User access to the various modules and solutions in the system can be controlled through privileges, such as Access the XYZ Module, where "XYZ" stands for any module (Risk, for example). By default, certain profiles are granted permission in these privileges. For example, the Organization Module Users profile receives permission in the Access the Organization Module privilege. Thus, any person or group of people in the organization that is included in the Organization Module Users profile may access the module.
Because permissions to access system modules and solutions cannot be granted directly through roles, each user assigned to a role in the "XYZ" module also needs to be included in a profile that gives them permission to access it; otherwise, they will not be able to access it and perform their assigned tasks therein. For example, if John is assigned as leader of a risk project, he must be included in a profile with permission to the Access the Risk Module privilege, or he will not be able to access the module and perform the tasks associated with his role.
It is important to note that if permission to the Access the XYZ Module privilege is revoked, or if a user is removed from a profile containing permission to the privilege, they will be able to access neither the module nor its features, even if they have explicit permission to other privileges in the module. The privilege to access a module takes precedence over other, more granular privileges, meaning that removing a user from the XYZ Module Users profile is a quick and simple way to block that user's access to the XYZ module, if necessary. Note, however, that the user may continue to inherit the privilege to access the module if they are still included in other profiles with the same permission, given that permissions are inherited cumulatively.
Generally speaking, the Access the XYZ Module privilege allows the homepage of the module to be viewed and its functionalities to be browsed until explicit permission to a certain functionality is required. Access to the module's functionalities will then only be allowed if the user has explicit permission to them.
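The rules above can be checked mechanically when reviewing access. The following is an added example, not code from the product: it models cumulative profile inheritance and the module-access gate, then lists role holders who lack module access and the profiles that must all be removed to block a user. The users, the "Risk Auditors" and "Project Editors" profiles, the "Edit Risk Projects" privilege and the "Project Leader" role are constructed sample data.

```python
from dataclasses import dataclass

def access_priv(module):
    return f"Access the {module} Module"

@dataclass
class Directory:
    profile_privs: dict     # profile name -> set of privileges it grants
    memberships: dict       # user -> set of profile names
    role_assignments: list  # (user, module, role); roles grant no module access

    def privileges(self, user):
        # Permissions are inherited cumulatively from every profile.
        privs = set()
        for profile in self.memberships.get(user, set()):
            privs |= self.profile_privs.get(profile, set())
        return privs

    def can_access_module(self, user, module):
        return access_priv(module) in self.privileges(user)

    def can_use(self, user, module, privilege):
        # The module-access privilege gates every granular privilege.
        return self.can_access_module(user, module) and privilege in self.privileges(user)

    def roles_without_access(self):
        # Role holders who cannot open the module their role belongs to.
        return [(u, m, r) for u, m, r in self.role_assignments
                if not self.can_access_module(u, m)]

    def granting_profiles(self, user, module):
        # Every profile listed here must be removed to block module access.
        return sorted(p for p in self.memberships.get(user, set())
                      if access_priv(module) in self.profile_privs.get(p, set()))

def sample():
    # Constructed data: only "Risk Module Users" follows the page's naming.
    return Directory(
        profile_privs={
            "Risk Module Users": {access_priv("Risk")},
            "Risk Auditors": {access_priv("Risk"), "Edit Risk Projects"},
            "Project Editors": {"Edit Risk Projects"},
        },
        memberships={"john": {"Project Editors"},
                     "mary": {"Risk Module Users", "Risk Auditors"}},
        role_assignments=[("john", "Risk", "Project Leader"),
                          ("mary", "Risk", "Project Leader")],
    )

if __name__ == "__main__":
    d = sample()
    print(d.roles_without_access())
    print(d.granting_profiles("mary", "Risk"))
```

In this sample, john holds a role and an explicit granular privilege but is still locked out of the module, while mary keeps access after being removed from Risk Module Users because Risk Auditors grants the same privilege.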