Role based access control


Role based access control allows for assigning users custom permissions within ION for creating/updating/deleting data. Existing roles are unchanged, and can be modified. See here for information on the migration.

The ION data model allows for abstracting permissions to roles to make them easier to administrate.

Permissions are assigned to roles, and roles can either be assigned directly to users or to users through teams. See the data model below.

Let's take an example. Let's say that you want to control the permissions of creating runs to the manufacturing engineering team. You'd also like manufacturing engineers to have access to create and update inventory. The warehouse team will have access to create and update inventory as well.

A recommended approach for doing this in ION would be:

  1. Create a new role for Run creator

  2. Assign the appropriate permissions to role

  3. Create the teams: Manufacturing engineering and Warehouse.

  4. Assign the correct roles to the teams, which in this case will include Run Creator and the inventory role, which already exists in ION.

5. Assign the correct staff to each team

6. Go forth and prosper with your newly administered roles


Users with the role admin will have permissions to do any and all things within ION. Use judiciously!

No permissions

If a user does not have permissions to perform an action, they will get the a message listing the permission required, see example below. Permissions are required for any create/update/delete action in ION.

Special cases

  • Redlining on the frontend requires that you have access to the updateRedlinePermission

  • Putting a step on hold or canceling a step requires the same access as completing a step: updateRunStep

Bulk updates

We've prepared some bulk update python scripts here for managing users, roles, and teams to help make it easier to administer.

Last updated