Roles
A role is a group of users within a tenant. Roles can be granted permissions on datasets, which apply to their members. This enables fine-grained access control within organizations and makes it easier to manage permissions for different teams.Role-based permissions — When a role is granted a permission on a dataset, all users assigned to that role inherit that permission.
Role Concept
Roles are created by tenant owners and are scoped to that specific tenant. The role belongs to exactly one tenant as soon as it’s created. Because of that foreign-key link, a role can’t be moved or shared with another tenant; you would need to create a new role under the other tenant instead. Users can be assigned to multiple roles within their tenant, and roles can contain multiple users. This many-to-many relationship allows flexible permission management across teams.Role-Based Permissions
When a role is granted a permission on a dataset, all users assigned to that role inherit that permission. Users receive the union of their direct permissions, tenant-level permissions, and role-level permissions. Roles allow you to create permission groups like “editors” or “viewers” within a tenant, making it easier to manage access for different teams without granting permissions to individual users.Role Model Fields
Role Model Fields
The Role model defines what gets stored in the SQL database. The
roles table contains:id: Unique identifier (UUID primary key, references principals.id)name: Human-readable name (unique within tenant)tenant_id: ID of the tenant this role belongs to (required)
Role Creation
Role Creation
create_role(role_name, owner_id): Creates a new role (tenant owner only)add_user_to_role(user_id, role_id, owner_id): Assigns a user to a role (tenant owner only)
Limitations
Limitations
- Roles are tenant-scoped and cannot cross tenants
- API endpoints for role management
Role Management
Tenant owners can:- Create roles within their tenant
- Assign users to roles
- Remove users from roles
- Grant permissions to roles
- Delete roles (when no longer needed)
Common Role Patterns
Roles are typically organized around job functions or responsibilities:- Editors — Can modify content and run cognify operations
- Viewers — Can only read and search data
- Administrators — Can manage permissions and users
- Project Managers — Can access specific project datasets
- Reviewers — Can read and provide feedback on content
Permission Inheritance Hierarchy
Users receive permissions through a three-level hierarchy:- Direct permissions — Explicitly granted to the user
- Role permissions — Inherited through role memberships
- Tenant permissions — Inherited through tenant membership
Best Practices
- Create meaningful role names — Use descriptive names that reflect the role’s purpose
- Keep roles focused — Each role should have a clear, specific purpose
- Regular role reviews — Periodically review and update role assignments
- Document role purposes — Keep clear documentation of what each role is for
- Principle of least privilege — Grant only the minimum permissions necessary
Role vs Tenant Permissions
- Tenant permissions — Broad, organization-wide access
- Role permissions — Specific, team-based access within the tenant
- Direct permissions — Individual, user-specific access