Checkboxes: Indicate granted permissions

Color coding:

  • ✓ Checked = Permission granted
  • ☐ Unchecked = Permission denied

Filtering:

  • Toggle workflow groups to focus on specific areas
  • All groups shown by default
  • Collapse/expand groups for easier navigation

Creating and Editing Roles

Creating a Practice Role from Global Template

Step-by-step:

  1. Navigate to Organisation Settings > Roles
  2. Click a global role that's close to your needs (e.g., "Dentist")
  3. Review the permissions in the detail view
  4. Click Customize for this practice button
  5. Dialog opens with:
    • Code (Name): Suggest a unique name (e.g., "Senior Dentist")
    • Description: Describe how this role differs from template
    • Category: Pre-filled from global role (can change)
  6. Click Create
  7. New practice role is created with same permissions as template
  8. You can now edit permissions as needed

Use when:

  • Starting fresh with a new practice
  • Adding a new staff position similar to existing roles
  • Want sensible defaults before customizing

Creating a New Practice Role from Scratch

Step-by-step:

  1. Navigate to Organisation Settings > Roles
  2. Click Add Role button
  3. Fill in:
    • Code (Name): Unique role name (e.g., "Treatment Coordinator")
    • Description: Purpose and typical users
    • Category: Admin or Practitioner
  4. Click Create
  5. Role is created with NO permissions
  6. Click Edit to add permissions
  7. Select permissions from the matrix
  8. Click Save permissions

Use when:

  • Your practice has unique roles not covered by templates
  • You want complete control over permissions from the start
  • Building specialized roles for specific workflows

Editing a Practice Role

Step-by-step:

  1. Click the practice role in the list
  2. Click Edit button
  3. You can modify:
    • Name (code)
    • Description
    • Category
    • Permissions (via checkbox matrix)
  4. Make changes to permissions:
    • Check boxes to grant permissions
    • Uncheck boxes to revoke permissions
    • Toggle entire workflow groups on/off
  5. Click Save permissions

Important notes:

  • Changes affect all users with this role immediately
  • No confirmation prompt for permission changes
  • Cannot edit global roles (must create practice copy first)
  • If users are currently assigned, consider impact before making major changes

Deleting a Practice Role

Step-by-step:

  1. Click the practice role in the list
  2. Click Delete button
  3. System checks if users are assigned:
    • If users assigned: Error message, cannot delete
    • If no users: Confirmation dialog appears
  4. Confirm deletion
  5. Role is permanently removed

Before deleting:

  • ✓ Check assigned users count
  • ✓ Reassign users to other roles first (in Team Hub)
  • ✓ Document why role is no longer needed
  • ✓ Consider deactivating instead if you might need it again

Cannot delete:

  • Global roles (not owned by your practice)
  • Roles with active user assignments

Assigning Roles to Users

Roles are assigned in the Team Hub page, not in Organisation Settings.

Process:

  1. Navigate to Team Hub
  2. Select a team member
  3. Click Edit or Assign Role
  4. Choose role(s) from dropdown
  5. Save

Users can have:

  • One primary role (typical)
  • Multiple roles (if permissions need to combine)
  • Different roles at different practices (for multi-location staff)

See: Team Hub documentation for detailed role assignment instructions.

Common Role Configurations

Receptionist / Front Desk

Category: Admin

Typical permissions:

| Workflow Group | Create | Read | Update | Delete | |---------------|--------|------|--------|--------| | Appointments | ✓ | ✓ | ✓ | ✓ | | Patients | ✓ | ✓ | ✓ | ✗ | | Patient Communication | ✓ | ✓ | ✓ | ✗ | | Billing | ✓ | ✓ | Limited | ✗ | | Clinical | ✗ | Limited | ✗ | ✗ | | Practice Admin | ✗ | Limited | ✗ | ✗ |

Rationale:

  • Full scheduling control
  • Can manage patient demographics
  • Handle recalls and communications
  • Process payments
  • Limited clinical access (only what's needed for scheduling)

