This is the multi-page printable view of this section. Click here to print.

Return to the regular view of this page.

Role-Based Access Control

How to manage user roles and permissions

The Role-Based Access Control (RBAC) section enables efficient management of user permissions across your organization by assigning users to groups with predefined roles.

RBAC in the CDM-Server

img.png

As illustrated, Groups act as an intermediary layer between Roles and Users, streamlining the integration of local or external users from sources like LDAP and Azure.
By using groups, you can efficiently manage access for local and/or external users by assigning roles at the group level, reducing the need for individual permission management and ensuring seamless integration with external authentication systems.

Access Control

Users are classified into two categories based on the given rights at the specified level in the organization’s tree:

  • Admin Users: These users have admin rights (write permissions) at the root level of the organization’s hierarchy.
  • Non-Admin Users: These users lack write permissions on the root level of the organizational tree, restricting some functionalities and access to sections (see Roles page for more information).

1 - Users

CDM-Server Users as part of the RBAC

The Users Management is the essential first step in defining and organizing access permissions, as all subsequent groups, roles and permissions rely on the accurate setup of user accounts.

Regardless of the chosen ID Provider, configuring users in the User Management section establishes the essential foundation for RBAC (Role-Based Access Control), enabling robust, secure, and scalable access control across the system.

How Users integrate with RBAC

By establishing users first, the organization can easily assign them to groups and later link these groups to roles as needed, creating a scalable, manageable RBAC hierarchy.

Typical Workflow

  • User Registration: Users are created or imported from an external source (LDAPS or Azure). This provides a central repository for user accounts.
  • Assign Users to Groups: Once added, users are assigned to Groups. Groups are logical collections of users with similar access requirements, such as departments, teams, or project members.
  • Link Groups to Roles: Groups are then connected to Roles. Roles define the specific permissions for each group, streamlining the process by allowing permissions to be assigned collectively rather than individually.

For detailed guidance on managing users, visit the Users page.

2 - Groups

CDM-Server Groups as part of the RBAC

The Groups Management is a central component in the system’s Role-Based Access Control (RBAC) in the CDM-Server. It enables administrators to create, edit, view, and delete Groups—the critical link between users and roles. By assigning users to groups, and then associating those groups with roles, you can efficiently manage permissions across the organization without needing to configure each user individually.

How Groups integrate with RBAC

Groups act as a bridge between users and roles. By defining permissions at the group level, administrators can simplify access control, making it easier to manage permissions for multiple users at once.

Typical Workflow

  • Create a Group: Define a new group and specify its purpose (e.g., “Project Managers” or “Quality Assurance”).
  • Assign Users: Add users to the group who need similar access levels.
  • Associate Roles: Link the group to specific roles that define permissions.
  • Review and Adjust: Regularly view and update group memberships and role associations as team compositions change.

For detailed guidance on managing groups, visit the Groups page.

3 - Roles

CDM-Server Roles as part of the RBAC

The Roles Management section is the final and essential piece of the Role-Based Access Control (RBAC) in the CDM-Server.

Roles define specific permissions within the system, determining what actions can be taken and what resources can be accessed by groups and their members. Roles are the end-point in the RBAC hierarchy, serving as the permission layer that applies to users indirectly through their assigned groups.

How Groups integrate with RBAC

In the CDM-Server there are 3 predefined Role Template which already have specific permissions:

  • Admin: Grants full write permissions on the selected level within the organization’s tree, including all subordinate levels. Admin users have complete control over the selected node and any of its child nodes, allowing them to modify, add, or delete resources.
  • Editor: Provides write permissions ONLY on the child nodes of the selected level within the organization’s tree. Editors can modify content and make updates at subordinate levels without altering permissions or resources at the main (selected) level, preserving the structure while enabling focused updates.
  • Viewer: Offers read-only access on the selected level within the organization’s tree. Viewers can view resources and data within this level but cannot make any changes, ensuring secure and restricted access for users who need visibility without modification rights.

Typical Workflow

  • Create a Role: Define a new role by selecting the Role Template and level in the organization’s tree (Business Unit or Project).
  • Assign Groups: Add groups to the role.
  • Review and Adjust: Regularly view and update group and role associations as team compositions change.

For detailed guidance on managing roles, visit the Roles page.