System Permissions
  • 25 Apr 2024
  • 16 minute read
  • Dark
  • PDF

System Permissions

  • Dark
  • PDF

Article Summary

Authored by Carnegie, powered by Underscore

The term “system permissions” refers to the levels of access and control for Slate features and functions. These permissions are granted to your users based on their roles and responsibilities throughout the organization, but the permissions can be customized to suit the needs of different user groups, and they can be updated as needed to reflect changes in organizational structure or business requirements.

Overall Recommendations

  • Be Conservative. Keep permissions conservative and use more granular permission settings in the modules themselves (granting permissions on event templates, deliver templates, tabs, queries, and so on).

  • Documentation. As you start grants permissions at a more granular level, keep an ongoing document of where these permissions have been added. Slate does not have a way to query where permissions have been granted, so it may be easy to lose track without documenting the changes. You can however, query the users who have certain permissions, roles, and realms.

  • Consolidate. Consolidate program-specific custom permissions and use population permissions instead.

  • Avoid the “edit all users" setting. Non power users should not be granted a permission with the “(edit all users)” feature included. Remove these permissions in favor of the similar permission setting that does not include “(edit all users).”

Permission Descriptions



Active Scheduler Administrator

Enables creating and editing active scheduler blocks for other users.

  • Recommendation: Give access to the event coordinator or manager of active scheduler users to permit schedule adjustments should someone be out-of-office or cannot access Slate.

Application Decide

Enables adding, confirming, assigning letters, and releasing decisions individually from the application record. Also grants access to Decision Management if the user has read access for a query.

  • Must have access to application lookup. Allows for individual decisioning or decisioning through the query tool.

  • Recommendation: Use rules as much as possible to add initial decisions and use the Release Decisions tool (and permission) to release decisions in bulk.

Application Decisions (View)

Enables the user to see decisions and the decision section on an applicant’s record. If given query access, decisions can still be queried.

Application Lookup

Enables read access to view all data on an application tab on the student record.

  • This permission allows a user to view the entire person record as well, even if there is no application record. However, they would not have access to the person query base unless specifically given to them in the query permissions.

Application Lookup (Active Period Only)

Grants read access to view all data on an application tab on the student record if the application is associated with an active application period.

  • This permission allows a user to view the person record ONLY if an application record exists in an active period.

Application Review Forms

Grants access to view an application's submitted review forms.

  • This allows you to see the completed review forms on an applicant’s application record. However, if the review forms have been added to a reader tab group, then they can be viewed there if a user has reader access.

Application Update

Grants write access to application data, including updating the application round, application scoped fields, submission status, activities, and checklist items.

  • This is a powerful permission. It enables deleting apps, cloning apps, changing rounds, and more. This permission also enables users to add checklists and materials directly from an applicant’s record.

  • If materials need to be added, a user can do so with the Person Update permission (see UN for cautions with person update permission) or through the Batch Acquire tool.

  • If custom app fields need to be edited, they can be edited through forms and custom tabs.

  • This permission also enables access to the “Edit Bin/Queue” functionality in Workflows.

Audit Log

Grants access to view the Audit Log for a person record.

  • A great tool that enables users to see all activity history on a record. It’s not necessary for everyone to have access.

Batch Acquire

Grants access to upload documents and associate them with a record within Batch Acquire.

  • Due to the additional training required to add materials appropriately, this permission should be given to only the few people who will be processing documents.

Bin Management

Grants access to the Bin Management tool to batch assign reader bins and queues for applications included in a query. The user must also have read access to the query.

  • A user with this permission can perform the following:

    • Move an application to different bins

    • Clear bins

    • Assign users from the query tool

    • Edit workflow tool in the reader

Consolidate Records

Grants full access to the Consolidate Records tool, including the compare tool and the ability to merge records that appear as potential matches.

  • This permission should only be given to a couple of individuals who are very detail oriented.

  • Since duplicate applications cannot be merged through the Consolidate Records tool, this user should also have Application Update permissions to allow deleting the duplicate app, or you should have a process in place where an admin is notified of duplicate applications to be deleted.

Custom SQL

Grants the ability to view and edit the SQL tab in the Form Builder, to create and edit custom SQL queries, and to create and edit individual custom SQL exports and filters in the Query Builder tool.

Custom SQL is not necessary to use Slate. The use of custom SQL is discouraged. Slate has evolved to empower users with self-service tools that require zero knowledge of SQL. This permissions should only be given to advanced users who are comfortable with SQL.


Enables access to all Database items, Ping, Decision Letters, Application Editor, and Standard Query Library.

Dataset Lookup 

Grants read access to dataset record data.

