The majority of users of Church Secretary for Windows 2021 are single users of the program, meaning they do not have the program shared on a Local Area Network (LAN) and they do all the work themselves. If you fit in that category you do not need to be concerned with Roles or Users or Security.  You can just login as Admin (or an account you created after installation that is also an Administrator account) and do all functions in the program.

However, if you are using the program on a LAN you may have users you want to have limited permissions, or you may want someone else to be able to login to your computer while you work on other tasks.  You may have someone you only want to be able to Add or Update Attendance records.  Or you may have someone you want to update the Church Library or Prayer List.  This may be a temporary volunteer and you don't want that person to be able to view member data like contributions, pledge amounts and so on.  For that reason I have provided a few roles with limited permissions.  You as administrator can create additional roles and set permissions for these roles or modify permissions for other roles.

The list below shows the Roles provided by default.  NOTE:  The Can Edit Model box is not checked for the Administrators Role, but the Is Administrative box is checked.  An Administrator account can by default Edit the Model.  I recommend not giving the Can Edit Model permission to anyone.  In fact, that option is so powerful I recommend you not Edit the Model unless you really need to - and have a backup of the Model file just in case.

Next let's look at the Prayer Warrior role.  This is a very limited Role and users assigned to this role have very few options.  I have only created one user and Linked it to this role.  That user name is set as "Pray" and no password has been set.  The account has Change Password On Next Login unchecked and Is Active checked.  If the Is Active box were not checked nobody could login with that account.  The Default Permission Policy is Deny all by Default.

A user can login with the User name of Pray and no password.

The next two tabs have to do with which screens or views the user can Navigate to (what is shown on the menu) and what permissions the user will have or not have for each type of Data.  The type of data this user is going to deal with is just Prayers.

Click on the Row to Edit as below.  You can say whether a person in the role can Read, Write, Create or Delete.  In the Member Permissions area you can select the items in the table and whether or not the role can Read or Write the Items and you can set criteria using the Filter Editor to set conditions for the permissions.

To Edit Navigation permissions just choose the item from the Drop Down list and select either Allow or Deny from the Navigate drop down.

The only menu this user will be able to see is the Prayer list.  I denied all by default so I did not have to specifically Deny Navigation permission for Contributions, Attendance and so on.

Next consider the permissions for the Data Type.  We want users in this role to be able to do anything with the Prayers data - Read, Write (edit), Create and even Delete.  So for the Prayers Data Type we set it as below.

The screen to set Data Type permissions is shown below.

Each Data Type (table) has Members (fields) and so we can specify the permissions for any and all items in the table. I can also set a Criteria so that permission can be allowed based on a certain condition.

Let's now login as the user named Prayer. Notice the Menu Navigation is limited to Prayer List.  Note that the tool bar does show the Show In Report button.  There are reports based on the Prayers data type and they are set as In Place Reports so the user in this role does not need to have Reports in the Navigation menu.  They can select the Prayers in the Grid and click the Show in Report button to show a report for those records.

Now let's look at another provided role, the Library role with a single user named Library as well.  For this role I have given them permission to see reports, and they can even modify the reports.  However, notice they only see reports that are related to the job of Librarian.  Read on to see how I did that and you can set up the Prayer role the same way if you like.

The trick to limiting the reports list is by using a criteria.  First we deny read and write permissions to the Reports at the higher level, but then grant the access at a lower level.

First we set up Navigation permissions.

Next we set up Type Permissions.

Notice for items like Reports I Denied the Read Permission even though I had Allowed Navigation.  Unlike Navigation of a File or Data Type, the Reports Navigation item contains Reports for all the data types.  So in order to limit the Librarian role members to only viewing Library reports I deny Read at the higher level but Allow it at the lower level based on a "Criteria".

Next I set Member permissions to Allow if the Report Data Type Contains the text "Lib".  This way those with the Library permission can view reports for both the Library Items and Library Loans.

This next screen shows the result of the permissions I set for the Librarian role.
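
The layering described above (deny all by default, deny Read on Reports as a whole, then allow individual reports through a criteria) can be checked with a small model. This is an added example, not Church Secretary's own code; the class, the data type names and the sample reports are assumptions, and "Contains" is modelled as a case-sensitive substring match.

```python
# Simplified model of the layered permissions described above (added example,
# not the program's code). All names and sample records are constructed.
from dataclasses import dataclass, field

@dataclass
class Role:
    name: str
    navigation: set = field(default_factory=set)   # menu items set to Allow
    type_read: dict = field(default_factory=dict)  # data type -> Read allowed?
    criteria: dict = field(default_factory=dict)   # data type -> predicate granting Read

    def can_navigate(self, item):
        # Deny all by default: anything not explicitly allowed stays hidden.
        return item in self.navigation

    def can_read(self, data_type, record=None):
        # Lower-level grant: a matching criteria allows this one record
        # even though Read is denied for the type as a whole.
        rule = self.criteria.get(data_type)
        if record is not None and rule is not None and rule(record):
            return True
        return self.type_read.get(data_type, False)

    def visible(self, data_type, records):
        return [r["name"] for r in records if self.can_read(data_type, r)]

REPORTS = [  # constructed sample reports
    {"name": "Items On Loan", "data_type": "LibraryLoan"},
    {"name": "Library Catalog", "data_type": "LibraryItem"},
    {"name": "Giving Statement", "data_type": "Contribution"},
    {"name": "Prayer Requests", "data_type": "Prayer"},
]

librarian = Role(
    name="Library",
    navigation={"Library Items", "Library Loans", "Reports"},
    type_read={"LibraryItem": True, "LibraryLoan": True, "Reports": False},
    criteria={"Reports": lambda r: "Lib" in r["data_type"]},
)
prayer = Role(name="Prayer Warrior", navigation={"Prayer List"},
              type_read={"Prayer": True})

if __name__ == "__main__":
    print(librarian.visible("Reports", REPORTS))  # only the two Library reports
    print(prayer.can_navigate("Reports"), prayer.visible("Reports", REPORTS))
```

Because the criteria is a substring match, any report whose data type name contains "Lib" becomes visible to the role, so check new data type names against it before relying on the filter.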