Dentist / General Practitioner

Category: Practitioner

Typical permissions:

| Workflow Group | Create | Read | Update | Delete | |---------------|--------|------|--------|--------| | Appointments | ✓ | ✓ | ✓ | Limited | | Patients | ✓ | ✓ | ✓ | ✗ | | Clinical & Diagnostics | ✓ | ✓ | ✓ | ✓ | | Lab & Appliances | ✓ | ✓ | ✓ | ✗ | | Billing | ✗ | ✓ | ✗ | ✗ | | Practice Admin | ✗ | Limited | ✗ | ✗ |

Rationale:

  • Full clinical documentation
  • Can schedule and manage own appointments
  • Full patient record access
  • Can order lab work
  • Read-only billing (for reference)
  • Limited admin access

Dental Hygienist

Category: Practitioner

Typical permissions:

| Workflow Group | Create | Read | Update | Delete | |---------------|--------|------|--------|--------| | Appointments | Limited | ✓ | Limited | ✗ | | Patients | ✗ | ✓ | Limited | ✗ | | Clinical & Diagnostics | ✓ | ✓ | ✓ | Limited | | Lab & Appliances | ✗ | ✓ | ✗ | ✗ | | Patient Communication | ✓ | ✓ | ✓ | ✗ | | Billing | ✗ | Limited | ✗ | ✗ |

Rationale:

  • Can document cleanings and hygiene procedures
  • Full patient record read access
  • Can create recalls for follow-ups
  • Limited appointment management (book hygiene visits)
  • No lab orders (typically dentist-only)

Office Manager

Category: Admin

Typical permissions:

| Workflow Group | Create | Read | Update | Delete | |---------------|--------|------|--------|--------| | Appointments | ✓ | ✓ | ✓ | ✓ | | Patients | ✓ | ✓ | ✓ | ✓ | | Clinical & Diagnostics | ✗ | ✓ | ✗ | ✗ | | Billing | ✓ | ✓ | ✓ | Limited | | Practice Admin | ✓ | ✓ | ✓ | Limited | | Team & Role Management | Limited | ✓ | Limited | ✗ |

Rationale:

  • Oversees operations
  • Can configure practice settings
  • Manages schedules and closures
  • Full billing access
  • Can view (not necessarily edit) clinical records
  • Limited user/role management (may vary)

Billing Coordinator

Category: Admin

Typical permissions:

| Workflow Group | Create | Read | Update | Delete | |---------------|--------|------|--------|--------| | Appointments | ✗ | ✓ | ✗ | ✗ | | Patients | ✗ | ✓ | Limited | ✗ | | Clinical & Diagnostics | ✗ | ✓ | ✗ | ✗ | | Billing | ✓ | ✓ | ✓ | Limited | | Reports | ✗ | ✓ | ✗ | ✗ |

Rationale:

  • Focused on financial operations
  • Can view patient/appointment info for billing context
  • Can view clinical procedures for coding
  • Full billing control
  • No scheduling or clinical modification

Permission Best Practices

Principle of Least Privilege

Rule: Grant only the minimum permissions needed to perform job duties.

Why:

  • Reduces risk of accidental data changes
  • Protects sensitive patient information
  • Simplifies training (fewer options to learn)
  • Improves compliance (audit trails are clearer)

Example:

  • Receptionist needs 
    patients:read
    to look up records
  • Receptionist probably doesn't need 
    patients:delete
  • Dentist needs 
    charting:update
    to document treatment
  • Dentist doesn't need 
    roles:update
    to manage permissions

Regular Permission Reviews

Frequency: Quarterly or when staff roles change

Review process:

  1. List all active roles
  2. For each role:
    • Who has this role?
    • What are their actual job duties?
    • Do permissions match duties?
    • Are there unused permissions?
  3. Adjust as needed
  4. Document changes

Triggers for review:

  • Staff member changes positions
  • New workflow or feature adopted
  • Compliance audit findings
  • Security incident or concern

Separation of Duties

Concept: Divide critical functions among multiple people

Examples:

  • Billing: One person enters charges, another approves invoices
  • Patient records: Clinical staff document, admin staff handle demographics
  • System admin: One person manages users, another manages roles

In Zermmi:

  • Create separate roles for different functions
  • Don't give 
    *:delete
    permissions widely
  • Restrict 
    practice_settings:update
    to specific managers
  • Limit 
    roles:update
    to system administrators only

Testing New Roles

Before deploying:

