Admin Roles and Permissions

Understanding how permissions work is essential for maintaining data security while ensuring your team has the tools they need. In Finalsite Enrollment, access is determined by a user’s account type combined with their granular permissions. Admin accounts can be created and edited on your Admin Portal Accounts page (Settings > Portal > Admin Portal Accounts).

Account Types

Every admin user is assigned one of the following account types. This sets their baseline access level to the system and settings.

Type	Access Level	Key Restrictions & Notes
System Admin	Full Access: Complete control over all student data and all backend system settings.	Only role that can manage other admin accounts, permissions, and financial payment/dispute settings. Recommended limit: 3 per school.
Admin	Power User: Access to all student data and most settings pages.	Cannot manage other admin accounts or high-level system configurations (OAuth/MFA).
User	Standard Access: Access to all student records and basic tools.	No access to the Settings menu. Cannot delete contact records.
Limited User	Restricted Access: View-only or task-specific access based on assigned modules.	Can only see specific students (Counselors) or assigned applications (Readers). No access to other system pages.

System Admin

The System Admin is the highest level of access and should be granted sparingly.

Exclusive controls: This is the only account type capable of creating/updating other admin accounts and managing system permissions.
Financial & privacy management: Only System Admins can access the Payments and Disputes pages (Settings > Financial) and manage sensitive data retention settings for reviews and checklists.
Best practice: To maintain high security, we recommend limiting your school to no more than three System Admin accounts.

Admin

Admin accounts are designed for power users who manage day-to-day operations and configurations.

Broad access: Admins have access to all system pages and fields, including the Settings menu.
Permission-based: While they have broad access by default, their visibility can still be restricted using the granular permissions (e.g., Financial or Medical) listed below.

User

User accounts are ideal for staff members who need to manage student data but should not be altering system-wide configurations.

Settings restriction: Users can access all standard functional pages, but cannot access the Settings menu.
Data protection: For security reasons, User accounts cannot delete contacts from the system.
Online review: If your school uses the Online Review module, Users have specific limitations; please refer to our “Reader Permissions” article for more details.

Limited User

This role is specifically designed for external contributors or staff with a very narrow scope of work.

Reader access: When assigned the Reader permission, these users can only access the Review Module to evaluate candidates assigned to them. They cannot see other reviewers' feedback or access any other part of the system.
Counselor access: When assigned the Counselor permission, these users can only see their assigned students. They can update checklists and view activity for those specific records but are blocked from viewing the rest of the student body.

Permissions

Permissions control which fields and pages the admin/user can view throughout the system.

Important Notes on How Permissions Work

Permissions in Finalsite Enrollment do not necessarily "hide" a student record from existence; rather, they control what data is visible within that record.

Student contact records: If an admin lacks Enrollment permissions, they can still find a student via search. However, they will not see the Enrollment tab, enrollment-specific field groupings, or uploaded enrollment forms.
Search & Reports: Admins can pull lists of all contacts, but they cannot add columns or filter by fields they do not have permission to view.
Granular item permissions: You can further restrict access within Email Templates and Checklist Items to control who can view or edit specific items.

Granular Permission Definitions

Assign these specific permissions to customize a user's access to different modules.

Permission	Description & Capabilities
Admissions	Manage admissions data, prospect lists, applications, and checklists. Admins/System Admins can access admissions settings.
Enrollment	Access enrollment lists, checklists, and contact record data. Admins/System Admins can manage enrollment settings. Access to tuition/fees requires Financial permissions.
Scheduling	Access the Scheduling tab to manage calendars and appointment slots. Admins/System Admins can create new calendars.
Communication	Enables sending emails and text messages. Without this, users are limited to letter/label templates and password reset emails (admins only).
Medical	View sensitive medical data and notes. Requires Enrollment permissions to view this data on contact records.
Secure	Access highly sensitive data (e.g., SSNs) and related secure notes, activities, or emails.
Financial	Access tuition/fees, contracts, and billing tools (if the Billing module is enabled). Admins/System Admins can manage financial settings, and Users can view financial data on contact records.
Data	Manage ID fields, contact layouts, custom statuses, data imports/exports, and system configurations.
Reader	Participate in the application review process within the Review Module. Admins see all reviews; Users and Limited Users see only assigned reviews. Enables daily review summary emails, which can be disabled under User Notifications.
Counselor	Allows assigned counselors to assist with checklist completion and uploads for their specific students. To ensure proper access control, Counselors should be set up as Limited Users* with only the Counselor granular permission enabled.*
Impersonate	Allows admins to view the Parent Portal exactly as a parent would for troubleshooting.

Permission Groups and Explorers

Managing permissions for a large team can be streamlined using the following tools:

Permission Groups

Instead of checking individual boxes for every new hire, System Admins can create pre-defined groups (e.g., Finance Office or Admissions Team) under Settings > Portal > Admin Permission Groups. When creating a new account, simply assign the user to a group to apply all relevant permissions instantly.

Learn more about Admin Permission Groups in the following articles:

Admin Permission Groups (This article is for independent schools that are not part of a multi-site group such as Supersites and Subsites within a District or Diocese.)
Managing Admin Permissions Across Multiple Sites (This article is for schools that are part of a multi-site group such as Supersites and Subsites within a District or Diocese.)
Managing Admin Permission Groups: Creating New Groups and Adding Users to Them (This article is for everyone, whether you are managing a single school or are part of a larger group of schools.)

Permissions Explorer

The Permissions Explorer is a downloadable tool (Excel or Google Sheets) that allows you to simulate different account and permission levels to see exactly what a user would see on their screen.