Authorization
Authorization is the process of granting an authenticated party the ability to do or access something. Ideally, users of a system should only be able to access the parts of it that pertain to their specific functions. This is important for data protection, error reduction, and compliance with relevant policies and laws.
Authorization ("I'm allowed to do what I'm trying to do") is distinct from authentication ("I am who I say I am"). We have a separate page regarding authentication in Crystallize.
Crystallize uses role-based access control (RBAC) for determining what a user may do or access within a given tenant. Each user is assigned one role per tenant. There are two types of roles: built-in and custom.
Tenant Admin is a built-in role that is automatically assigned to the first user who creates a tenant. When the tenant gains additional users, the Tenant Admin role can be assigned to them as well.
A Tenant Admin receives all permissions, and can:
- Read, create, update, and delete everything
- Access the Usage, Users, Roles, Billing & Payments, and API Access screens in the Crystallize App
- Invite users to the tenant
- Create custom roles
- Assign roles to other users
- Copy tenants
- Read signature secrets
The Tenant Admin role can't be deleted, and its permissions can't be changed. Also note that Tenant Admins cannot be assigned a different role later.
Custom roles can be created per user requirements and can be updated or deleted when needed. It's possible to have different roles for content editors, order processors, and other people in your organization that will allow them to focus on the parts of each tenant that are relevant to them.
Someone with the appropriate permissions (such as a Tenant Admin) can use the Core API or Crystallize App to manage user roles and permissions.
Here's what you need to know about permissions:
- Resources. Permissions are applied based on resources such as the catalogue, topics, grids, and assets.
- Dependencies. Some resources depend upon other resources. For instance, the catalogue depends on shapes. Thus, you'll be asked to allow certain permissions for the dependent resources before enabling permissions for these resources.
- Conditional Access. The permissions system can be further fine-tuned by setting conditional access. For now, it's available only for the catalogue. Conditional access for the catalogue allows you to make only certain catalogue items available for a given role, and sets the languages in which the role can work with these items.
- Editorial Settings. These are a special set of rules that only affect the Crystallize App (UI) and have no effect on the API. They allow, for instance, for a given role to see/modify only a certain set of price variants within the UI. Editorial settings are not permissions, and they should not be used as such.
When additional users are invited to a tenant, they can be assigned a Tenant Admin or custom role within that tenant. Users who are invited to a tenant without being assigned a role will be given a default "user" role that they will have until someone with the appropriate permissions assigns them a new role.