  • Permits searching records in different datasets.

  • For a user to search for a dataset record, the user must also have read permission for the associated query base. This will enable the user to search within the dataset using record lookup, and it will include records from the dataset in the search results using the global search bar.

Dataset Update 

Enables write access to dataset record data.

  • This permission should only be given to a select few users. Internal processes should be established for requesting new records to be added to a dataset.


Enables creating Deliver messages and editing Deliver messages associated with the user account. Grants access to the Email Gateway Inbox to view emails sent by this user.

  • Enables a user to create their own mailing. This does not permit the user to send mailings, or to view other users' mailings. The user must have the Query permission to create a recipient list.

  • Recommendation: Grant this permission to any user who should be able to create bulk emails but not necessarily have access to other mailings or be able to send them.

Deliver (edit all users)

Enables creating Deliver messages and editing any Deliver message, regardless of the user. Grants access to the SMS Inbox and the Email Gateway Inbox to view messages sent by any user.

  • Enables a user to access, view, and edit all users' mailings.

  • If a mailing is assigned to a Realm that a user does not have access to, the user will not have access to that mailing even if this permission is granted.

  • The user must have the Query or Query (edit all users) permission to create or edit recipient lists.

  • Most users do not need this permission. Grant this permission only to specific marketing and communications teams and admins.

  • The user must also have Deliver permission.

Deliver Content Blocks (previously called “Snippets”)

Enables creating and editing existing Mailing Content Blocks.

  • This is provides creation and edit access specifically. Limit this permission to specific marketing and communications teams and admins. All users can use the content blocks created.

Deliver Outbox

Enables placing a Deliver message in the Outbox.

  • Recommendation: Use this permission or use the Ready for Review status.

  • Users without Deliver Send permission can send emails to Outbox or Ready for Review to be reviewed by an advanced user. The user with Deliver Send can then send the email or return it to the original user for further edits.

  • A user must have this permission and Deliver (Edit All Users) permission to access emails in Outbox to review.

Deliver Send

Send or stop Deliver messages.

  • Enables a user to send mailings.

  • This permission can be combined with Deliver or Deliver (edit all users) to for a user to send just their own mailing or to send other users' mailings.

  • When a message is marked as Ready for Review, the Send button is disabled for everyone, including users with the Deliver Send permission. The Ready for Review checkbox needs to be cleared to re-enable the Send button.

  • Recommendation: Grant this permission to marketing, communications, or admin staff, so that emails can be filtered and reviewed before sending in bulk.


Deprecated version of Deliver

Engage (All Access)

Deprecated version of Deliver


Enables creating, accessing, and editing events associated with the user account. (Note: this only applies to user1, and not user2)

  • Recommendation: Grant this permission to anyone who needs to access events and event lists.

  • Grant specific access to Event Templates to allow users to create events from a preapproved template. Users will also be able to view all events tied to that template.

  • If a user needs to edit events from a certain template, this permission can be granted at the template level. They will not have access to create their own templates.

Events (edit all users)

Enables creating, accessing, and editing any event, regardless of the user.

  • Grant this permission to users who will be making templates and who may need to create, adjust, or edit events for all other users.

  • Users with this permission must also have the Events permission.

Events (

Enables creating, accessing, and editing events.

  • Recommendation: Use this permission the same way regular Slate Events are permissioned.

File Editor

Grants access to the File Editor.

  • Because the entire database's branding and the base of the Slate applications are managed here and can be easily edited, the power of this permission should be given only to admins.

Financial Aid

Grants access to the Financial Aid checklist and the Financial Aid query folder.

  • Because very secure information can be included in Financial Aid details, this permission should be granted only to higher-level administrative staff and those who will be managing Financial Aid packages.


Enables creating, access, and editing forms associated with the user account.

  • Enables users to create any type of form.

  • Recommendation: Because forms are one of the primary methods of getting records and data into Slate, grant this permission conservatively.

  • If this permission is granted, a best practice is to create foundational form templates for users to build from, ensuring that all pertinent information is included on the form.

Forms (edit all users)

Enables creating, accessing, and editing forms, regardless of the user.

  • This permission should be granted to any super users and

Giving Lookup

Grants read access to the Giving tab. 

  • Slate for Advancement only.

Giving Update

Grants write access to the Giving tab. 

  • Slate for Advancement only.

Giving Update - Change Gifts

Enables editing a gift without requiring a reversal. 

  • Slate for Advancement only.

Giving Update - Opportunities

Enables creating and updating Opportunities. 

  • Slate for Advancement only.


Grants access to import files using Upload Dataset.

  • Recommendation: Grant this permission to data processing and admins or highly trained departmental staff.

