Roles
Zenskar employs a mix of role-based access control (RBAC) and permission-based access control for authorization. Authorization is easily confused with authentication, but the two answer different questions:

| Authentication | Authorization |
|---|---|
| Are you who you claim to be? | Are you allowed to do what you are trying to do? |
| You are challenged to validate your credentials through mechanisms such as password verification, fingerprint matching or facial recognition. | You are granted access to a resource according to policies and rules created by an administrator. |
| Generally governed by the OpenID Connect (OIDC) protocol, an identity layer built on top of OAuth 2.0. | Generally governed by the OAuth 2.0 authorization framework. |

In summary, access to a resource is protected by both authentication and authorization: you have to prove your identity and hold the appropriate permissions to interact with the resource.
Important concepts are summarized in the table below:
| Authorization object | Description |
|---|---|
| Permissions | Sets of permitted verbs (or actions) on a set of resources. In Zenskar, the available verbs are Read, Write, Delete and Approve. |
| Roles | Collections of permissions. You bind (or assign) users to a role. |
| Bindings | Associations of a user with a role. |
How to add a new role?
- Click on the named drop-up menu located at the bottom of the side panel, and click on Roles.
- Click on the + ADD NEW ROLE button.
- Enter the new role name.
- Grant required permissions to the role by selecting permissions from the AVAILABLE PERMISSIONS list and adding them to the GRANTED PERMISSIONS list.
- Click ADD ROLE.
Choose all permissions
Use the option to choose all permissions with caution. A user bound to such a role can perform every action on every resource, including managing Roles and Users, which makes it an administrator role in all but name.
Available permissions
Each permission pairs a verb with a resource and is of the form:
Can Read
Can Write
Can Delete
Can Read, Can Write and Can Delete exist for every resource listed below. There is also a Can Approve permission, which applies only to Invoices.
| Resource |
|---|
| Accounting |
| Aggregate |
| Analytics |
| Contract |
| Credit Notes |
| Customer |
| Data Sources |
| Integrations |
| Invoices |
| Jobs |
| Monitors |
| Payments |
| Payment Methods |
| Product |
| Raw Metric |
| Roles |
| Template |
| Triggers |
| User |
How to update a role?
- Click on the named drop-up menu located at the bottom of the side panel, and click on Roles.
- From the roles listed on the page, click on the role you wish to edit.
- Make the necessary edits and click the UPDATE ROLE button.
How to delete a role?
- Click on the named drop-up menu located at the bottom of the side panel, and click on Roles.
- Each row on the Roles page has a kebab menu. Click it to reveal the option to delete that role.
Caution
A user can hold permissions granted directly, outside of any role, in addition to those granted through a role. Deleting a role revokes only the permissions that users received through that role; permissions granted to a user directly are retained. Before deleting a role, review the direct grants of the users bound to it so that nobody keeps more access than intended.
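The permission model from the concepts table above, together with the role-deletion caveat in this caution, as an added example that is not Zenskar's own code: a small Python model in which permissions are (verb, resource) pairs, roles are collections of permissions, bindings associate users with roles, and a user may additionally hold direct grants outside any role. The class and method names (Permission, AuthzStore, is_allowed, direct_grants_of_members) are assumptions made for illustration; the verbs and resource names are the ones this page lists.

```python
"""Toy model of this page's authorization objects: permissions as (verb,
resource) pairs, roles as collections of permissions, bindings of users to
roles, plus direct per-user grants held outside any role. Added example, not
Zenskar's code: the names (Permission, AuthzStore, is_allowed, ...) are
assumptions; the verbs and resources are the ones the page lists."""
from __future__ import annotations

from dataclasses import dataclass, field

VERBS = frozenset({"Read", "Write", "Delete", "Approve"})
RESOURCES = frozenset({
    "Accounting", "Aggregate", "Analytics", "Contract", "Credit Notes",
    "Customer", "Data Sources", "Integrations", "Invoices", "Jobs",
    "Monitors", "Payments", "Payment Methods", "Product", "Raw Metric",
    "Roles", "Template", "Triggers", "User",
})


@dataclass(frozen=True)
class Permission:
    """One permitted verb on one resource, e.g. Permission("Read", "Invoices")."""
    verb: str
    resource: str

    def __post_init__(self) -> None:
        if self.verb not in VERBS or self.resource not in RESOURCES:
            raise ValueError(f"unknown permission: {self.verb} on {self.resource}")
        if self.verb == "Approve" and self.resource != "Invoices":
            raise ValueError("Approve is only defined on Invoices")  # per the page


def all_permissions() -> frozenset[Permission]:
    """What 'choose all permissions' grants: every verb on every resource (Approve
    only on Invoices). A role holding this set administers Roles and User too."""
    perms = {Permission(v, r) for v in VERBS - {"Approve"} for r in RESOURCES}
    return frozenset(perms | {Permission("Approve", "Invoices")})


@dataclass
class AuthzStore:
    roles: dict[str, set[Permission]] = field(default_factory=dict)
    bindings: dict[str, set[str]] = field(default_factory=dict)  # user -> role names
    direct_grants: dict[str, set[Permission]] = field(default_factory=dict)  # user -> perms

    def add_role(self, name: str, perms: set[Permission]) -> None:
        self.roles[name] = set(perms)

    def bind(self, user: str, role: str) -> None:
        if role not in self.roles:
            raise KeyError(role)
        self.bindings.setdefault(user, set()).add(role)

    def grant_direct(self, user: str, perm: Permission) -> None:
        self.direct_grants.setdefault(user, set()).add(perm)  # granted outside any role

    def delete_role(self, name: str) -> None:
        """Drops the role and every binding to it; direct grants are untouched."""
        del self.roles[name]
        for roles in self.bindings.values():
            roles.discard(name)

    def effective_permissions(self, user: str) -> frozenset[Permission]:
        perms = set(self.direct_grants.get(user, set()))
        for role in self.bindings.get(user, set()):
            perms |= self.roles[role]
        return frozenset(perms)

    def is_allowed(self, user: str, verb: str, resource: str) -> bool:
        """Authorization decision; anything that is not a known permission is denied."""
        try:
            return Permission(verb, resource) in self.effective_permissions(user)
        except ValueError:
            return False

    def direct_grants_of_members(self, role: str) -> dict[str, frozenset[Permission]]:
        """Pre-deletion check: what each user bound to `role` would keep afterwards."""
        return {u: frozenset(self.direct_grants[u])
                for u, roles in self.bindings.items()
                if role in roles and self.direct_grants.get(u)}


def demo() -> dict[str, bool]:
    """The scenario in the caution above: a direct grant survives role deletion."""
    store = AuthzStore()
    store.add_role("Billing Analyst",
                   {Permission("Read", "Invoices"), Permission("Read", "Customer")})
    store.bind("alice", "Billing Analyst")
    store.grant_direct("alice", Permission("Approve", "Invoices"))  # the "extra" permission
    result = {
        "read_before": store.is_allowed("alice", "Read", "Invoices"),
        "approve_before": store.is_allowed("alice", "Approve", "Invoices"),
        "delete_before": store.is_allowed("alice", "Delete", "Invoices"),
        "flagged_by_check": "alice" in store.direct_grants_of_members("Billing Analyst"),
    }
    store.delete_role("Billing Analyst")
    result["read_after"] = store.is_allowed("alice", "Read", "Invoices")  # revoked with the role
    result["approve_after"] = store.is_allowed("alice", "Approve", "Invoices")  # kept
    return result
```

Calling demo() walks through the caveat: once the role is deleted, alice loses Read on Invoices but keeps the Approve permission she was granted directly. direct_grants_of_members is the check worth running before deleting a role, since it lists exactly what each bound user would retain.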