.. _role_based_access:
Role-based Access
-----------------
The system implements role-based access control through:
* Hierarchies
* User Roles
All users are added to the system at a specific hierarchy level. A user added at a specific hierarchy
can only view system resources available to users at that hierarchy.
On the interface, this means that the user has no visibility of nodes outside of
the sub-tree starting at the parent hierarchy. The user may change to a level of the
hierarchy below the parent hierarchy.
The diagram shows that a user at VS-Corp has no visibility of GenCorp and InGen.
.. image:: /src/images/hierarchy-VS-Corp.png
From the context of the hierarchy level that a user was created at, role-based
access is implemented. When users are added to the system at a hierarchy level,
a User Role can be assigned to them.
A user role is a combination of:
* Rules applying to the role, specifically, the hierarchy
types applying to the role. A role is only available to a user at a hierarchy level that belongs to
a hierarchy type associated with the role. For example, a Site Administrator role may have a rule that associates it with Site
and Building hierarchy types, but not Customer hierarchy types.
In this way a Site Administrator role cannot be associated with
a user created at a Customer hierarchy level. A hierarchy rule
is therefore enforced by the role.
* System permissions to resources from that hierarchy.
* Access Profiles associated with a User Role that
determine access specific operations supported
by different models and/or on miscellaneous permissions.
* The visibility of resource attributes.
* The look and feel of the interface.
* Default values of resource attributes.
.. image:: /src/images/rbac.png
.. rubric:: Related Topics
*
.. raw:: latex
Role-based Access for Multi-vendor Subscriber in the Core Feature Guide
.. raw:: html
Role-based Access for Multi-vendor Subscriber
*
.. raw:: latex
User Roles in the Core Feature Guide
.. raw:: html
User Roles