Users, Roles, and Permissions
Authors:
Randy Chan, Esma Tuzovic, Cille Schliebitz, Holger Lierse, Ben Harrison
Changed on:
5 Nov 2024
Overview
The Fluent platform provides a comprehensive user role management system, allowing for the assignment of diverse permissions via roles to regulate platform access and functionalities. Custom roles can be created and fine-tuned, ensuring users only have access to appropriate functionality and data. The system provides flexibility to specify the scope for a role at different context levels, such as Accounts, Retailers, and Locations.
Key points
- A role can be assigned to multiple users, and a user can be assigned multiple roles.
- Permissions are granular access controls that protect every GraphQL and REST API operation. GraphQL permissions follow a specific naming convention.
- Context plays a pivotal role in access levels, allowing users to have role-based access to data for specific Accounts, Retailers, or Locations.
Users
The Fluent platform comes with user role management, which defines the actions a user can undertake, such as modifying a workflow or editing a location. To configure a user, permissions must be assigned to roles, and then roles must be assigned to users at a specific context level. Users may be assigned one or multiple roles at different context levels.
User types
The user
`Type`
Permissions
Represents a single access right. Permissions follow a naming convention of NOUN_VERB (e.g. ORDER_UPDATE). They allow users to perform specific actions on an entity, such as VIEW, CREATE, and UPDATE. For example, the ORDER_UPDATE permission allows a user to edit the Order entity.
Permissions are assigned to roles, enabling the role to perform specific actions. The list of permissions defined by the Fluent platform can be found in the GraphQL Permissions list.
GraphQL Permissions
Permissions currently protect every GraphQL operation.
- Query permissions on entities follow the <ENTITY>_VIEW naming convention.
  - Example: the orders query is protected by the ORDER_VIEW permission.
- Mutation permissions on entities follow the <ENTITY>_CREATE and <ENTITY>_UPDATE naming conventions, respectively.
  - Example: the updateOrder mutation is accessed via the ORDER_UPDATE permission.
  - Example: the createOrder mutation is accessed via the ORDER_CREATE permission.
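The naming convention above means the permission guarding a GraphQL field can be derived from the field name, which is useful when reviewing what a role can actually do. The following Python is an added example, not code from the Fluent platform: it derives the required permission from an operation name, checks it against role definitions in the shape returned by the `roles` query, and lists permissions a role holds beyond what a given set of operations needs. The sample roles response is constructed, and the plural-stripping rule (orders -> ORDER) is an assumption, since the page only shows the ORDER entity.

```python
import re
from typing import Dict, Iterable, List, Set

# Constructed sample in the shape returned by the `roles` query
# (roles -> edges -> node -> name, permissions[].name). Role and permission
# names here are illustrative, not a real account's data.
SAMPLE_ROLES_RESPONSE: Dict = {
    "roles": {
        "edges": [
            {"node": {"name": "STORE_OPERATOR",
                      "permissions": [{"name": "ORDER_VIEW"},
                                      {"name": "FULFILMENT_VIEW"},
                                      {"name": "FULFILMENT_UPDATE"}]}},
            {"node": {"name": "ORDER_ADMIN",
                      "permissions": [{"name": "ORDER_VIEW"},
                                      {"name": "ORDER_CREATE"},
                                      {"name": "ORDER_UPDATE"}]}},
        ]
    }
}


def _entity_name(noun: str) -> str:
    """camelCase field noun -> UPPER_SNAKE entity name.

    The plural-stripping rule (orders -> ORDER, categories -> CATEGORY) is an
    assumption made for this example; the page only gives ORDER as a sample.
    """
    snake = re.sub(r"(?<!^)(?=[A-Z])", "_", noun).upper()
    if snake.endswith("IES"):
        return snake[:-3] + "Y"
    if snake.endswith("S") and not snake.endswith("SS"):
        return snake[:-1]
    return snake


def required_permission(operation_type: str, field_name: str) -> str:
    """Permission guarding a top-level GraphQL field, per the documented
    <ENTITY>_VIEW (queries) and <ENTITY>_CREATE / <ENTITY>_UPDATE (mutations)
    naming convention."""
    if operation_type == "query":
        return f"{_entity_name(field_name)}_VIEW"
    if operation_type == "mutation":
        match = re.fullmatch(r"(create|update)([A-Z]\w*)", field_name)
        if match is None:
            raise ValueError(f"cannot derive permission for mutation {field_name!r}")
        verb, noun = match.groups()
        return f"{_entity_name(noun)}_{verb.upper()}"
    raise ValueError(f"unknown operation type {operation_type!r}")


def permissions_of(roles_response: Dict, role_names: Iterable[str]) -> Set[str]:
    """Union of permission names held by the named roles."""
    wanted = set(role_names)
    granted: Set[str] = set()
    for edge in roles_response["roles"]["edges"]:
        node = edge["node"]
        if node["name"] in wanted:
            granted.update(p["name"] for p in node["permissions"])
    return granted


def can_execute(roles_response: Dict, role_names: Iterable[str],
                operation_type: str, field_name: str) -> bool:
    """True if the roles collectively hold the permission the field requires."""
    return required_permission(operation_type, field_name) in permissions_of(roles_response, role_names)


def excess_permissions(roles_response: Dict, role_names: Iterable[str],
                       needed_operations: Iterable[tuple]) -> List[str]:
    """Least-privilege review: permissions the roles grant beyond those the
    listed (operation_type, field_name) pairs actually require."""
    needed = {required_permission(t, f) for t, f in needed_operations}
    return sorted(permissions_of(roles_response, role_names) - needed)
```

Feeding the real output of the Retrieving Roles query into `excess_permissions` with the list of operations a team actually uses gives a quick view of which CREATE/UPDATE permissions a role carries without needing them.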
Roles
A collection of permissions that can apply to a User in a given Context. Users can be assigned one or multiple roles. Roles can be created using GQL mutation or in the OMS web apps. For more on Role creation and editing within OMS web apps, consult How to create and edit a Role.
Some
`ROLE`
A set of roles comes with every account; this is how you retrieve them (query "Retrieving Roles", which returns each role's name and its permissions):

```graphql
{
  roles(first: 1000) {
    edges {
      node {
        name
        permissions {
          name
        }
      }
    }
  }
}
```
Custom Roles
You can also create your own custom roles to fit your unique business requirements, either in the OMS Webapp (consult the Role Creation and Editing Mutations article) or via a GraphQL mutation. Here is an example (GraphQL mutation to create a custom Role, where ${role} and ${name} stand for the role name and each permission name):

```graphql
mutation createRole {
  createRole(
    input: {
      name: "${role}",
      permissions: [
        { name: "${name}" }
        ...
      ]
    }
  ) {
    id
    name
  }
}
```
User management
When a user has both the ROLE_MANAGER and the USER_MANAGER roles assigned at the ACCOUNT context level, they can perform user management tasks.
Users who have these roles assigned are allowed to perform the following actions:
- SEARCH and LIST users.
- ADD new users.
- MODIFY existing users.
Check the above "Viewing all permissions" callout to see all available User permissions.
Configuration
You can configure Users (create, add, and delete) via SSO (using a Corporate IDP Integration) or directly in the User admin section in the Fluent OMS app (read User Configuration Overview to learn more). However, Roles & Permissions are currently managed via Fluent, unless you decide to use the Fluent-supported SCIM Connector. Learn about Exploring Roles & Permissions via the UI.
Configuring permissions for Fluent Apps
- Access to Fluent Apps can be restricted to particular roles (Check the App-Level Configuration section in the OMX UX Framework Configuration Guide).
- User Actions can be restricted to particular roles (Check the Page Component).
- Some GraphQL queries allow filtering by IDs (e.g. retailer id, location id), which enables filtering on the client side, e.g. `{{activeRetailer.id}}` or `{{activeLocation.ref}}` (check the Page Route section in the OMX UX Framework Configuration Guide).
Relationship between Users, Roles, and Context
- User management provides the capability to control who has access to the Fluent platform.
- A user can have multiple roles, and each of these roles may be associated with a context, which can be the account, any retailer, and/or any location within the account.
- Context applies all the roles for a user at a specific level. You can, for example, restrict a user's access to an Account, to a Retailer (for example, when you only want to grant access to a specific brand/retailer), or to a Location (for example, when a store operator only needs Fluent Store access to the store where they are operating).
Example 1: Giving admin access to a Retailer
- Admin User A1 can access Retailer 1 data
Example 2: Giving admin access to multiple Retailers
- Admin User A2 can access Retailer 1 & Retailer 2 data
- The context switcher allows the filtering of some data by Retailer
Example 3: Giving store access to multiple Locations
- Store User S1 can access Retailer 1 and Location 1 and 2 data
- The context switcher allows filtering by retailer-specific data only (`fulfilments`).
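To make the three examples concrete, the following Python is an added example, not the platform's own authorisation code: it models role assignments scoped to an Account, Retailer or Location context and evaluates whether a user may perform a permission-guarded action on a record that belongs to a given retailer and location. The users A1, A2 and S1 are the constructed counterparts of Examples 1 to 3, the role permission sets are illustrative, and the scoping rule (ACCOUNT covers everything, RETAILER covers that retailer's records, LOCATION covers that location's records only) is an assumption made for this example.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Set

ACCOUNT, RETAILER, LOCATION = "ACCOUNT", "RETAILER", "LOCATION"

# Constructed role definitions (permission sets are illustrative).
ROLE_PERMISSIONS: Dict[str, Set[str]] = {
    "ADMIN": {"ORDER_VIEW", "ORDER_CREATE", "ORDER_UPDATE", "LOCATION_VIEW", "LOCATION_UPDATE"},
    "STORE": {"ORDER_VIEW", "FULFILMENT_VIEW", "FULFILMENT_UPDATE"},
}


@dataclass(frozen=True)
class Assignment:
    """One role granted to a user at one context level."""
    role: str
    context_type: str                   # ACCOUNT, RETAILER or LOCATION
    context_ref: Optional[str] = None   # None for ACCOUNT-level assignments


@dataclass(frozen=True)
class Resource:
    """The retailer and (optionally) location a record belongs to."""
    retailer_ref: str
    location_ref: Optional[str] = None


# Constructed users matching Examples 1-3 above.
USERS: Dict[str, List[Assignment]] = {
    "A1": [Assignment("ADMIN", RETAILER, "RETAILER_1")],
    "A2": [Assignment("ADMIN", RETAILER, "RETAILER_1"),
           Assignment("ADMIN", RETAILER, "RETAILER_2")],
    "S1": [Assignment("STORE", LOCATION, "LOCATION_1"),
           Assignment("STORE", LOCATION, "LOCATION_2")],
}


def assignment_covers(assignment: Assignment, resource: Resource) -> bool:
    """Does the assignment's context include this resource? Assumed scoping:
    ACCOUNT covers everything, RETAILER covers records of that retailer,
    LOCATION covers records of that location only."""
    if assignment.context_type == ACCOUNT:
        return True
    if assignment.context_type == RETAILER:
        return assignment.context_ref == resource.retailer_ref
    if assignment.context_type == LOCATION:
        return assignment.context_ref == resource.location_ref
    raise ValueError(f"unknown context type {assignment.context_type!r}")


def is_allowed(assignments: List[Assignment], permission: str, resource: Resource) -> bool:
    """Allow only if some assignment both grants the permission and covers the resource."""
    return any(
        permission in ROLE_PERMISSIONS.get(a.role, set()) and assignment_covers(a, resource)
        for a in assignments
    )


def switchable_contexts(assignments: List[Assignment]) -> Set[str]:
    """Context refs a user could pick in a context switcher (non-account scopes)."""
    return {a.context_ref for a in assignments if a.context_ref is not None}


def account_wide_users(users: Dict[str, List[Assignment]], roles: Set[str]) -> List[str]:
    """Review helper: users holding any of `roles` at ACCOUNT scope, the broadest
    context (e.g. ROLE_MANAGER / USER_MANAGER for user management)."""
    return sorted(
        name for name, assigns in users.items()
        if any(a.context_type == ACCOUNT and a.role in roles for a in assigns)
    )
```

Note that the permission check and the context check are evaluated together per assignment: holding ORDER_UPDATE via one role at Retailer 1 does not extend to Retailer 2, which is the property that lets a single user safely carry several narrowly scoped roles instead of one broad one.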