Environment Level Role-Based Access Control (RBAC)

Overview

To manage permissions, Unqork classifies end-users by roles and groups. End-users are the ones interacting with your application on the front-end. You'll manage users and roles separately for Express View and Designer tools. Express users use your application in Express View. Creator users have access to Designer tools for your application. In this article, you'll learn about environment-level RBAC for your Express users.

Let's examine how roles differ from groups and how they work to secure your application.

Express groups (working together with the role hierarchy) determine what submissions team members see. When you set up your groups, you can decide whether the end-user can access only their data, a specific set of data, or all data.

Express roles set what your end-users can do. You can use roles to regulate access to a module or component. For instance, users might have read-only access to modules or a module's components in a given role.

Here's a quick review:

  • Groups determine which submissions your end-user can see.
  • Roles determine what actions your end-user can take on those submissions.

It's a good idea to add your Express groups first. That way, when you add an Express role, your group is available to assign to it.

What You'll Learn

In this article, you’ll learn how to:

Adding a Group

Groups let you control end-user access to submission data. You define their access by the hierarchy of their role and the groups they're in. You can decide whether they can access only their data, a specific set of data, or all data.

First, add a new Express group. Give it a name, a description, and assign a Group Type.

To add an Express group:

1. At the top right of the Unqork Designer Platform, click the Settings drop-down.
2. Click Administration.
3. Under Express Permissions, select Express Group Administration.
4. Enter a group name and group description.

Don't use spaces in group names. For example, if you want to call a group Training Group, use Training-Group or TrainingGroup.

5. Choose a Group Type from the drop-down. The Group Type defines data access permissions for all members of that group. Refer to More About Group Types below to learn more.

Group names are permanent. You can, however, change a group's description or Group Type at any time.

6. Click Add Group.

7. At the Success notification, click OK. You can now add Express users to this group.

More About Group Types

Your Express users can belong to more than one group. Because of this, you can use groups in various combinations to create complex rules.

Let's go over the 3 Group Types and how each option affects a group member's access to submission data. Imagine you lead a team with 2 members named Alice and Bob. You want to make sure you can control who sees what. Let's see how each Group Type affects Alice's access to Bob's submission data. Remember, Unqork manages Express permissions with roles as well as groups, so pay attention to Alice and Bob's roles too.

Alice's Group Type

Alice's Submission Data Access

Data Access to Role Descendants Only

Alice can access Bob's submissions if they're both in this group and if her role is higher than Bob's.

Data Access to Own Role and Role Descendants Only

Alice can access Bob's submissions if they're both in this group and if her role is higher than or the same as Bob's.

Data Access to All Roles in Hierarchy

Alice can access Bob's submissions if they're both in this group, regardless of the role hierarchy.

Viewing Active Groups

Once you add an Express group, it displays in the Active Groups list. This list makes it easy to keep track of and manage your Express groups.

To see all Active Groups and their settings:

1. At the top right of the Unqork Designer Platform, click the Settings drop-down.
2. Click Administration.
3. Under Express Permissions, select Express Group Administration.
4. Scroll down to Active Groups. Here you can see all current, active Express groups and their group descriptions.
5. Select the active group to view. The group's name and settings populate above.

Editing a Group

Sometimes, you'll want to change something about an Express group like its Data Access permissions or its description.

To edit an Express group's settings:

1. At the top right of the Unqork Designer Platform, click the Settings drop-down.
2. Click Administration.
3. Under Express Permissions, select Express Group Administration.
4. Under Active Groups, select the group you want to edit. The Express group's name and settings populate above.
5. Make changes to the group's description or Group Type.
6. Click Save Changes.

7. At the Success notification, click OK.

Deleting a Group

You might want to clean up or remove outdated Express groups from your Active Groups list. The Delete option makes this quick and easy.

To delete an Express group:

1. At the top right of the Unqork Designer Platform, click the Settings drop-down.
2. Click Administration.
3. Under Express Permissions, select Express Group Administration.
4. Under Active Groups, select the Express group to delete. The group's name and settings populate above.
5. Click Delete, next to the Cancel button.

