# Role-Based Access Control Frends uses a flexible and granular Role-Based Access Control (RBAC) system to manage user permissions. You can access the settings through **Administration > User Management** view. ## Available Rules The following rule types, or permission types, are available for setting for each role. | Rule | Explanation | | ---------------- | ---------------------------------------------------------------------------------- | | AllowAction | This rule describes the activities that the user in the role can do. | | DenyAction | This rule describes the activities that the user in the role explicitly cannot do. | | AllowTag | This rule allows the users in the role to only see Processes with a specific Tag. | | DenyTag | This rule explicitly hides the Processes with specified Tags. | | AllowEnvironment | This rule allows the users in the role to only see the Environment given. | | DenyEnvironment | This rule explicitly hides the Environment given for the users in the role. | ## Available Activities The following activities are available for using with **AllowAction** and **DenyAction** rules, to allow or limit access to features in Frends Control Panel. Provided auto-complete feature will also guide you in what is available to use while editing a role. | Activity | Explanation | | ------------------------------ | ---------------------------------------------------------------------------------- | | `*.*` | All permissions | | `*.Admin` | Admin permissions | | `*.Edit` | Edit permissions | | `*.View` | View permissions | | `ApiManagement.*` | APIs - All permissions | | `ApiManagement.View` | APIs - View permissions | | `ApiManagement.Edit` | APIs - Edit permissions | | `ApiMonitoring.*` | API Monitoring - All permissions | | `ApiMonitoring.View` | API Monitoring - View permissions | | `ApiMonitoring.Edit` | API Monitoring - Edit permissions | | `ApiPolicy.*` | API Policies - All permissions | | `ApiPolicy.View` | API Policies - View permissions | | `ApiPolicy.Edit` | API Policies - Edit permissions | | `Process.*` | Process - All permissions | | `Process.View` | Process - View permissions | | `Process.Edit` | Process - Edit permissions | | `Process.Deploy` | Process - Deploy | | `Process.Start` | Process - Run once | | `Process.Admin` | Process - Admin permissions | | `Processinstance.*` | Process Instance - All permissions | | `Processinstance.View` | Process Instance - View permissions | | `Processinstance.Edit` | Process Instance - Edit (terminating and deleting instances, acknowledging errors) | | `Environment.*` | Environment - All permissions | | `Environment.Edit` | Environment - Edit permissions | | `Environment.Admin` | Environment - Admin permissions | | `Task.*` | Task - All permissions | | `Task.View` | Task - View permissions | | `Task.Edit` | Task - Edit permissions | | `MonitoringRules.*` | Monitoring rules - All permissions | | `MonitoringRules.View` | Monitoring rules - View permissions | | `MonitoringRules.Edit` | Monitoring rules - Edit permissions | | `EnvironmentVariables.Edit` | Environment Variables - Edit permissions | | `UserManagement.Admin` | User management - Admin permissions | | `ApiKeyManagement.Admin` | API Keys - Admin permissions | | `ProcessTemplate.*` | Templates - All permissions | | `ProcessTemplate.View` | Templates - View permissions | | `ProcessTemplate.Edit` | Templates - Edit permissions | | `PrivateApplication.*` | Private Applications - All permissions | | `PrivateApplication.View` | Private Applications - View permissions | | `PrivateApplication.Edit` | Private Applications - Edit permissions | | `PrivateApplication.ViewToken` | Private Applications - View token(s) | | `Common.View` | Common View permissions (Required for all users) | ### Activity Wildcards The following wildcards are supported for activities: | Activity Pattern | Explanation | | ---------------- | --------------------------------------------------------- | | `*.*` | Match all activities | | `*.{action}` | Match all actions with the given name in every controller | | `{controller}.*` | Match all actions for the given controller | ## Using Tags for Access Control You can limit the Processes a role can see and access by using Tags and the **AllowTag** and **DenyTag** rules. The rules work the same way as the View actions (allow and deny). For example, if you cannot edit Processes, you cannot edit them even if the Tag would allow you to, as it only allows you to view those Processes, not edit. * If no Tag rules are active for a user, the user can see all Processes. * Wildcards are not supported. * AllowTag rule limits the users in the role to just see and access Processes with the defined Tag. * DenyTags allows the users in the role to access and view all Processes except those that are denied. You cannot use both the AllowTag and the DenyTag rules at the same time, as they would conflict. ## Environment Rules You can limit the Environments users in a role can see and access using the **AllowEnvironment** or **DenyEnvironment** rules. * If no environment rules are active, the user can see all Environments. * Wildcards are not supported. * AllowEnvironment rule limits the users in the role to just see and access the Environments with the defined Environment * DenyEnvironment rule allows the user in the role to see and access all Environments except those that are denied. ## Combining Roles & Rules Each user can have multiple roles given to them. Roles given to a user do not have hierarchy between them. This means that the rules included in each role will be combined. When combining different rules, explicitly allowing specific content using Allow rule will override any rule that denies it. Explicitly targeted rules to named content will also override any rules using wildcards. Order of the content being authorized: * Explicitly allowed content (e.g. Process.Start, View specific Tag or Environment) * Explicitly denied content (e.g. Process.Deploy, View specific Tag or Environment) * Wildcard allowed activity (e.g. Process.\*) * Wildcard denied activity (e.g. \*.Edit) * Full allow wildcards (\*.\*) * Full deny wildcards (\*.\*) ## Default Roles Frends comes with several built-in roles, each with a set of permissions. ### Administrator Allows every action, including user management and all administrative tasks. Default rules for this role: | Type | Rule | | ----------- | -------------------- | | AllowAction | \*.\* | | AllowAction | UserManagement.Admin | ### Editor Allows all edit actions for Processes, APIs and Environment Variables as well as deploying Processes, but access to User Management or editing Environments or Agent Groups. Default rules for this role: | Type | Rule | | ----------- | ----------- | | AllowAction | \*.\* | | AllowAction | Common.View | | DenyAction | \*.Admin | ### Viewer Allows viewing Processes and Environments, but no possibility to edit them. Default rules for this role: | Type | Rule | | ----------- | ------------------------- | | AllowAction | \*.View | | AllowAction | Common.View | | DenyAction | EnvironmentVariables.View | --- # Agent Instructions: Querying This Documentation If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question. Perform an HTTP GET request on the current page URL with the `ask` query parameter: ``` GET https://docs.frends.com/reference/frends-6.1.0/administration/role-based-access-control.md?ask= ``` The question should be specific, self-contained, and written in natural language. The response will contain a direct answer to the question and relevant excerpts and sources from the documentation. Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.