# Role based access control

### Overview

Role based access control lets you assign users custom permissions within ION for creating, updating, and deleting data. The ION data model abstracts permissions into roles to make them easier to administer.

Permissions are assigned to roles, and roles can either be assigned directly to users or to users through teams. *See the data model below.*

![High level data model](/files/FP8nPh9iYWF7rXzG0BSx)

Let's take an example. Say you want to limit the permission to create runs to the manufacturing engineering team. You'd also like manufacturing engineers to have access to create and update inventory. The warehouse team will have access to create and update inventory as well.

A recommended approach for doing this in ION would be:

1. Create a new role for `Run creator`
2. Assign the appropriate permissions to the role
3. Create the teams: `Manufacturing engineering` and `Warehouse`.
4. Assign the correct roles to the teams, which in this case will include `Run creator` and the `inventory` role, which already exists in ION.

![](/files/twM7XZ3Ak8K2wogNaINE)

5\. Assign the correct staff to each team

6\. Go forth and prosper with your newly administered roles

## Creating and Assigning Roles to Users

To grant users access to new roles, you either need to be an `admin` or you need to have a role with the `AttachRoleToUser` or `DetachRoleFromUser` permissions.

To change the permissions associated with a role or to create new ones, you need the following permissions.

* AttachPermissionGroupToRole
* CreateRole
* DeleteRole
* DetachPermissionGroupFromRole
* UpdateRole

{% hint style="info" %}
As a rule of thumb, every unique mutation in ION has an associated permission. See [Interactive API explorer](/api/interactive-api-explorer.md) for more details.
{% endhint %}

### Admins

Users with the role `admin` will have permissions to do any and all things within ION. Use judiciously!

To see who else is an admin within your environments, navigate to Roles within the Members section of Settings and check which users the `admin` role applies to.

<figure><img src="/files/MQPJEqwD8oAGbKODRIKH" alt=""><figcaption></figcaption></figure>

### ION Role

The `ION` role is a system-protected role automatically assigned to every user. It cannot be removed or unassigned. This role does not grant any permissions and exists solely to support system migrations, upgrades, and maintenance processes within the platform.
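
The model above (permissions on roles, roles reaching users directly or through teams) can be reviewed offline before changing settings. This is an added example, not ION's code or API: it resolves each user's effective permissions and lists who holds `admin` or the role-management permissions named on this page. The users, the `Role manager` role, the wildcard used to model `admin`, and the `CreateRun`, `CreateInventory` and `UpdateInventory` permission names are assumptions made for illustration.

```python
# Constructed sample data: permissions -> roles -> users (directly or via teams).
ROLE_PERMS = {
    "admin": {"*"},  # modelling assumption: "any and all things" as a wildcard
    "ION": set(),    # system role on every user, grants no permissions
    "Run creator": {"CreateRun"},                          # assumed name
    "inventory": {"CreateInventory", "UpdateInventory"},   # assumed names
    "Role manager": {"AttachRoleToUser", "DetachRoleFromUser"},  # hypothetical role
}
TEAM_ROLES = {
    "Manufacturing engineering": {"Run creator", "inventory"},
    "Warehouse": {"inventory"},
}
USERS = {  # constructed users
    "alice": {"roles": {"ION"}, "teams": {"Manufacturing engineering"}},
    "bob": {"roles": {"ION"}, "teams": {"Warehouse"}},
    "carol": {"roles": {"ION", "Role manager"}, "teams": {"Warehouse"}},
    "dana": {"roles": {"ION", "admin"}, "teams": set()},
}
# Permissions the page lists for granting roles and for editing roles.
SENSITIVE = {
    "AttachRoleToUser", "DetachRoleFromUser", "AttachPermissionGroupToRole",
    "CreateRole", "DeleteRole", "DetachPermissionGroupFromRole", "UpdateRole",
}

def effective_roles(user):
    """Roles held directly plus roles inherited from every team."""
    roles = set(USERS[user]["roles"])
    for team in USERS[user]["teams"]:
        roles |= TEAM_ROLES.get(team, set())
    return roles

def effective_permissions(user):
    perms = set()  # union of the permissions of all effective roles
    for role in effective_roles(user):
        perms |= ROLE_PERMS.get(role, set())
    return perms

def can(user, permission):
    perms = effective_permissions(user)
    return "*" in perms or permission in perms

def audit_privileged():
    """Map each user to the admin or role-management grants they hold."""
    findings = {}
    for user in USERS:
        perms = effective_permissions(user)
        hits = ["admin"] if "*" in perms else sorted(perms & SENSITIVE)
        if hits:
            findings[user] = hits
    return findings
```

Running `audit_privileged()` on a real export of users, teams and roles gives the short list of accounts that can change who holds which role, which is the list worth reviewing first.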

### Adding permissions to roles:

To add permissions to roles:

1. Go to Settings -> Roles
2. Click on the role you want to edit
3. Click the permissions you want to add.

Below is a video showing just that!

{% embed url="<https://www.loom.com/share/714ff91a94d44e8881b0d5fb7ca2eb4e>" %}

### No permissions

If a user does not have permission to perform an action, they will get a message listing the permission required (see the example below). Permissions are required for any create/update/delete action in ION.

![](/files/0XYCk5ZhnWTsGQvspN8c)

### Special cases

* Redlining on the frontend requires that you have access to the `updateRedline` permission
* Putting a step on hold or canceling a step requires the same access as completing a step: `updateRunStep`

### Bulk updates

We've prepared some [bulk update Python scripts](https://github.com/FirstResonance/ion-examples) for managing users, roles, and teams to make them easier to administer.