  • If more users are to be granted this permission, use Source Formats to ensure that mappings are done correctly.


Grants access to Message Inbox.

  • To view messages in an Inbox group, a specific Inbox Role that will be assigned to the Inbox group must be created and granted to the user.

  • This permission also gives access to Inbox Snippets. However, without Inbox Snippets Admin permission, a user can only access their personal snippets, snippets that are shared with them, and signature to edit.

Inbox Live Configuration

Grants access to configuring a chat bot.

Inbox Snippets Admin

Grants admin access to Inbox Snippets.


Grants access to add and update Interactions on the Timeline tab of the person record.

  • This permission must be given for users to read interactions on a person’s timeline.

  • Permissions can be added to specific interactions that a user should be restricted from using.

Interviews (now known as Scheduler)

Enables creating interview slots and accessing and editing interviews associated with the user account.

  • Recommendation: Manage similarly to Events permissions.

Interviews (edit all users)

Enables creating interview slots and accessing and editing any interview, regardless of the user.

  • Recommendation: Manage similarly to Events permissions.

Manage Shared Views

Enables sharing custom views such as schools, jobs, and more.

  • Recommendation: Grant this permission only to administrators.

Payment History

Grants access to the Payment History page.

  • Allows users to see all Payment History recorded and transaction details in Slate.

  • If a user has access to the Slate Template Library (Legacy) Query base, they can query on the Payment History regardless of having this permission.

Payment Interactions

Grants write access to Payment activities and interactions.

  • Must have Application Update or Interaction permissions.

Payment Refund

Grants write access to Payment refunds.

  • Specific to Slate Payments only.

Person Impersonate

Enables impersonating an application record. Impersonation also requires the Application Update and Person Update permissions.

  • While this permission can be helpful to have, it can also enable making edits in an applicant’s application without having the ability to undo the edit. Therefore, this permission should only be given to a select few users.

Person Lookup

Grants read access to view a person record.

  • Gives access to the student record, but if Application Lookup permission is not granted, applications will not appear on a record.

Person Lookup (Active Only)

Grants read access to view a student record that is configured as Active.

  • It’s only possible to activate or inactivate a person record through rules, so unless you’re using this practice, this permission isn’t very useful. Inactivating person records could be a useful practice, though, so it may be worth considering and then giving most users this permission instead of the main Person Lookup permission.

Person Lookup (Unmask Test Optional Scores)

Grants read access to view a student record's optional test scores without masking.

  • If you’re using rules to set tests as Test Optional, this permission would be required to unmask and view masked tests on a person’s record. Test scores would still be visible in the reader if Test Scores were added to an application PDF or dashboard.

Person Update

Grants write access to person data, including the ability to update biographical data, interactions, and person-scoped fields.

  • Recommendation: This permission is very powerful. Carefully consider who is granted this permission.

  • Enables editing standard person-scoped fields such as school, tests (self-reported only), and interests. This permission also allows access to delete records, merge accounts, edit the Slate ID, and access other secure and sensitive information.

Person Update (Verified Scores) 

Grants write access to create and edit verified test scores.

  • Requires Person Update permission. Allows a user to add verified test scores directly onto the person record.



Portal Editor

Grants access to the Portal Editor.

  • This should be given to admin or users who are trained and experienced in portals.


Grants access to Project.

  • Enables creating projects and tasks. A user does not need this permission to have a task assigned to them.


Grants access to the Query module. Enables creating queries and running or editing queries associated with the user account.

  • Most users can have this tool enabled, but it’s a best practice to create useful shared queries to mitigate users pulling inaccurate data.

  • Consider setting permissions to custom fields that might hold sensitive data, otherwise the data would be available through the query tool.

Query (Configurable Joins - Base Access)

Grants access to using Configurable Joins Query Bases to start a query. Enabling the starting a query using Configurable Joins query bases can be granted in masse, or on a base-by-base basis. Bases to which a user has been granted access can also be used as the base of Independent Subqueries.

  • Query permission must also be explicitly granted to allow a user to access the Query tool.

  • Access can be given to individual query-bases. This might be recommended to prevent people from querying sensitive data (for example, the Payments base).

  • Recommendation: Train users heavily on Configurable Joins before allowing them to create their own CJ queries to ensure the most accurate data is being pulled and reported.

Query (Configurable Joins – Join Access)

Grants access to joining to the specified table within a Configurable Joins Query. Access to joining specific tables can be granted in masse, or on a table-by-table basis. Joins to which a user has been granted access can also be used as the base of Independent Sub-Queries.

  • Query (Configurable Joins - Base Access) permissions must be granted to start a query using a Configurable Joins Query Base.

