Module-Level Role-Based Access Control (RBAC)
Overview
Each role has a set of access privileges for what your end-users can and can’t do in your modules. At Unqork, an end-user’s role defines their access to a module. Module permissions are also specific to the individual modules. So, you could give an end-user full access to one module and read-only access to another. You'll do this using module-level RBAC (role-based access control).
Here are some scenarios where you’d want to use module-level RBAC:
- When you want the Authenticated role, with read-only access, to have write permissions for a module.
- When you want Anonymous users (unauthenticated) to view your module.
Accessing Module Builder Settings
In Module Builder Settings, you can choose how your module interacts with API (application programming interfaces) calls and end-users. Here, you’ll adjust your module's settings for RBAC. Let’s navigate to the Module Builder Settings.
To access Module Builder Settings:
| 1. | Open your module in the Module Builder. |
| 2. | Hover over the (ellipsis) button on the top. |
| 3. | Click Module Settings. |
| 4. | From the left side menu, click the User Permissions, to view the RBAC settings. |
How Module-Level RBAC Works
Module-level RBAC is unique because you can change a role's permission for a module. Changes to permissions only impact the current module. They don't impact any other modules.
By default, the Customize RBAC for This Module toggle is set to (ON). This toggle displays all the roles and permissions in your module. By default, each role permission is set to Inherit. Inherit means that the role's access in this module is the same as your environment.
The Effective Permissions column shows the active permission for the role. If the Effective Permission is Inherit, it inherits that role permission from the environment level. The Effective Permission displays any change you make to your module permissions.
Let's look at the default Effective Permissions by role:
| Role | Description |
|---|---|
|
Administrator |
By default, the Administrator role has an Effective Permission of Write. This permission gives the Administrator users full access to write and engage with the module. |
|
Authenticated |
By default, the Authenticated role has an Effective Permission of Read-Only. This means the Authenticated user can only view the module. They don't have permission to write or engage with it. |
Now, let's select the role permissions you want for this module.
Changing Module RBAC
Let's look at an example to change role permissions. The Permissions drop-down has the following options:
|
Permission |
Description |
|---|---|
|
Inherit |
Inherit means that the role's access in this module is the same as the environmental level. Meaning, you've inherited the permissions from the environment-level RBAC. |
|
No Access |
Your end-user has no access to your application. |
|
Read-Only |
Your end-user can view but can't write or engage with your application. |
|
Write |
Your end-user has full access to write and engage with your application. |
For example, let's change the Authenticated user permissions. By default, Authenticated users have Read-Only permissions. Let's change the permission from Read-Only to Write.
To change default RBAC settings for your module:
| 1. | Open your module in the Module Builder. |
| 2. | Hover over the (ellipsis) button on the top. |
| 3. | Click Module Settings. |
| 4. | From the left side menu, click the User Permissions, to change the role permissions. |
| 5. | Select Write from the Authenticated Permission drop-down. |
The Effective Permission and Inherited From columns change to reflect the role's current permission.
| 6. | Click Save & Close. |
Adding Anonymous Access to a Module
Now, let's look at the Allow Access to Anonymous Users setting in the Module Builder Settings. Anonymous end-users aren't registered in Unqork. Enabling this setting gives unauthenticated end-users access to your modules without a login.
If you change the Anonymous role's permissions to Read-Only or Write, end-users get a temporary token. Using this token, they can view your module in Express View. For this example, let's enable Anonymous access and change the permissions to Read-Only.
To enable Anonymous access to unauthenticated end-users:
| 1. | Open your module in the Module Builder. |
| 2. | Hover over the (ellipsis) button on the top. |
| 3. | Click Module Settings. |
| 4. | From the left side menu, click the User Permissions, to view the RBAC settings |
| 5. | Set the Allow Access to Anonymous Users toggle to (ON). An Anonymous role displays in the Module Permissions table. |
| 6. | Select Read-Only from the Anonymous Permission drop-down. |
You have the same permission options as before: Inherit, No Access, Read-Only, and Write.
| 7. | Click Save & Close. |
What if you have a workflow and want to grant access to Anonymous end-users? No problem. Set up your module and add it to an Anonymous role lane in the Workflow Builder. When an Anonymous end-user accesses the workflow, they can view it in Express View without logging in.
Use the Allow Access to Anonymous Users setting wisely. Once enabled, non-administrative users have higher privileges in your module.