  1. Create test user account
  2. Assign new role to test user
  3. Log in as test user
  4. Walk through typical workflows
  5. Verify access is as expected
  6. Adjust permissions if needed
  7. Deploy to real users

Common issues caught in testing:

  • Missing read permission (can't see data at all)
  • Update without read (can save but can't view)
  • Delete without update (dangerous, usually unintended)

Troubleshooting

"Cannot create role with duplicate name"

Cause: Role name already exists in this practice Solution: Use a unique name. Try adding location, seniority, or specialty (e.g., "Dentist - Downtown", "Senior Dentist")

"Cannot delete role: users are assigned"

Cause: One or more users currently have this role Solution:

  1. Check "Assigned Users" count in role detail view
  2. Navigate to Team Hub
  3. Reassign those users to a different role
  4. Return to Roles tab and try delete again

"Edit button is missing"

Cause: You're viewing a global role (read-only) Solution: Click Customize for this practice to create an editable copy

"Changes not taking effect for users"

Possible causes:

  1. Users haven't refreshed their session (still using cached permissions)
  2. Wrong role was edited (check assigned roles in Team Hub)
  3. Other role assignment is granting permission (users with multiple roles)

Solutions:

  1. Ask affected users to log out and back in
  2. Verify role assignment in Team Hub
  3. Check all roles assigned to user for conflicting permissions

"User can access more than expected"

Cause: User has multiple roles with overlapping permissions Solution:

  • Permissions are additive (any role granting access = user has access)
  • Review all roles assigned to that user
  • Consolidate into a single role if possible
  • Remove unnecessary role assignments

"User can't access expected feature"

Cause: Missing permission in assigned role Solution:

  1. Identify which permission controls that feature
  2. Check user's assigned role(s)
  3. Add missing permission to role
  4. User may need to refresh session

Security Considerations

Sensitive Permissions

High-risk permissions to control carefully:

| Permission | Risk | Who Should Have | |-----------|------|----------------| | 

users:create/update/delete
| Can add/remove staff access | Admins only | | 
roles:update
| Can grant themselves more permissions | Admins only | | 
practice_settings:update
| Can change critical config | Managers/admins only | | 
billing:update
| Can alter financial records | Billing staff + managers | | 
patients:delete
| Permanent data loss | Very limited or none | | 
audit_logs:read
| Can see all system activity | Admins + compliance officers |

Audit Trail

What's logged:

  • Role creation, modification, deletion
  • Permission changes
  • User-role assignments
  • Role-based access attempts (successful and denied)

Accessing logs:

  • Requires 
    audit_logs:read
    permission
  • Navigate to audit log section (if available in your version)
  • Filter by date, user, action type

Use for:

  • Compliance reporting
  • Security investigations
  • Troubleshooting permission issues
  • Change tracking

Compliance (HIPAA, GDPR, etc.)

Role management helps compliance:

  • Access control: Limit PHI/PII to those who need it
  • Audit trails: Document who accessed what data
  • Least privilege: Minimize risk surface
  • Separation of duties: Prevent insider threats

Best practices:

  • Document role definitions and permission rationale
  • Review access quarterly
  • Remove access immediately when staff leave
  • Maintain logs for required retention period (varies by regulation)

Related Documentation

Quick Reference

Role Creation Workflow

  1. Decide role name and category
  2. Choose starting point (global template or from scratch)
  3. Define permissions across 8 workflow groups
  4. Save role
  5. Assign to users in Team Hub
  6. Test with test user
  7. Deploy to real users

Permission Grant Checklist

Ask for each permission:

  • [ ] Is this needed for the job?
  • [ ] Is read-only sufficient, or do they need create/update/delete?
  • [ ] Does this grant access to sensitive data?
  • [ ] Have we documented why this permission is granted?
  • [ ] When should we review this again?

Common Role Templates

  • Receptionist: Appointments, Patients, Communication (full); Billing (limited); Clinical (read-only)
  • Dentist: Clinical (full); Patients (full); Appointments (full); Billing (read-only)
  • Hygienist: Clinical (limited); Patients (read); Communication (full); Appointments (limited)
  • Office Manager: Appointments, Patients, Billing, Practice Admin (full); Team Management (limited)
  • Billing: Billing (full); Patients, Appointments, Clinical (read-only for context)