Environment Level Role-Based Access Control (RBAC)
Overview
To manage permissions, Unqork classifies end-users by roles and groups. End-users are the ones interacting with your application on the front-end. You'll manage users and roles separately for Express View and Designer tools. Express users use your application in Express View. Creator users have access to Designer tools for your application. In this
Let's examine how roles differ from groups and how they work to secure your application.
Express groups (working together with the role hierarchy) determine what submissions team members see. When you set up your groups, you can decide whether the end-user can access only their data, a specific set of data, or all data.
Express roles set what your end-users can do. You can use roles to regulate access to a module or component. For instance, users might have read-only access to modules or a module's components in a given role.
Here's a quick review:
- Groups determine which submissions your end-user can see.
- Roles determine what actions your end-user can take on those submissions.
It's a good idea to add your Express groups first. That way, when you add an Express role, your group is available to assign to it.
What You'll Learn
In this
- Add a group.
- View active groups.
- Edit a group.
- Delete a group.
- Promote groups.
- Add a role.
- View active roles.
- Edit roles.
- Delete roles.
- Promote all roles.
Adding a Group
Groups let you control end-user access to submission data. You define their access by the hierarchy of their role and the groups they're in. You can decide whether they can access only their data, a specific set of data, or all data.
First, add a new Express group. Give it a name, a description, and assign a Group Type.
To add an Express group:
| 1. | At the top right of the Unqork Designer Platform, click the Settings drop-down. |
| 2. | Click Administration. |
| 3. | Under Express Permissions, select Express Group Administration. |
| 4. | Enter a group name and group description. |
NOTE Don't use spaces in group names. For example, if you want to call a group Training Group, use Training-Group or TrainingGroup.
| 5. | Choose a Group Type from the drop-down. The Group Type defines data access permissions for all members of that group. Refer to More About Group Types below to learn more. |
NOTE Group names are permanent. You can, however, change a group's description or Group Type at any time.
| 6. | Click Add Group. |
| 7. | At the Success notification, click OK. You can now add Express users to this group. |
More About Group Types
Your Express users can belong to more than one group. Because of this, you can use groups in various combinations to create complex rules.
Let's go over the 3 Group Types and how each option affects a group member's access to submission data. Imagine you lead a team with 2 members named Alice and Bob. You want to make sure you can control who sees what. Let's see how each Group Type affects Alice's access to Bob's submission data. Remember, Unqork manages Express permissions with roles as well as groups, so pay attention to Alice and Bob's roles too.
|
Alice's Group Type |
Alice's Submission Data Access |
|---|---|
|
Data Access to Role Descendants Only |
Alice can access Bob's submissions if they're both in this group and if her role is higher than Bob's. |
|
Data Access to Own Role and Role Descendants Only |
Alice can access Bob's submissions if they're both in this group and if her role is higher than or the same as Bob's. |
|
Data Access to All Roles in Hierarchy |
Alice can access Bob's submissions if they're both in this group, regardless of the role hierarchy. |
Viewing Active Groups
Once you add an Express group, it displays in the Active Groups list. This list makes it easy to keep track of and manage your Express groups.
To see all Active Groups and their settings:
| 1. | At the top right of the Unqork Designer Platform, click the Settings drop-down. |
| 2. | Click Administration. |
| 3. | Under Express Permissions, select Express Group Administration. |
| 4. | Scroll down to Active Groups. Here you can see all current, active Express groups and their group descriptions. |
| 5. | Select the active group to view. The group's name and settings populate above. |
Editing a Group
Sometimes, you'll want to change something about an Express group like its Data Access permissions or its description.
To edit an Express group's settings:
| 1. | At the top right of the Unqork Designer Platform, click the Settings drop-down. |
| 2. | Click Administration. |
| 3. | Under Express Permissions, select Express Group Administration. |
| 4. | Under Active Groups, select the group you want to edit. The Express group's name and settings populate above. |
| 5. | Make changes to the group's description or Group Type. |
| 6. | Click Save Changes. |
| 7. | At the Success notification, click OK. |
Deleting a Group
You might want to clean up or remove outdated Express groups from your Active Groups list. The Delete option makes this quick and easy.
