Module-Level Role-Based Access Control (RBAC)

Overview

Each role has a set of access privileges for what your end-users can and can’t do in your modules. At Unqork, an end-user’s role defines their access to a module. Module permissions are also specific to the individual modules. So, you could give an end-user full access to one module and read-only access to another. You'll do this using module-level RBAC (role-based access control).

Here are some scenarios where you’d want to use module-level RBAC:

  • When you want the Authenticated role, with read-only access, to have write permissions for a module.
  • When you want Anonymous users (unauthenticated) to view your module.

What You’ll Learn

In this article, you'll learn:

Accessing Module Builder Settings

In Module Builder Settings, you can choose how your module interacts with API (application programming interfaces) calls and end-users. Here, you’ll adjust your module's settings for RBAC. Let’s navigate to the Module Builder Settings.

To access Module Builder Settings:

1. Open your module in the Module Builder.
2. Hover over the left menu bar.
3. Click Settings.

How Module-Level RBAC Works

Module-level RBAC is unique because you can change a role's permission for a module. Changes to permissions only impact the current module. They don't impact any other modules.

By default, the Customize RBAC for This Module toggle is set to ON. This toggle displays all the roles and permissions in your module. By default, each role permission is set to Inherit. Inherit means that the role's access in this module is the same as your environment.

The Effective Permissions column shows the active permission for the role. If the Effective Permission is Inherit, it inherits that role permission from the environment level. The Effective Permission displays any change you make to your module permissions.

Let's look at the default Effective Permissions by role:

Role Description

Administrator

By default, the Administrator role has an Effective Permission of Write. This permission gives the Administrator users full access to write and engage with the module.

Authenticated

By default, the Authenticated role has an Effective Permission of Read-Only. This means the Authenticated user can only view the module. They don't have permission to write or engage with it.

Now, let's select the role permissions you want for this module.

Changing Module RBAC

Let's look at an example of changing role permissions. The Permissions drop-down has the following options:

Permission

Description

Inherit

Inherit means that the role's access in this module is the same as the environmental level. Meaning, you've inherited the permissions from the environment-level RBAC.

No Access

Your end-user has no access to your application.

Read-Only

Your end-user can view but can't write or engage with your application.

Write

Your end-user has full access to write and engage with your application.

For this example, let's look at changing the Authenticated user permissions. By default, Authenticated users have Read-Only permissions. Let's change the permission from Read-Only to Write.

To change default RBAC for your module:

1. Open the Module Builder Settings page.
2. Select Write from the Authenticated Permission drop-down.

The Effective Permission and Inherited From columns change to reflect the role's current permission.

3. Click Save Settings.

Adding Anonymous Access to a Module

Now, let's look at the Allow Access to Anonymous Users setting in the Module Builder Settings. Anonymous end-users aren't registered in Unqork. Enabling this setting gives unauthenticated end-users access to your modules without a login.

If you change the Anonymous role's permissions to Read-Only or Write, end-users get a temporary token. Using this token, they can view your module in Express View. For this example, let's enable Anonymous access and change the permissions to Read-Only.

To enable Anonymous access to unauthenticated end-users:

1. Open the Module Builder Settings.
2. Set the Allow Access to Anonymous Users toggle to ON. An Anonymous role displays in the Module Permissions table.
3. Select Read-Only from the Anonymous Permission drop-down.

You have the same permission options as before: Inherit, No Access, Read-Only, and Write.

4. Click Save Settings.

What if you have a workflow and want to grant access to Anonymous end-users? No problem. Set up your module and add it to an Anonymous role lane in the Workflow Builder. When an Anonymous end-user accesses the workflow, they can view it in Express View without logging in.

Use the Allow Access to Anonymous Users setting wisely. Once enabled, non-administrative users have higher privileges in your module.