Roles
Zenskar employs a mix of role-based access control (RBAC) and permission-based access control for authorization. People often get confused between authentication and authorization. It is important to remember that authorization is not the same as authentication:
Authentication | Authorization |
---|---|
Are you who you claim to be? | Are you allowed to do what you are trying to do? |
You are challenged to validate your credentials through mechanisms such as password verification, fingerprint matching, facial recognition. | You are provided access to a resource through policies and rules created by an administrator. |
Generally governed by the OpenID Connect (OIDC) protocol. | Generally governed by the OAuth 2.0 framework. |
In summary, access to a resource is protected by both authentication and authorization: you have to prove your identity and possess appropriate permissions to interact with resources
Important concepts are summarized in the table below:
Authorization object | Description |
---|---|
Permissions | Sets of permitted verbs (or actions) on a set of resources. In Zenskar, Read , Write , Delete , and Approve are the verbs available. |
Roles | Collections of permissions. You can bind (or assign) users to a role. |
Bindings | Associations of a user with a role. |
How to add a new role?
- Click on the named drop-up menu located at the bottom of the side panel, and click on Roles.
- Click on the + ADD NEW ROLE button.
- Enter the new role name.
- Grant required permissions to the role by selecting permissions from the AVAILABLE PERMISSIONS list and adding them to the GRANTED PERMISSIONS list.
- Click ADD ROLE.
Choose all permissions
The option to choose all permissions must be used with caution. The user attains unlimited power.
Available permissions
The permissions are of the form:
Can Read
Can Write
Can Delete
Can Approve permission
There is also a Can Approve permission applicable only to invoices.
Resource |
---|
Accounting |
Aggregate |
Analytics |
Contract |
Credit Notes |
Customer |
Data Sources |
Integrations |
Invoices |
Jobs |
Monitors |
Payments |
Payment Methods |
Product |
Raw Metric |
Roles |
Template |
Triggers |
User |
How to update a role?
- Click on the named drop-up menu located at the bottom of the side panel, and click on Roles.
- From the roles listed on the page, click on the role you wish to edit.
- Make the necessary edits and click the UPDATE ROLE button.
How to delete a role?
- Click on the named drop-up menu located at the bottom of the side panel, and click on Roles.
- Each row on the Roles page has a kebab menu. Clicking on the kebab menu will display the option to delete a role.
Caution
A user can be granted more permissions than allowed by a role. Deleting a role will revoke the permissions granted to user by the role. However, the user will retain the extra permissions.
Updated 18 days ago