KAOS uses role based access controls to determine what people can or cannot do in the application. These roles are associated with active directory groups (specifically in the ad.EC domain) managed through NetAccount.
The active directory groups are in the sit domain (ie. in NetAccount they can be found in sit.auckland.ac.nz), and comprise a mixture of automatic and manual provisioning.
SITFMAdmin.sitFull access -manage database, user access, scripts, schedules, etc
This group is intended for people who run the system itself.
Full access to end user functions -create and delete records, modify content
These groups are for department managers (or equivalent), finance staff and PCard holders respectively. They all enjoy the same level of access, which is pretty broad -these are the power users of the system.
Data entry and some ability to delete.