Role Based Access Control

Introduction

There are two role based approaches

  1. The Default, Project based approach
  2. Custom Roles

The default is to determine access for each project.
Custom roles allow you to determine access per object, per user, and more advanced schemes.

Custom Roles

For advanced roles see:
Custom Roles Tutorial
Custom Roles API

Project Roles

Add user

  • Click Share in top right or go to project /settings
    If they have a Diffgram account they will be instantly added to the project and receive an email alerting them. If they don't have a Diffgram account they will receive an email with an invite to create a new account.

Revoking / removing

Requires: admin permission.
Project / Settings

  • Select the users (or api keys)
  • Click remove
914

Project Scope

Almost every action in the system in some way revolves around the project, either directly, or as a cascading permission. A project also controls permissions for users, files, and jobs.

The act of creating a new project is basically an empty shell, and as you work with Diffgram more and more will be added and changed to it.

Your project_string_id is used in API calls, do not include sensitive information in it.
After creating the project you can change the nickname if you wish, however the project_string_id cannot be changed. Project scope is inspired by the Google Cloud project scope.

Each project is independent.
By default, a user can see no projects.

  • They can see any project they are added to.
  • Removal from project A does not affect project B

Project Roles

Admin

  • Add other admin users

Editor

  • Read, Write access to project

Viewer

  • Read only access

Granular Permissions

Accessing the project is just the most basic level of permission.

You can further assign specific users to specific task groups within a project.

View Existing Users

Go to project settings
Project Settings Navigation

Remove a User

Go to project settings
Project Settings Navigation

Select a user and click remove.