You can't delete a Group if it is assigned to at least one user.

6. At the confirmation message, click OK.

Remember, deleting a group is permanent. To make a group available again, you must re-add it from scratch and reassign all members.

Promoting Groups

Environments in Unqork support each phase of building and rendering applications. There are generally 3 environment stages for each production customer:

Environment Stage

Description

Code-base

Client Staging

The Staging environment stage (sometimes called the Dev stage) is where Unqork creators do most of their critical work. This is where creators build applications, modules, API calls, and more. Client Staging is a non-production environment that hosts test content only. Features and bug fixes get released to Client Staging at the end of a sprint cycle (every two weeks).

We host Staging internally at Unqork. Staging offers both a Designer and Express View interface.

Staging

UAT (User Acceptance Testing)

The UAT environment stage is where both Unqork and the client can view the latest build. This non-production environment hosts test content only, including checking API responses and setting up unit tests.

As with Staging, we host UAT internally at Unqork. UAT offers both a Designer and Express View interface.

UAT

Production

This environment stage is the live application, the only environment that end-users can access. It is also the only environment stage to host live client data.

Production

Some applications move through up to five environment stages. The two additional stages include dedicated QA (Quality Assurance) and Pre-production environments. QA environment stages use the UAT code-base. Pre-production environment stages use the Production code-base.

When promoting an application to the next environment, you must also separately promote all Express groups associated with it.

Express groups can have access to multiple applications. It's important to be mindful when promoting an application and all its features. Promoting a group can affect other applications in the target environment, as promoting a group overwrites any previous versions in the target environment.

To promote all Express groups:

1. At the top right of the Unqork Designer Platform, click the Settings drop-down.
2. Click Administration.
3. Under Express Permissions, select Express Group Administration.
4. Click Promote All Groups. The Promote Group pop-up displays.
5. From the Target Environment drop-down menu in the Promote Group modal, select a new target.
6. Click Promote.

7. At the Success notification, click OK.

Only follow these steps if you want to promote all of your active Express groups. To promote a single Express group or a few chosen groups, you must add each of them to the new environment. To do this, follow the instructions for Adding an Express Group.

Adding a Role

Before you create an Express role, you should consider the following:

  • Will this role need full submission access?
  • Should the role have no-access, read-only, or write default permission?
  • Is there a parent role?
  • Should this role be a member of any group?

Now that you have planned your role, let's add it.

To add a new Express role:

1. Click the Settings drop-down at the top right of the Unqork Designer Platform.
2. Click Administration.
3. Under Express Permissions, select Express Role Administration.

Express Role Details

1. Enter the Role Name. Role Names are permanent.

Create your Role Name without using spaces between words. If you're adding an Express role named Human Capital Management, enter Human-Capital-Management or HumanCapitalManagement. You'll remove the segmentation by deleting the space between the words or by using a hyphen.

2. Enter the Role Description.

Express Role Permissions

There are a few ways to set up permissions for your Express role. Read through the following options and choose what works best for you:

1. Select the parent for this Express role from the Choose role parent drop-down. The parent-child relationship defines the hierarchy in groups. The role you are creating is the child. The parent you select has access to modules and workflow the child’s role can access.
2. Click Full Submission Access to give the Express role full access to all submission data. Full Submission Access supersedes role hierarchy, group membership, and field-level permissions. Please note that this setting will provide users with this role Write access to every submission in every application in the entire environment. Use with caution.
3. From the drop-down, select the Choose Role Default Permission. Default permissions let you decide how this Express role interacts with data. (If the role has Full Submission Access, skip this step.)

There are 3 default permissions:

Setting

Description

No-Access

The Express user has no access to the application.

Read-Only

The Express user can view but cannot write or engage with the application.

Write

The Express user has full access to write and engage with the application.

Setting Groups

You can organize Express users into groups to limit or grant permissions to specific roles. Each group has a set of rules for its users. These rules outline what data a group member can see.