  • Access can be given to individual joins.

  • If a user is given access to all joins, they will have access to all bases even if they do not have permission to all Configurable Joins – Bases. If a user is meant to have access to only certain bases, the Joins permissions should match.

Query (edit all users)

Enables creating, running, or editing any query, regardless of the user.

  • Recommendation: Grant this permission to admin and power users.

Query (Slate Template Library)

Grants access to Export and Filter resources in the Slate Template Library (Legacy) while using the Query Builder.

  • This provides access to the library bases. These bases might include sensitive information.

  • Recommendation: Do not grant this permission without clear processes and protocol in place.

Query (System Folder)

Grants access to queries in the System folder.

  • Recommendation: Grant this permission to only admins and super users. The System folder often contains queries that are used across the entire database, such a Merge Public query or Person Custom Dashboards.


Grants access to the Reader.

  • All applicant reviewers should have access to the reader.

  • Granular permissions can be added through bin configurations and population permissions.

  • If users with the Reader permission do not have access to an Enable Reader query base, then the user will still be unable to view any applications within the Reader.

Reader Classify

Grants access to Classify in the Reader.

  • Requires Reader permission.

  • Allows a user to move applications to a bin in a
    “holding pattern.” This is not a commonly used feature, and granting this permission is not recommended.

Record Lookup

Grants access to specific datasets within the Record tool. With the checkbox for Record Lookup cleared, an Expand Permissions link appears. Clicking the link opens a list of all datasets for individual selection.

Reference Impersonate

Enables accessing a recommendation form from the student’s record.

  • Recommendation: Give access to the same users with Person Impersonate.

Relationship Lookup

Enables viewing relationship data on a person record.

  • Unless there’s a university policy in place, there’s no real harm in giving this permission to users to permit viewing a student’s relationships.

Relationship Update

Grants write access to create and edit relationship data on a person record.

  • Grant this permission similarly to Person or Application update.

Release Decisions

Grants access to the Release Decisions module, including the ability to confirm decisions, assign letters, and release decisions in batch.

  • The release decision tool can be accessed without the Application Decide permission. This is recommended for Decision Processors.

  • Recommendation: Grant a couple of users who are well-trained and detail oriented.

Research (Edit Configurations)

Enables editing research configurations.

Research (Edit Data)

Enables editing research data.

Research (Edit Verified Data)

Enables editing verified research data.

Research (View Data)

Enables editing research view data.

Retention Policy Editor

Grants access to the retention policy editor.

  • This powerful tool should be granted only to admins.

Retention Policy Editor - Edit All

Grants access to edit all policies in the retention policy editor.

  • This will grant access to edit other users’ retention policies.

Retention Policy Editor - Execute All

Enables executing all policies in the retention policy editor.

  • This will grant access to execute (thus run and delete rows) any users’ retention policies.

Rules Editor

Grants access to the Rules Editor.

  • Recommendation: Grant this permission only to admins
    and super users.

School Official Impersonate

Grant access to school official impersonation for population-based application permissions.

Service Desk Forums

View the Technolutions Knowledge Base and Community Forums.

  • Recommendation: Grant this permission to all

  • 99.9% of the Knowledge base is publicly accessible.

Service Desk Requests

Enables viewing service desk requests associated with your institution.

  • Grants users access to view the service desk requests that have already been submitted.

Slate Scholar Content

Grants access to customize Slate Scholar content (the lightbulb on the top right corner of most pages). This could be particularly helpful to create documentation for users to review while on specific pages of your database.


Grants access to the Slate Voice Switchboard.

  • Switchboard provides a live overview of all active calls taking place and a list of recent calls. It also lets a user provide audio feedback to the Slate user on the call or take control of the call outright. This permission should be granted to directors or managers who are overseeing calling campaigns.

Workflow Editor

Grants access to the Workflow Editor, which is the all-in-one Reader build tool.

  • This should be given only to admins or super users.

About the Author: Carnegie

For more than 30 years, Carnegie has been a leader and innovator in higher education marketing and enrollment strategy, offering groundbreaking services in Research, Strategy, Digital Marketing, Lead Generation, Slate Optimization, Student Search, Website Development, Financial Aid Optimization and Creative that generate authentic connections. We connect colleges with students through the power of human connection by measuring and then marketing to a student’s unique behaviors and motivators.

Our Slate Optimization team, powered by Underscore, saw the industry need and met it. Now we’re transforming the higher education landscape by leveraging the power of Slate. From custom admissions, student success, and advancement implementations and in-house Student Search to dynamic portals and tailored trainings, our market-leading expertise makes us the Gold Standard in Slate Optimization.

Was this article helpful?