Four-eye control on User Privileges

Created by Erik Åkerlund, Modified on Mon, 20 Feb 2023 at 02:28 PM by Erik Åkerlund

This article covers the fundamentals of four-eye control on user privileges.

Here's how it works:

New Roles

“Create User” - a user with this Role can create a new user, change user roles and menu privileges.

“Approve User” - Approve new users and changes made on users.


You can never approve your own changes so there has to be two persons involved.

New Button

In the view User Identities tab User detail there is two new buttons.

The button "Approve User" is used to approve a new user and other changes made on the user in the User detail tab.

The other button will show either “View Privileges” or “Not Approved privileges exists”. This button will take you to the tab Approve/View privileges.

New Tab 

Summary of privileges and privileges that should be approved. Default the view shows all privileges that needs to be approved. The search functionality works the same way as in the rest of the system. The function key F7 and F8.


Normal Case
Create user will update or create a new user. The button “View Privileges” will change to “Not Approved privileges exists”. When the user presses the button the user will be directed to the tab Approve/View privileges.

In that tab you will see:

  • User id - the user id or profile that has been altered
  • Application - if it is a Role that has been altered or in which Application the Menu privileges has been added/ changed.
  • Menu -which menu that has been affected, empty if it is a Role
  • Form- the view that has been affected
  • Security- Read if it is a read only privilege or update if it is update allowed. Empty if it is a Role.
  • Status- Not approved if it has not been approved. Approve if it has been approved.
  • Change Id - Who has done the changes
  • Change Date - When the changes have been done
  • Approve id - Who has approved
  • Approve Date - When it was approved

The user that has the role Approve user can chose to approve all changes. Approve one by one by changing the status from Not Approve to Approve and press save.

Note that a user with both roles can never approve their own changes.

As default the Approve/View privileges tab shows all not approved privileges. By using the search functions F7 you can search in all the different fields and get an overview. For example, all the roles and menus for a certain user if they are approved or not.

If you would like to have a list of all privileges use the print icon and you get a list in Excel.

Special case
First time in a new database; CRM needs to give appointed users the create- and approve roles.

If the password will be changed the user will change status to Not Approved. The user must be approved.

Email address
If the email address is changed the User id will change status to not approved. The new email address must be approved.

Was this article helpful?

That’s Great!

Thank you for your feedback

Sorry! We couldn't be helpful

Thank you for your feedback

Let us know how can we improve this article!

Select atleast one of the reasons

Feedback sent

We appreciate your effort and will try to fix the article