# Configuring User Role Constraints

This feature supports large or global implementations of Dynamic Access Control, specifically where an organization wants to delegate maintenance of User Role Setup records to local users. In organizations without this setup, we recommend using [Dynamic Access Control](/en/lr/33946/) and Matching Sharing Rules without User Role Constraints.

User role constraints are a way to prevent accidentally assigning a user an incorrect role on a document or object. The _User Role Constraint_ object restricts role assignments by defining a list of roles allowed for a user. Users are allowed, but not automatically assigned, these roles.

## How to Enable User Role Constraints

The User Role Constraints feature can be enabled in one of two ways, depending on the scope in which you need to use it:

* The **Enable user role constraints** setting in **Admin > Settings > Security Settings** turns this feature on for the whole Vault. As of the 20R3.5 release, if this setting is disabled in your Vault, you will not be able to re-enable it. Any future enablement for the User Role Constraints feature must be performed with the _Enforce Role Constraints field_ as described below.
* To enable User Role Constraints on a role-by-role basis, set the _Enforce Role Constraints_ field value to _Yes_ on each relevant _Application Role_ record. Note that you cannot set this field to _Yes_ if there are [active _User Role_ records](/en/lr/69197/) for the _Application Role_.

Once enabled, no users will be able to create _User Role Setup_ records for an application role until _User Role Constraint_ records exist for that application role.

## How to Configure User Role Constraints {#Configuring-a-User-Role-Constraint}

  1. Navigate to **Business Admin > Objects > User Role Constraints**.
  2. Click **Create**.
  3. Select a **User** and a **Role** that the user is allowed.
  4. Click **Save**.
  5. You will need to create additional records for each allowable user and role combination.

## Impact on the User Role Setup Object

After creating a _User Role Constraint_ record, you can only save _User Role Setup_ records that have user/role combinations included in _User Role Constraint_ records. If a role or user is invalid, you will receive an "Error saving 'User Role Setup'" error. This error means that this user/role combination is not allowed by the _User Role Constraint(s)_ related to that user.

### Deleting a _User Role Constraint_

If a _User Role Constraint_ record is deleted, any _User Role Setup_ record with the same user and role combination is set to _Inactive_.