To delete an Express group:
| 1. | At the top right of the Unqork Designer Platform, click the Settings drop-down. |
| 2. | Click Administration. |
| 3. | Under Express Permissions, select Express Group Administration. |
| 4. | Under Active Groups, select the Express group to delete. The group's name and settings populate above. |
| 5. | Click Delete, next to the Cancel button. |
NOTE You can't delete a Group if it is assigned to at least one user.
| 6. | At the confirmation message, click OK. |
NOTE Remember, deleting a group is permanent. To make a group available again, you must re-add it from scratch and reassign all members.
Promoting Groups
Environments in Unqork support each phase of building and rendering applications. There are generally 3 environment stages for each production customer:
|
Environment Stage |
Description |
Code-base |
|---|---|---|
|
Client Staging |
The Staging environment stage (sometimes called the Dev stage) is where Unqork creators do most of their critical work. This is where creators build applications, modules, API calls, and more. Client Staging is a non-production environment that hosts test content only. Features and bug fixes get released to Client Staging at the end of a sprint cycle (every two weeks). We host Staging internally at Unqork. Staging offers both a Designer and Express View interface. |
Staging |
|
UAT (User Acceptance Testing) |
The UAT environment stage is where both Unqork and the client can view the latest build. This non-production environment hosts test content only, including checking API responses and setting up unit tests. As with Staging, we host UAT internally at Unqork. UAT offers both a Designer and Express View interface. |
UAT |
|
Production |
This environment stage is the live application, the only environment that end-users can access. It is also the only environment stage to host live client data. |
Production |
NOTE Some applications move through up to five environment stages. The two additional stages include dedicated QA (Quality Assurance) and Pre-production environments. QA environment stages use the UAT code-base. Pre-production environment stages use the Production code-base.
When promoting an application to the next environment, you must also separately promote all Express groups associated with it.
NOTE Express groups can have access to multiple applications. It's important to be mindful when promoting an application and all its features. Promoting a group can affect other applications in the target environment, as promoting a group overwrites any previous versions in the target environment.
To promote all Express groups:
| 1. | At the top right of the Unqork Designer Platform, click the Settings drop-down. |
| 2. | Click Administration. |
| 3. | Under Express Permissions, select Express Group Administration. |
| 4. | Click Promote All Groups. The Promote Group pop-up displays. |
| 5. | From the Target Environment drop-down menu in the Promote Group modal, select a new target. |
| 6. | Click Promote. |
| 7. | At the Success notification, click OK. |
NOTE Only follow these steps if you want to promote all of your active Express groups. To promote a single Express group or a few chosen groups, you must add each of them to the new environment. To do this, follow the instructions for Adding an Express Group.
Adding a Role
Before you create an Express role, you should consider the following:
- Will this role need full submission access?
- Should the role have no-access, read-only, or write default permission?
- Is there a parent role?
- Should this role be a member of any group?
Now that you have planned your role, let's add it.
To add a new Express role:
| 1. | Click the Settings drop-down at the top right of the Unqork Designer Platform. |
| 2. | Click Administration. |
| 3. | Under Express Permissions, select Express Role Administration. |
Express Role Details
| 1. | Enter the Role Name. Role Names are permanent. |
NOTE Create your Role Name without using spaces between words. If you're adding an Express role named Human Capital Management, enter Human-Capital-Management or HumanCapitalManagement. You'll remove the segmentation by deleting the space between the words or by using a hyphen.
| 2. | Enter the Role Description. |
Express Role Permissions
There are a few ways to set up permissions for your Express role. Read through the following options and choose what works best for you:
| 1. | Select the parent for this Express role from the Choose role parent drop-down. The parent-child relationship defines the hierarchy in groups. The role you are creating is the child. The parent you select has access to modules and workflow the child’s role can access. |
| 2. | Click Full Submission Access to give the Express role full access to all submission data. Full Submission Access supersedes role hierarchy, group membership, and field-level permissions. Please note that this setting will provide users with this role Write access to every submission in every application in the entire environment. Use with caution. |
| 3. | From the drop-down, select the Choose Role Default Permission. Default permissions let you decide how this Express role interacts with data. (If the role has Full Submission Access, skip this step.) |
There are 3 default permissions:
|
Setting |
Description |
|---|---|
|
No-Access |
The Express user has no access to the application. |
|
Read-Only |
The Express user can view but cannot write or engage with the application. |
|
Write |
The Express user has full access to write and engage with the application. |
Setting Groups
You can organize Express users into groups to limit or grant permissions to specific roles. Each group has a set of rules for its users. These rules outline what data a group member can see.
