Roles and permissions
Canopy uses a Role-Based Access Control (RBAC) system, and also sets a number of predefined global roles.
Global Roles
Canopy defines a number of global roles to make permission management easier within the system. The system-defined roles are as follows:
| Role name | Default Permissions | Description |
|---|---|---|
| Administrators | | This is the global administrator. This user can perform any action on the system and access any object, i.e. no restrictions. However, the admin's activities are logged. |
| Technical Managers | | A Technical Manager is a user role that is one step down from an administrator. They are able to perform practically all operations on the system, with the exception of administration-level actions (e.g. user management). |
| Senior Analysts | | A Senior Analyst is a trusted user within the system who can perform key operations, including KB management and project creation. By default, these users can also view (read-only) clients and methodologies. |
| Analysts | | An Analyst has a reduced set of permissions and must be explicitly granted access to a client, opportunity or project before they can work on anything. They are allowed to create KB findings and comment on them. |
| Sales Managers | | A special admin-like user for managing clients, opportunities and their related templates. However, this user has limited access to projects and other technical content. |
| Account Managers | | A user for managing clients and opportunities. No default access to projects is assigned, but the user has access to all companies and opportunities they create. |
| Peer Reviewer | Special permissions assigned for a short lifetime (as needed) for modifying a specific report and commenting on it. | These permissions are assigned based on the workflow engine. |
| Quality Assurer | Special permissions assigned for a short lifetime (as needed) for modifying a specific report and commenting on it. | These permissions are assigned based on the workflow engine. |
A number of additional roles will be included in the next iteration of Canopy, including a low-privilege user role and a KB admin role.
Object Roles
There are currently three main objects for assigning user access, outside of the global roles. These are:
- Clients
- Opportunities
- Projects
The following screenshot shows an example of the User Access management interface that is part of the Edit Client dialogue. The default permissions for all client objects are listed in italic.
It is possible to add users with additional access. Groups cannot be added at the moment.
Permissions are grouped into a simple set of roles on each object, which are:
- Read-only: A read-only role.
- Write: If available, this allows for the content of the object to be managed, but does not allow control over assigning access or deleting.
- Admin: Perform any operation.
The specific instances of these roles on their corresponding objects are explained next.
Client
Clients were historically referred to as Companies and the Canopy API and backend still reflect this.
| Role | Permissions | Description |
|---|---|---|
| Read-only | | Read-only access to a client. |
| Admin | | Manage the content and access control of a client. |
Opportunity
| Role | Permissions | Description |
|---|---|---|
| Read-only | | Read-only access to an opportunity. |
| Write | | Manage content associated with an opportunity. However, the structure of the opportunity cannot be changed (e.g. add more phase scopes). |
| Admin | | Manage the structure, content and access control of an opportunity. |
Project
| Role | Permissions | Description |
|---|---|---|
| Read-only | | This is a read-only role. No editing can be performed by a user with this role. |
| Write | | Manage content associated with an opportunity. However, the structure of the opportunity cannot be changed (e.g. add more phases). |
| Admin | | Manage the structure, content and access control of an opportunity. |
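
The object roles above can be modelled as a small access check. This is an added illustration, not Canopy's code or API: the action names, the `AccessList` class and `is_allowed` are hypothetical, and only the Administrators rule, the Senior Analyst client default and explicit grants are modelled (the default permissions of the other global roles are not).

```python
from dataclasses import dataclass, field

# Actions per object role, following the role descriptions on this page.
# The action names are hypothetical labels, not Canopy permission identifiers.
ROLE_ACTIONS = {
    "read-only": {"read"},
    "write": {"read", "edit_content"},
    "admin": {"read", "edit_content", "edit_structure", "manage_access", "delete"},
}
# Clients offer only Read-only and Admin; opportunities and projects add Write.
ROLES_BY_OBJECT = {
    "client": {"read-only", "admin"},
    "opportunity": {"read-only", "write", "admin"},
    "project": {"read-only", "write", "admin"},
}
# Senior Analysts can view clients read-only by default.
DEFAULT_OBJECT_ROLE = {("Senior Analysts", "client"): "read-only"}

audit_log = []  # Administrators are unrestricted, but their activity is logged


@dataclass
class AccessList:
    object_type: str
    grants: dict = field(default_factory=dict)  # username -> object role

    def grant(self, user, role):
        # Reject roles the object type does not offer (e.g. Write on a client).
        if role not in ROLES_BY_OBJECT[self.object_type]:
            raise ValueError(f"{role!r} is not offered on {self.object_type} objects")
        self.grants[user] = role


def is_allowed(user, global_role, action, acl):
    if global_role == "Administrators":
        audit_log.append((user, action, acl.object_type))
        return True
    # Assumption: an explicit grant on the object overrides a global-role default.
    role = acl.grants.get(user) or DEFAULT_OBJECT_ROLE.get((global_role, acl.object_type))
    return role is not None and action in ROLE_ACTIONS[role]


if __name__ == "__main__":
    project = AccessList("project")
    project.grant("alice", "write")  # constructed sample user
    print(is_allowed("alice", "Analysts", "edit_content", project))
    print(is_allowed("alice", "Analysts", "manage_access", project))
    print(is_allowed("bob", "Analysts", "read", project))
```

An Analyst with no grant is denied everything, which matches the requirement that Analysts be explicitly granted access before working on a client, opportunity or project.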