Access Role Concept
Overview
This guide gives an overview of the access roles for Unique.
The access role concept has four layers: Zitadel Roles, Unique Roles, Space Access and Scope Access.
Zitadel Roles can modify settings and entities on Zitadel itself. That means they can manage organisations, users, branding and all other information of the Zitadel itself.
Unique Roles determine the access to the application and specific features in the application.
Space Access determines which users or user groups have access to which space.
Scope Access determines which user or user groups can read (see) or write (add/modify) documents to which scopes (folder). Based on this configuration you define what knowledge the user has access to when using spaces.
Zitadel Roles and Unique Roles are managed via Zitadel.
Space Access and Scope Access are managed in the Unique App or via APIs.
1. Zitadel Roles
Zitadel Roles can modify settings and entities on Zitadel itself. That means they can manage organisations, users, branding and all other information of the Zitadel itself. They are provided through Zitadel, following this documentation: ZITADEL Docs
Some typical roles we use at Unique are:
Role Name | Remarks
---|---
IAM_OWNER | Only assigned to 2 users, who are able to manage the Instance.
IAM_OWNER_VIEWER | Can view everything on the Instance (but not edit). Is used for
IAM_ORG_MANAGER | We can have multiple; they can make changes on the organisation level, including but not restricted to managing users and their authorizations.
Other roles might be relevant for service users.
These can be adapted to meet the customer's needs.
2. Unique Roles
Unique roles determine the access and permissions for platform features, as described in the following documentation: Roles and Permissions
These Roles are also managed using Zitadel and should be given to users on an organisation level. To be able to give the authorizations to users, you need to have the relevant Zitadel Roles.
3. Space Access
You can manage access to specific spaces using the space management tab in the Unique App, following this documentation: Space Management Interface | Members.
To manage Space Access, users need to have the admin.space.write role from the Unique Roles.
4. Scope Access (Folder in the Knowledge Base)
Scope Access determines which users or user groups can read (see) or write (add/modify) documents to which scopes (folders). Based on this access configuration you define what knowledge the user has access to when using spaces or Unique in general.
Scope Access can currently only be configured via API with the chat.admin.all Unique Role.
At the moment this can only be managed using APIs; a UI in the Unique App is in the works.
To manage scopes and groups, you will need these two pieces of documentation:
Managing Scopes: Managing scopes & access via API
Managing Groups: Managing groups & group members via API
If you are starting from scratch, you need to:
1. Create a new group (see Managing groups & group members via API | Creating a group).
2. Add members to the group using the API or the UI (User management in the Unique App): https://unique-ch.atlassian.net/wiki/x/MgAFJQ
3. Create a scope (see Managing scopes & access via API | Creating a scope).
4. Create scope access (see Managing scopes & access via API | Creating scope access).
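The following is an added illustration, not Unique's code or a client for its API: an in-memory model of the group, scope and scope-access chain described in section 4, run through the four "starting from scratch" steps above. The class and method names, the way the chat.admin.all check is enforced, and the sample users and scope are assumptions made for this example. It shows how a user's read or write access to a folder is resolved purely through group membership and the scope-access entries, and how a caller without chat.admin.all is refused when trying to change that configuration.

```python
# Added example (not Unique's code or API): an in-memory model of the
# group -> scope -> scope-access chain. Class and method names, the role
# check and all sample data are assumptions made for this illustration.
from dataclasses import dataclass, field
from enum import Enum


class Permission(Enum):
    READ = "read"    # see documents in a scope (folder)
    WRITE = "write"  # add or modify documents in a scope


@dataclass
class Group:
    name: str
    members: set = field(default_factory=set)


@dataclass
class ScopeAccess:
    group: str
    permissions: frozenset  # Permission values granted to the group


@dataclass
class Scope:
    name: str
    access: list = field(default_factory=list)  # list of ScopeAccess


class KnowledgeBase:
    """Hypothetical store standing in for the scope and group APIs."""

    # The Unique Role the page names as required for configuring scope access.
    REQUIRED_ROLE = "chat.admin.all"

    def __init__(self):
        self.groups = {}
        self.scopes = {}

    def _require_admin(self, caller_roles):
        # Every configuration call is refused unless the caller holds the role.
        if self.REQUIRED_ROLE not in caller_roles:
            raise PermissionError(f"{self.REQUIRED_ROLE} is required")

    def create_group(self, caller_roles, name):
        self._require_admin(caller_roles)
        self.groups[name] = Group(name)

    def add_member(self, caller_roles, group, user):
        self._require_admin(caller_roles)
        self.groups[group].members.add(user)

    def create_scope(self, caller_roles, name):
        self._require_admin(caller_roles)
        self.scopes[name] = Scope(name)

    def create_scope_access(self, caller_roles, scope, group, permissions):
        self._require_admin(caller_roles)
        if group not in self.groups:
            raise KeyError(f"unknown group {group}")
        self.scopes[scope].access.append(ScopeAccess(group, frozenset(permissions)))

    def can(self, user, scope, permission):
        """Resolve user -> groups -> scope access for one permission.
        Read and write are tracked independently; nothing is implied."""
        target = self.scopes.get(scope)
        if target is None:
            return False  # unknown scope: deny by default
        user_groups = {g.name for g in self.groups.values() if user in g.members}
        return any(
            entry.group in user_groups and permission in entry.permissions
            for entry in target.access
        )


def build_demo():
    """Run the four 'starting from scratch' steps with constructed sample data."""
    admin = {"chat.admin.all"}  # roles held by the caller doing the setup
    kb = KnowledgeBase()
    kb.create_group(admin, "finance-readers")          # step 1
    kb.create_group(admin, "finance-editors")
    kb.add_member(admin, "finance-readers", "alice")   # step 2
    kb.add_member(admin, "finance-editors", "bob")
    kb.create_scope(admin, "finance")                  # step 3
    kb.create_scope_access(admin, "finance", "finance-readers",   # step 4
                           {Permission.READ})
    kb.create_scope_access(admin, "finance", "finance-editors",
                           {Permission.READ, Permission.WRITE})
    return kb


def unprivileged_change_rejected(kb):
    """True if a caller holding only admin.space.write cannot alter scope access."""
    try:
        kb.create_scope_access({"admin.space.write"}, "finance",
                               "finance-readers", {Permission.WRITE})
    except PermissionError:
        return True
    return False


if __name__ == "__main__":
    kb = build_demo()
    for user in ("alice", "bob", "carol"):
        print(user, "read:", kb.can(user, "finance", Permission.READ),
              "write:", kb.can(user, "finance", Permission.WRITE))
```

Note that admin.space.write is deliberately insufficient here: per sections 3 and 4, it governs Space Access, while Scope Access configuration requires chat.admin.all, so the model keeps the two checks apart and denies by default for users in no matching group or for scopes that do not exist.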
Author | @Paul Cornec @Sandro Camastral |
---|
© 2024 Unique AG. All rights reserved.