---
alias: user-guide-security-roles
description: "Manage roles within the application, including creation, editing, and assignment of users, services, and features to control access and permissions"
---

# Roles

:lock: Administration.**Security**

## Roles Overview

The list of Roles is available by selecting the Roles label on the landing page of the **Security** page.

![security_role_list][security_role_list]

The **Roles** page displays general information on the specific **Role**. In addition, it enables the user to perform all the operations that can be performed on a specific **Role**.

The **Details** view will display some or all of the following page sections:

* **Details** - displays general information on the **Role**.
* **Members** - displays information on the **Users** or other **Roles** that belong to the **Role**.
* **Features** - displays information on the **Features** to which the **Role** has access.
* **Services** - displays information on the **Services** to which the **Role** has access.
* **Data Groups** - displays information on the **Data Groups** to which the **Role** belongs.
* **Report Folders** - displays information on the **Data Groups** to which the **Role** has access.

!!! warning
    In order to have access to the Report Folders section in the Role page, the user must have access to the ReportFolder.Edit feature.

![security_role_page_details_view][security_role_page_details_view]

## System Default Roles

Critical Manufacturing MES provides a set of default roles that control the operations users can perform in the system.

The following roles are available by default:

* **Administrators** - the system's built-in administrative role. This role cannot be deleted.
* **AppFrameworkApiAccess** - grants applications the permissions required to interact with Critical Manufacturing MES APIs during installation. This role is assigned to the user representing the application being installed.
* **CubeExplorerAdministrators** - a role used to control access to the Cube Explorer (Cube Playground) functionality.
* **DataOrchestratorAdministrators** - grants access to the [[user-guide-data-orchestrator]] (Dagster) user interface.
* **MES** - an OAuth Scope Role automatically generated as part of the environment. This role is required for non-Administrator users to log in to Critical Manufacturing MES. Without it, users will receive an error at login.
* **SysAdministrators** - grants access to environment management endpoints related to ClickHouse backup and restore operations.

!!! info
    In addition to these roles, installed applications create their own roles. These roles are automatically generated and follow the name of the corresponding application.

## Creating a Role

:lock: Role.**Create**

To create a **Role** in the application - note that the role must exist in the Active Directory - it's necessary to choose the Roles page and select the Create button in the ribbon:

1. Provide the name for the Role.
2. Optionally provide a description.
3. Optionally enter an auto-lock timeout value (in seconds), which applies by default to every user who has this role defined as the primary role. Note that this value is overridden by the user-level auto-lock timeout value.
4. Optionally specify a Distribution List where emails will be sent when notifying the role.

    !!! note
        If a Distribution List is defined, it must be well formed - it must contain valid email addresses, and if multiple email addresses are provided, they must be separated by a semicolon.

5. If the Role is an Active Directory Role, the *Is Active Directory Group* checkbox must be checked. Note that in this case the Name must match the Active Directory group name exactly.
6. If the Role is defined as an OAuth Scope Role, the *Is OAuth Scope* checkbox must be checked for proper authorization when using the appropriate Security Portal strategy.

    !!! note
        The `MES` OAuth Scope Role is required for non-Administrator users to log in to MES. Without it, the user will receive an error message at login.

7. Select **Create** to complete the operation.

![security_role_create][security_role_create]

## Editing a Role

:lock: Role.**Edit**

To edit a Role, it's necessary to:

1. Open the **Role** page.
2. Open the wizard by selecting Edit on the top ribbon.
3. Make the necessary changes.
4. Commit the data to the database by choosing **Update**.

![security_role_edit][security_role_edit]

## Removing a Role

:lock: Role.**Remove**

To remove a Role, it's necessary to:

1. Open the **Role** page.
2. Open the wizard by selecting Remove on the top ribbon.
3. Select **Remove** to complete the operation.

![security_role_remove][security_role_remove]

!!! warning
    Any Personal Access Tokens with the scope associated through the role (directly or indirectly) will be revoked.

## Assigning Users to a Role

:lock: Role.**Edit**

To assign one or more Users to a Role, it's necessary to:

1. Open the Role details and navigate to the Members section in the Role details page or select the Roles in the Role list page.
2. Select the Assign dropdown button and select Users.
3. Choose the desired Users to be assigned the current Role.
4. Select **Assign** to complete the operation.

![security_role_assign_user][security_role_assign_user]

## Unassigning Users from a Role

:lock: Role.**Edit**

To unassign one or more Users from a Role, it's necessary to:

1. Open the Role details and navigate to the Members section in the Role details page.
2. Choose the Users you wish to unassign from the Role and select the Unassign dropdown button, followed by Users.
3. Select **Unassign** to complete the operation.

![security_role_unassign_user][security_role_unassign_user]

## Assigning Roles to a Role

:lock: Role.**Edit**

To assign one or more Roles to a Role, it's necessary to:

1. Open the Role details and navigate to the Members section in the Role details page or select the Roles in the Role list page.
2. Select the Assign dropdown button and select Roles.
3. Choose the desired Roles to be assigned the current Role.
4. Select **Assign** to complete the operation.

