Users, Roles, and Permissions

Users

The Fluent platform comes with user role management, which defines the actions a user can undertake, such as modifying a workflow or editing a location. To configure a user, permissions must be assigned to roles, and then roles must be assigned to users at a specific context level. Users may be assigned one or multiple roles at different context levels.

How does Context influence Roles and Permissions?

Roles are assigned within a Context, and higher levels of Context will automatically allocate to lower levels. For example, if a User has a Role which grants the ORDER_UPDATE Permission in the Account context, they will also have that Permission for all Retailers and Agents (Location level context) below that Account. 

User types 

The user

`Type`

Permissions 

Represents a single access right. Permissions follow a naming convention of NOUN_VERB (e.g. ORDER_UPDATE). They allow users to perform specific actions on an entity, such as VIEW, CREATE, and UPDATE. For example, the ORDER_UPDATE permission allows a user to edit the Order entity. 

Permissions are assigned to roles, enabling the role to perform specific actions. The list of permissions defined by the Fluent platform can be found in the GraphQL Permissions list.

GraphQL Permissions

Permissions currently protect every GraphQL operation

• Query permissions on entities follow an <ENTITY>_VIEW naming convention.
  Example:
  • The orders query is protected by the ORDER_VIEW permission
• Mutation permissions on entities follow <ENTITY>_CREATE and <ENTITY>_UPDATE permissions, respectively.
  Examples:
  • The updateOrder mutation is accessed via the ORDER_UPDATE permission.
  • The createOrder mutation is accessed via the ORDER_CREATE permission.

Roles 

A collection of permissions that can apply to a User in a given Context. Users can be assigned one or multiple roles. Roles can be created using GQL mutation or in the OMS web apps. For more on Role creation and editing within OMS web apps, consult How to create and edit a Role.

Some

`ROLE`

There is a set of roles that come with every account, this is how you retrieve them: 

1{
2    roles(first:1000){
3        edges{
4             node{
5                name
6                permissions{
7                    name
8                }
9             }
10        }
11    }
12}

Custom Roles

You can also create your own custom roles to fit your unique business requirements, either in the OMS Webapp (consult the Role Creation and Editing Mutations article), or via GraphQL mutation here is an example: 

1mutation createRole {
2    createRole (
3        input: {
4            name: "${role}",
5            permissions: [
6                {name:"${name}"}
7                ...
8            ]
9        }
10    ) {
11        id
12        name
13    }
14}

User management

When a user as the ROLE_MANAGER and the USER_MANAGER roles assigned on ACCOUNT context level, it can perform user management tasks.

Users who have these roles assigned are allowed to perform the following actions:

• SEARCH and LIST users.
• ADD new users.
• MODIFY existing users.

Check the above "Viewing all permissions" callout to see all available User permissions.  

Configuration 

You can configure Users (create, add, and delete) via SSO (using a Corporate IDP Integration) or directly in the User admin section in the Fluent OMS app (read User Configuration Overview to learn more). However, Roles & Permissions are currently managed via Fluent, unless you decide to use the Fluent-supported SCIM Connector. Learn about Exploring Roles & Permissions via the UI. 

Configuring permissions for Fluent Apps

• Access to Fluent Apps can be restricted to particular roles (Check the App-Level Configuration section in the OMX UX Framework Configuration Guide).
• User Actions can be restricted to particular roles (Check the Page Component).
• Some GraphQL queries allow for filtering by IDs (e.g., retailer id, location id), which allows filtering on the client side, e.g.

  `{{activeRetailer.id}}`

  ,

  `{{activeLocation.ref}}`

  (Check the Page Route section in the OMX UX Framework Configuration Guide)

Relationship between Users, Roles, and Context

• User management provides the capability to control who has access to the Fluent platform.
• A user can have multiple roles, and each of these roles may be associated with a context, which can be the account, any retailer, and/or any location within the account. 
• Context applies all the Roles for a User at a specific level. You can for example restrict a User's access to an Account, a Retailer (case scenario where you only want access to a specific brand/retailer), or a Location (case scenario where a store operator only needs Fluent Store access to the Store where they are operating).

Example 1: Giving admin access to a Retailer

• Admin User A1 can access Retailer 1 data

Example 2: Giving admin access to multiple Retailers

• Admin User A2 can access Retailer 1 & Retailer 2 data
• The context switcher allows the filtering of some data by Retailer

Example 3: Giving store access to multiple Locations

• Store User S1 can access Retailer 1 and Location 1 and 2 data
• The context switcher allows to filter by retailer-specific data (

  `fulfilments`

  only)