Role based access control

Overview

Role based access control allows for assigning users custom permissions within ION for creating/updating/deleting data. The ION data model allows for abstracting permissions to roles to make them easier to administrate.

Permissions are assigned to roles, and roles can either be assigned directly to users or to users through teams. See the data model below.

Hight level data model

Let's take an example. Let's say that you want to control the permissions of creating runs to the manufacturing engineering team. You'd also like manufacturing engineers to have access to create and update inventory. The warehouse team will have access to create and update inventory as well.

A recommended approach for doing this in ION would be:

  1. Create a new role for Run creator

  2. Assign the appropriate permissions to role

  3. Create the teams: Manufacturing engineering and Warehouse.

  4. Assign the correct roles to the teams, which in this case will include Run Creator and the inventory role, which already exists in ION.

5. Assign the correct staff to each team

6. Go forth and prosper with your newly administered roles

Creating and Assigning Roles to Users

To grant users access to new roles, you either need to be an admin or you need to have a role with the AttachRoleToUser or DetachRoleFromUser permissions.

To change the permissions associated with a role or to create new ones, you need the following permissions.

  • AttachPermissionGroupToRole

  • CreateRole

  • DeleteRole

  • DetachPermissionGroupFromRole

  • UpdateRole

As a rule of thumb, every unique mutation in ION has an associated permission with it. See Interactive API explorer for more details.

Admins

Users with the role admin will have permissions to do any and all things within ION. Use judiciously!

To see others that are admins within your environments, navigate to roles within the members section of settings here and see who all this applies to.

Adding permissions to roles:

To add permissions to roles:

  1. go to Settings -> Roles

  2. Click on the role you want to edit

  3. Click the permissions you want to add.

Below is a video showing just that!

No permissions

If a user does not have permissions to perform an action, they will get the a message listing the permission required, see example below. Permissions are required for any create/update/delete action in ION.

Special cases

  • Redlining on the frontend requires that you have access to the updateRedlinePermission

  • Putting a step on hold or canceling a step requires the same access as completing a step: updateRunStep

Bulk updates

We've prepared some bulk update python scripts here for managing users, roles, and teams to help make it easier to administer.

Last updated

Was this helpful?