Role-Based Access Control (RBAC)
Role-Based Access Control (RBAC) is the system used to manage what users can see and do within the platform. Its primary purpose is to ensure users only have access to the information and tools necessary for their roles, enhancing security and simplifying user management.
Think of it like a modern office keycard system. Your job title (your Role) determines which doors (the Resources) your keycard (your Permissions) can open.
Here is how our pre-existing roles work as an example:
- The default Admin role is designed for full access. To achieve this, it must be granted a separate Permission for every available resource in the system (e.g., participants.*, journeys.*, webhooks.*, etc.).
  - Result: Users assigned the Admin role have unrestricted access to every feature, all data, and every configuration setting across the entire platform.
- The default Coach role is pre-configured for typical coaching duties. It has Permissions that grant it access to essential resources like participants.*, journeys.*, and groups.*.
  - It is deliberately not given permissions for advanced configuration resources like webhooks.* or extras.*.
  - Result: Users assigned the Coach role can fully manage their participants and programs but are restricted from accessing sensitive system settings that are not relevant to their day-to-day work.
The RBAC system is built on three simple but powerful concepts that work together to grant access.
Resources (The What)
Resources are the features, data, or areas of the platform that you want to
control access to. A resource is a clearly defined part of the system, such as
webhooks.*, journeys.*, or participants.read.
Roles (The Who)
Roles are like job titles that represent a group of users with similar access needs. Instead of assigning permissions to each person one by one, you assign them a Role, like the built-in 'Admin' or 'Coach'. A user can have multiple roles.
Permissions (The Link)
Permissions are the crucial link that connects a Role to a Resource.
Creating a permission is the action of granting a specific role access to a
specific resource. Permissions can also have an expiry date (Valid Until) for
granting temporary access.
How RBAC Works in Practice
The typical workflow for managing access is a straightforward process:
- Define your Resources: First, ensure all the features and data areas you want to control are defined as resources.
- Create Custom Roles: If needed, create new roles that match the distinct job functions of your users.
- Grant Permissions: Connect your roles (both custom and built-in) to the resources they need by creating permissions.
Once set up, you can manage a user's access simply by assigning or removing roles from their profile, and the system will handle the rest.
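The model above (several roles per user, permissions linking a role to a resource, optional Valid Until) can be sketched as a deny-by-default check. This is an added example, not the platform's own code. It assumes that a grant on participants.* covers participants.read; the names Permission, covers and is_allowed, the Auditor role and all dates are constructed for illustration.

```python
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Optional


@dataclass(frozen=True)
class Permission:
    role: str
    resource: str                            # "participants.*" or "participants.read"
    valid_until: Optional[datetime] = None   # None means the grant never expires


# Constructed sample grants modelled on the default roles described above.
PERMISSIONS = [
    Permission("Admin", "participants.*"),
    Permission("Admin", "journeys.*"),
    Permission("Admin", "webhooks.*"),
    Permission("Coach", "participants.*"),
    Permission("Coach", "journeys.*"),
    Permission("Coach", "groups.*"),
    # Hypothetical custom role holding temporary, narrow access.
    Permission("Auditor", "webhooks.read",
               datetime(2030, 1, 1, tzinfo=timezone.utc)),
]


def covers(granted: str, requested: str) -> bool:
    """Assumed wildcard rule: 'x.*' covers anything under 'x.'; else exact match."""
    if granted.endswith(".*"):
        # Keep the trailing dot so 'participants.*' cannot match 'participantsX.read'.
        return requested.startswith(granted[:-1])
    return granted == requested


def is_allowed(user_roles, resource, now=None, permissions=PERMISSIONS) -> bool:
    """Deny by default; allow only via an unexpired grant held by one of the roles."""
    now = now or datetime.now(timezone.utc)
    for p in permissions:
        if p.role not in user_roles:
            continue
        if p.valid_until is not None and now >= p.valid_until:
            continue  # expired temporary access no longer counts
        if covers(p.resource, resource):
            return True
    return False


def expired_grants(now=None, permissions=PERMISSIONS):
    """List grants past their Valid Until date, e.g. for a periodic access review."""
    now = now or datetime.now(timezone.utc)
    return [p for p in permissions if p.valid_until and now >= p.valid_until]
```

Because the check returns False unless a matching grant is found, a user with no roles, or a role with no permission for the resource, is denied without any explicit deny rule.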