You can assign groups to an Express user, or you can assign groups to an Express role. When you assign a role to an Express user, the user is automatically included in that role's groups.

1. Under the Groups section, you'll see the different groups in your platform. Click the checkbox next to the group(s) that you want for your role.

An Express user with this new role gets enrolled in the group(s) you select on this page.

2. Click the Add Role button.

With this finished, you can now assign Express users to this role. When adding a new Express user, choose the Express role from the Default Role drop-down.

You can adjust permissions on modules and components through RBAC (role-based access control). Turn on Customize RBAC using the Module Builder Settings sidebar option. From there, you can adjust module-level and component-level permissions.

Viewing Active Roles

Once you add an Express role, it lives on the Active Roles list.

To view all active Express roles:

1. Click the Settings drop-down at the top right of the Unqork Designer Platform.
2. Click Administration.
3. Under Express Permissions, select Express Role Administration.
4. Under Active Roles, click the Express role you'd like to view.

When you select a role, the current settings show in the Express Role Administration fields at the top of the page. Read on for details on editing or deleting an Express role.

Editing a Role

While a role's name is permanent, you can change a role's description and permissions.

To edit an Express role:

1. Click the Settings drop-down at the top right of the Unqork Designer Platform.
2. Click Administration.
3. Under Express Permissions, select Express Role Administration.
4. Under Active Roles, click the Express role you'd like to edit.

When you select a role, the current settings show in the Express Role Administration fields at the top of the page.

5. Make your changes to the role description and/or role permissions.
6. Click Save Changes.

Deleting a Role

From time to time, you might clean up or refine your Active Roles list. A delete option makes this quick and easy.

To delete an Express role:

1. Click the Settings drop-down at the top right of the Unqork Designer Platform.
2. Click Administration.
3. Under Express Permissions, select Express Role Administration.
4. Under Active Roles, click the Express role you'd like to delete.
5. Click the Delete link above the Active Roles list.

Deleting a role is permanent. To make a deleted role available again, you'll need to re-add it.

Promoting a Role

When promoting an application to the next environment, you must also promote roles. This applies to Express roles and Creator roles. Below, we'll cover the steps for promoting Express roles.

You can share roles between more than one application. Be mindful when promoting an application and all its features. Consider how promoting an Express role might affect other applications in the target environment.

Promoting a role overwrites any previous versions in the target environment.

Environments in Unqork support each phase of building and rendering applications. Generally, we use 3 environments for each production customer.

Environment Stage

Description

Code-base

Client Staging

The Staging environment stage (sometimes called the Dev stage) is where Unqork creators do most of their critical work. This is where creators build applications, modules, API calls, and more. Client Staging is a non-production environment that hosts test content only. Features and bug fixes get released to Client Staging at the end of a sprint cycle (every two weeks).

We host Staging internally at Unqork. Staging offers both a Designer and Express View interface.

Staging

UAT (User Acceptance Testing)

The UAT environment stage is where both Unqork and the client can view the latest build. This non-production environment hosts test content only, including checking API responses and setting up unit tests.

As with Staging, we host UAT internally at Unqork. UAT offers both a Designer and Express View interface.

UAT

Production

This environment stage is the live application, the only environment that end-users can access. It is also the only environment stage to host live client data.

Production

Some applications move through up to five environment stages. The two additional stages include dedicated QA (Quality Assurance) and Pre-production environments. QA environment stages use the UAT code-base. Pre-production environment stages use the Production code-base.

To promote all Express roles:

1. Click the Settings drop-down at the top right of the Unqork Designer Platform.
2. Click Administration.
3. Under Express Permissions, select Express Role Administration.
4. Click + Promote All Roles.
5. Select a target environment from the Select a Target drop-down.

6. Click Promote.

The above instructions only apply if you're promoting all your active roles. To promote a single role or a few chosen roles, you must add each of them to the new environment. To do this, follow the instructions for adding an Express role.