You can assign groups to an Express user, or you can assign groups to an Express role. When you assign a role to an Express user, the user is automatically included in that role's groups.
| 1. | Under the Groups section, you'll see the different groups in your platform. Click the checkbox next to the group(s) that you want for your role. |
An Express user with this new role gets enrolled in the group(s) you select on this page.
| 2. | Click the Add Role button. |
With this finished, you can now assign Express users to this role. When adding a new Express user, choose the Express role from the Default Role drop-down.
NOTE You can adjust permissions on modules and components through RBAC (role-based access control). Turn on Customize RBAC using the Module Builder Settings sidebar option. From there, you can adjust module-level and component-level permissions.
Viewing Active Roles
Once you add an Express role, it lives on the Active Roles list.
To view all active Express roles:
| 1. | Click the Settings drop-down at the top right of the Unqork Designer Platform. |
| 2. | Click Administration. |
| 3. | Under Express Permissions, select Express Role Administration. |
| 4. | Under Active Roles, click the Express role you'd like to view. |
When you select a role, the current settings show in the Express Role Administration fields at the top of the page. Read on for details on editing or deleting an Express role.
Editing a Role
While a role's name is permanent, you can change a role's description and permissions.
To edit an Express role:
| 1. | Click the Settings drop-down at the top right of the Unqork Designer Platform. |
| 2. | Click Administration. |
| 3. | Under Express Permissions, select Express Role Administration. |
| 4. | Under Active Roles, click the Express role you'd like to edit. |
When you select a role, the current settings show in the Express Role Administration fields at the top of the page.
| 5. | Make your changes to the role description and/or role permissions. |
| 6. | Click Save Changes. |
Deleting a Role
From time to time, you might clean up or refine your Active Roles list. A delete option makes this quick and easy.
To delete an Express role:
| 1. | Click the Settings drop-down at the top right of the Unqork Designer Platform. |
| 2. | Click Administration. |
| 3. | Under Express Permissions, select Express Role Administration. |
| 4. | Under Active Roles, click the Express role you'd like to delete. |
| 5. | Click the Delete link above the Active Roles list. |
NOTE Deleting a role is permanent. To make a deleted role available again, you'll need to re-add it.
Promoting a Role
When promoting an application to the next environment, you must also promote roles. This applies to Express roles and Creator roles. Below, we'll cover the steps for promoting Express roles.
You can share roles between more than one application. Be mindful when promoting an application and all its features. Consider how promoting an Express role might affect other applications in the target environment.
NOTE Promoting a role overwrites any previous versions in the target environment.
Environments in Unqork support each phase of building and rendering applications. Generally, we use 3 environments for each production customer.
|
Environment Stage |
Description |
Code-base |
|---|---|---|
|
Client Staging |
The Staging environment stage (sometimes called the Dev stage) is where Unqork creators do most of their critical work. This is where creators build applications, modules, API calls, and more. Client Staging is a non-production environment that hosts test content only. Features and bug fixes get released to Client Staging at the end of a sprint cycle (every two weeks). We host Staging internally at Unqork. Staging offers both a Designer and Express View interface. |
Staging |
|
UAT (User Acceptance Testing) |
The UAT environment stage is where both Unqork and the client can view the latest build. This non-production environment hosts test content only, including checking API responses and setting up unit tests. As with Staging, we host UAT internally at Unqork. UAT offers both a Designer and Express View interface. |
UAT |
|
Production |
This environment stage is the live application, the only environment that end-users can access. It is also the only environment stage to host live client data. |
Production |
NOTE Some applications move through up to five environment stages. The two additional stages include dedicated QA (Quality Assurance) and Pre-production environments. QA environment stages use the UAT code-base. Pre-production environment stages use the Production code-base.
To promote all Express roles:
| 1. | Click the Settings drop-down at the top right of the Unqork Designer Platform. |
| 2. | Click Administration. |
| 3. | Under Express Permissions, select Express Role Administration. |
| 4. | Click + Promote All Roles. |
| 5. | Select a target environment from the Select a Target drop-down. |
| 6. | Click Promote. |
NOTE The above instructions only apply if you're promoting all your active roles. To promote a single role or a few chosen roles, you must add each of them to the new environment. To do this, follow the instructions for adding an Express role.