![security_role_assign_role][security_role_assign_role]

## Unassigning Roles from a Role

:lock: Role.**Edit**

To unassign one or more Roles from a Role, it's necessary to:

1. Open the Role details and navigate to the Members section in the Role details page.
2. Choose the *Roles* you wish to unassign from the Role and select the Unassign dropdown button, followed by Roles.
3. Select **Unassign** to complete the operation.

![security_role_unassign_role][security_role_unassign_role]

## Assigning Services to a Role

:lock: Role.**Edit**

To assign one or more Services to a Role, it's necessary to:

1. Open the Role details and navigate to the *Services* section in the Role details page or select the Roles in the Role list page.
2. Press the *Assign* button.
3. Select the desired *Services* to be assigned the current Role.
4. Press **Assign** to complete the operation.

![security_role_assign_service][security_role_assign_service]

## Unassigning Services from a Role

:lock: Role.**Edit**

To unassign one or more *Services* from a Role, it's necessary to:

1. Open the Role details and navigate to the Services section in the Role details page.
2. Choose the Services you wish to unassign from the Role and select the Unassign button.
3. Select **Unassign** to complete the operation.

![security_role_unassign_service][security_role_unassign_service]

## Assigning Features to a Role

:lock: Role.**Edit**

To assign one or more Features to a Role, it's necessary to:

1. Open the Role details and navigate to the Features section in the Role details page or select the Roles in the Role list page.
2. Select the Assign button.
3. Choose the desired Features to be assigned the current Role.
4. Select **Assign** to complete the operation.

!!! info
    For easier feature assignment, it is possible to select all features at once, bypassing the grid paging and allowing for a one-click selection of the entire set of features. Simply use Select All Items and all the available features will be selected. Similarly, to deselect all features, use Clear Selection and all features will be deselected.

![security_role_assign_feature][security_role_assign_feature]

## Unassigning Features from a Role

:lock: Role.**Edit**

To unassign one or more Features from a Role, it's necessary to:

1. Open the Role details and navigate to the Features section in the Role details page.
2. Choose the Features you wish to unassign from the Role and select the Unassign button.
3. Select **Unassign** to complete the operation.

![security_role_unassign_feature][security_role_unassign_feature]

## Assigning Data Groups to a Role

:lock: Role.**Edit**

To assign one or more Data Groups to a Role, it's necessary to:

1. Open the Role details and navigate to the Data Groups section in the Role details page or select the Roles in the Role list page.
2. Select the Assign button.
3. Choose the desired Data Groups to be assigned the current Role.
4. Choose the Access Mode for each of the Data Groups to assign to the current Role.
5. Select **Assign** to complete the operation.

![security_role_assign_datagroup][security_role_assign_datagroup]

## Unassigning Data Groups from a Role

:lock: Role.**Edit**

To unassign one or more Data Groups from a Role, it's necessary to:

1. Open the Role details and navigate to the Data Groups section in the Role details page.
2. Choose the Data Groups you wish to unassign from the Role and select the Unassign button.
3. Select **Unassign** to complete the operation.

![security_role_unassign_datagroup][security_role_unassign_datagroup]

## Assigning Report Folders to a Role

:lock: Role.**Edit**

To assign one or more *Report Folders* to a Role, it's necessary to:

1. Open the Role details and navigate to the *Report Folders* section in the Role details page or select the Roles in the Role list page.
2. Select the *Assign* button.
3. Choose the desired *Report Folders* to be assigned the current Role.
4. Choose the Access Mode for each of the *Report Folders* to assign to the current Role.
5. Select **Assign** to complete the operation.

!!! warning
    In order to have access to the Report Folders section in the Role page, the user must have access to the ReportFolder.Edit feature.

![security_role_assign_report_folders][security_role_assign_report_folders]

## Unassigning Report Folders from a Role

:lock: Role.**Edit**

To unassign one or more Report Folders from a Role, it's necessary to:

1. Open the Role details and navigate to the Report Folders section in the Role details page.
2. Choose the Report Folders you wish to unassign from the Role and select the Unassign button.
3. Select **Unassign** to complete the operation.

!!! warning
    In order to have access to the Report Folders section in the Role page, the user must have access to the ReportFolder.Edit feature.

![security_role_unassign_report_folders][security_role_unassign_report_folders]

[security_role_list]: ../images/security_role_list.png
[security_role_page_details_view]: ../images/security_role_page_details_view.png
[security_role_create]: ../images/security_role_create.png
[security_role_edit]: ../images/security_role_edit.png
[security_role_remove]: ../images/security_role_remove.png
[security_role_assign_user]: ../images/security_role_assign_user.png
[security_role_unassign_user]: ../images/security_role_unassign_user.png
[security_role_assign_role]: ../images/security_role_assign_role.png
[security_role_unassign_role]: ../images/security_role_unassign_role.png
[security_role_assign_feature]: ../images/security_role_assign_feature.png
[security_role_unassign_feature]: ../images/security_role_unassign_feature.png
[security_role_assign_datagroup]: ../images/security_role_assign_datagroup.png
[security_role_unassign_datagroup]: ../images/security_role_unassign_datagroup.png
[security_role_assign_service]: ../images/security_role_assign_service.png
[security_role_unassign_service]: ../images/security_role_unassign_service.png
[security_role_assign_report_folders]: ../images/security_role_assign_report_folders.png
[security_role_unassign_report_folders]: ../images/security_role_unassign_report_folders.png