RBAC roles
RBAC lets admins restrict the pages a specific end-user can view and how those pages are populated. Application tagging is intertwined with RBAC. While it is possible to use RBAC without defining application tags, its usefulness is limited. See What is tagging? if you are not familiar with the concept of tagging and how to generate tags for Unravel to use.
The end-user's access is restricted based upon three factors:
Tags for the end-user
You can create tags for:
Applications - See Tagging applications.
Workflows - See Tagging workflows.
End-users are then associated with the tags via LDAP or SAML. See com.unraveldata.login.mode.
When RBAC is turned on, an end-user's view is filtered based upon their tags. For instance, if a user only has the defined tag dept:marketing, they can only see applications tagged with dept:marketing.
Unravel default tag
com.unraveldata.rbac.default is always used to filter the end-user's view. It is set to Username by default.
Mode
com.unraveldata.ngui.user.mode
extended - a user can access
restricted - a user can only access Application > Application
What the end-user sees when RBAC is turned on
The available pages (as defined by com.unraveldata.ngui.user.mode) display applications contained in:
(filtered end-user tags) ∪ (filtered by com.unraveldata.rbac.default)
Note
If com.unraveldata.rbac.default is not set and an end-user has no tags, the viewable pages are unpopulated (blank).
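The union above can be modeled offline to review what each end-user would see before RBAC is turned on. This is an added example, not Unravel code: the App class, visible_apps and audit are hypothetical names, the sample data is constructed, and it assumes the Username default matches applications run by that user.

```python
# Added model of the RBAC view filter; not Unravel code. All names are hypothetical.
from dataclasses import dataclass


@dataclass(frozen=True)
class App:
    app_id: str
    username: str                    # user who ran the application
    tags: frozenset = frozenset()    # e.g. {"dept:marketing"}


def visible_apps(apps, user, user_tags, rbac_default="Username"):
    """Return ids of apps shown to `user`: (tag matches) | (default-tag matches).

    rbac_default models com.unraveldata.rbac.default; None means "not set".
    Only the "Username" default is modeled (assumption).
    """
    by_tags = {a.app_id for a in apps if a.tags & set(user_tags)}
    by_default = set()
    if rbac_default == "Username":
        by_default = {a.app_id for a in apps if a.username == user}
    return by_tags | by_default


def audit(apps, users, rbac_default="Username"):
    """Map each user to their visible app ids and list users with a blank view."""
    views = {u: visible_apps(apps, u, t, rbac_default) for u, t in users.items()}
    blank = sorted(u for u, v in views.items() if not v)
    return views, blank


# Constructed sample data: application tags and the tags each end-user
# would receive from LDAP or SAML.
APPS = [
    App("app-1", "alice", frozenset({"dept:marketing"})),
    App("app-2", "bob", frozenset({"dept:finance"})),
    App("app-3", "carol"),
    App("app-4", "bob", frozenset({"dept:marketing"})),
]
USERS = {"alice": {"dept:marketing"}, "bob": set(), "carol": {"dept:finance"}}

if __name__ == "__main__":
    for default in ("Username", None):
        views, blank = audit(APPS, USERS, default)
        print("default =", default)
        for user, ids in views.items():
            print("  ", user, sorted(ids))
        print("   blank views:", blank)
```

Because the two filters are combined by union, carol sees her own untagged app-3 in addition to the dept:finance application, and bob's view goes blank only when the default tag is not set.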
How to exempt an end-user from RBAC
To exempt an end-user from RBAC, you must make them a read-only admin.