
User Access Management

Overview

The user access management system is designed for detailed control over who has access to which application resources. It employs a role-based access control (RBAC) model, where users are assigned to groups, and access rights are granted to these groups. This ensures efficient and secure access management.

Group Management

Creating a New Group

  1. Navigate to the Groups Section:
    • Open the Groups tab.
  2. Add a Group:
    • Click the Create Group button.
    • Specify a descriptive name and marker.
    • Assign initial access rights.

Warning: A Guest group is always created by default in a new project.

Inheriting Access Rights

In the "Groups" tab, previously created groups are displayed as a hierarchy, and a newly created group can be linked to an existing group so that it inherits that parent group's rights.

Warning: If a restriction on a path is set in the parent group and the same restriction is overridden in the child group, the child group's restriction is the one that applies, but only if the parent group does not have the "Final Permission" option set.

Only One Group in the Chain

A parent group can be selected only if the group has neither a parent nor a child group already linked, so each group takes part in at most one inheritance chain.

Modifying Access Rights

The "Permissions" tab is key for editing access rights.

Grouping Rights

If you previously specified a parent group to inherit rights from, all information about the rights established there is displayed in the table above, and inherited rights cannot be edited. Rights that include exceptions and unused rights are grouped separately in the same table.

Access Rights Management

Creating Access Rights

To start creating a right, click the "Create Right" button in the "Permissions" tab.

An access right is a combination of an HTTP method and a path.

  1. Create a Minimal Set of Permissions:
    • This option reduces the work of creating rights by generating the minimally required set of permissions.

Warning: Available only if there are no previously established permissions.

  2. Set Data Output Restrictions:
    • This option is applicable only when "Create a Minimal Set of Permissions" is selected; it sets a restriction on data output (10 records).
  3. API Section:
    • A required parameter when creating a new access right; it indicates the route for which permissions are selected.
  4. Path:
    • Selection is available only after choosing the API section; it specifies the route for which the right is set.
  5. Name:
    • A mandatory field for naming the right.
  6. "Permissions" Table:
    • The table presents a selection of HTTP methods for the specified path, with the options "unrestricted" and "with record limit" for each.

Warning: For any path in the table, there are always 4 methods listed: GET, POST, PUT, DELETE.

  7. Additional Conditions:
    • These conditions appear not for all paths but only for "list" paths, and allow you to set exceptions for the returned documents.

    • For example, if you need to grant access to all pages except some, click the button "Select which data you want to exclude." In the additional window that opens, select the data to which access should be restricted. For the pages API section, a hierarchical list of pages is displayed; for the attributes section, the attributes are displayed accordingly.

    List of Available Paths with Additional Conditions:

    • /api/content/admins/all
    • /api/content/attributes-sets
    • /api/content/attributes-sets/{marker}/attributes
    • /api/content/pages
    • /api/content/blocks
    • /api/content/forms
    • /api/content/events/subscriptions
    • /api/content/orders-storage
    • /api/content/product-statuses
    • /api/content/templates
    • /api/content/template-previews
    • /api/content/integration-collections

    After selecting data for exclusion, two new options appear. "Exclude" indicates that the selected data should be excluded. "Final Right" means that this right is not inherited further down the child group chain (this option becomes available only if the "Exclude" option is selected).

Warning: The selection of additional conditions depends on the chosen path and is not always available. When such a selection is available, it is marked with "Exceptions available for selection."

[Image: exceptions_marker, list of available paths for configuration]

By default, new rights fall into the "Unused Rights" section; to activate them, simply select them by clicking the checkbox to the left of the name.

To open the editor, use the edit button.

To delete a right, use the remove button.

Understanding Access Rights

Access rights are detailed settings that define what actions a group can perform with specific resources. They are organized by API sections and can be further refined using conditions.

Searching for Rights in the Table

Searching for the required rights in the table is done by entering text in the "Search Rights" field, selecting the necessary API sections in the selector, and choosing the "Select Unused" option.

Final Rights

The final rights tab is an informative table filtered by API sections for easier searching.

Example: Access Restriction for Products

  • API Section: products
  • Access Rights:
    • Read: Yes
    • Add: No
    • Edit: No
    • Delete: No

API Integration

The system provides an API for programmatic management of users, groups, and access rights. Below are examples of typical operations.

Example Request

/api/content/attributes-sets/product_1/attributes

Response without authorization (Guest group):

[
  {
    "type": "image",
    "value": {},
    "marker": "image",
    "position": 1,
    "listTitles": [],
    "validators": {
      "requiredValidator": {
        "strict": true
      }
    },
    "localizeInfos": {
      "title": "image"
    },
    "additionalFields": []
  },
  {
    "type": "textWithHeader",
    "value": {},
    "marker": "textheader",
    "position": 4,
    "listTitles": [],
    "validators": {},
    "localizeInfos": {
      "title": "text header"
    },
    "additionalFields": []
  },
  {
    "type": "image",
    "value": {},
    "marker": "image1",
    "position": 18,
    "listTitles": [],
    "validators": {
      "sizeInPixelsValidator": {
        "maxX": 0,
        "maxY": 0
      },
      "checkingFilesValidator": {
        "maxUnits": "kb",
        "maxValue": 0,
        "minUnits": "mb",
        "minValue": 0,
        "extensions": []
      }
    },
    "localizeInfos": {
      "title": "image"
    },
    "additionalFields": []
  }
]

Response with authorization, where all attribute fields are allowed in the rights:

[
  {
    "type": "image",
    "value": {},
    "marker": "image",
    "position": 1,
    "listTitles": [],
    "validators": {
      "requiredValidator": {
        "strict": true
      }
    },
    "localizeInfos": {
      "title": "image"
    },
    "additionalFields": []
  },
  {
    "type": "textWithHeader",
    "value": {},
    "marker": "textheader",
    "position": 4,
    "listTitles": [],
    "validators": {},
    "localizeInfos": {
      "title": "text header"
    },
    "additionalFields": []
  },
  {
    "type": "image",
    "value": {},
    "marker": "image1",
    "position": 18,
    "listTitles": [],
    "validators": {
      "sizeInPixelsValidator": {
        "maxX": 0,
        "maxY": 0
      },
      "checkingFilesValidator": {
        "maxUnits": "kb",
        "maxValue": 0,
        "minUnits": "mb",
        "minValue": 0,
        "extensions": []
      }
    },
    "localizeInfos": {
      "title": "image"
    },
    "additionalFields": []
  },
  {
    "type": "float",
    "value": {},
    "marker": "price",
    "position": 19,
    "listTitles": [],
    "validators": {},
    "localizeInfos": {
      "title": "price"
    },
    "additionalFields": []
  }
]

As the comparison shows, the authorized user additionally receives the price field, which the Guest group's right excluded.
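The following Python model is added here as an illustration; it is not the product's code or API and the page does not describe the service's data model. It ties together three rules stated above: a child group's restriction overrides the parent's unless the parent right has "Final Permission" set (Inheriting Access Rights), the "Exclude" option on list paths removes the chosen records from the response (Additional Conditions), and the "with record limit" option truncates the list. The Guest group and the attribute markers come from the page; the group names Editors, Auditors, Interns and Viewers, the record limit of 2, and the trimmed attribute records are constructed assumptions.

```python
from dataclasses import dataclass, field
from typing import Optional

# The four methods the "Permissions" table always lists for a path.
METHODS = ("GET", "POST", "PUT", "DELETE")

# Path from the page's example request; {marker} is the attribute-set marker.
ATTRIBUTES_PATH = "/api/content/attributes-sets/{marker}/attributes"


@dataclass(frozen=True)
class Right:
    """One access right: a method/path pair plus its options."""
    method: str
    path: str
    allowed: bool = True
    record_limit: Optional[int] = None   # "with record limit" option
    exclusions: frozenset = frozenset()  # markers chosen under "Exclude"
    final: bool = False                  # "Final Permission": children cannot override


@dataclass
class Group:
    """A group in an inheritance chain; a group has at most one parent."""
    name: str
    parent: Optional["Group"] = None
    rights: dict = field(default_factory=dict)

    def grant(self, right: Right) -> None:
        if right.method not in METHODS:
            raise ValueError(f"unknown method {right.method!r}")
        self.rights[(right.method, right.path)] = right


def chain(group: Group) -> list:
    """Return the inheritance chain from the root group down to `group`."""
    groups = []
    while group is not None:
        groups.append(group)
        group = group.parent
    return groups[::-1]


def resolve_rights(group: Group) -> dict:
    """Effective rights: walk root to leaf, letting each child override a
    parent's right for the same method/path unless the parent marked it final."""
    effective = {}
    for g in chain(group):
        for key, right in g.rights.items():
            inherited = effective.get(key)
            if inherited is not None and inherited.final:
                continue  # parent's final permission wins over the child's override
            effective[key] = right
    return effective


def authorize(group: Group, method: str, path: str, records: list):
    """Apply the effective right to a list response.

    Returns None when no right allows the call (the caller answers 403);
    otherwise the records minus excluded markers, cut to the record limit."""
    right = resolve_rights(group).get((method, path))
    if right is None or not right.allowed:
        return None
    visible = [r for r in records if r["marker"] not in right.exclusions]
    if right.record_limit is not None:
        visible = visible[: right.record_limit]
    return visible


# Constructed sample mirroring the markers in the page's two responses.
SAMPLE_ATTRIBUTES = [
    {"type": "image", "marker": "image", "position": 1},
    {"type": "textWithHeader", "marker": "textheader", "position": 4},
    {"type": "image", "marker": "image1", "position": 18},
    {"type": "float", "marker": "price", "position": 19},
]

# Guest may read the list, but "price" was chosen under "Exclude".
guest = Group("Guest")
guest.grant(Right("GET", ATTRIBUTES_PATH, exclusions=frozenset({"price"})))

# Editors (assumed name) inherit from Guest and override the GET right
# without the exclusion, so the price attribute becomes visible.
editors = Group("Editors", parent=guest)
editors.grant(Right("GET", ATTRIBUTES_PATH))

# Auditors (assumed) mark their restriction final; Interns (assumed) try to
# override it and fail, still receiving the list without "price".
auditors = Group("Auditors")
auditors.grant(Right("GET", ATTRIBUTES_PATH, exclusions=frozenset({"price"}), final=True))
interns = Group("Interns", parent=auditors)
interns.grant(Right("GET", ATTRIBUTES_PATH))

# Viewers (assumed) get the "with record limit" variant; 2 is a constructed
# limit so the effect shows on a four-record sample (the page's default is 10).
viewers = Group("Viewers", parent=guest)
viewers.grant(Right("GET", ATTRIBUTES_PATH, record_limit=2))


def visible_markers(group: Group, method: str = "GET", path: str = ATTRIBUTES_PATH):
    """Markers a group receives for the sample list, or None when denied."""
    result = authorize(group, method, path, SAMPLE_ATTRIBUTES)
    return None if result is None else [a["marker"] for a in result]


if __name__ == "__main__":
    for g in (guest, editors, interns, viewers):
        print(f"{g.name:>8}: {visible_markers(g)}")
    print("Guest DELETE:", visible_markers(guest, "DELETE"))
```

Running the block prints the Guest list of three markers and the Editors list of four, reproducing the two responses above; the Interns case shows why a final permission on the parent matters, since the child's broader right is silently ignored rather than applied.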