Access Control
Tacnode implements a sophisticated access control system that separates users (authentication) from roles (authorization) to provide flexible and secure permission management.

Core Concepts
Users
Purpose: Authentication and platform login
- Registration: Email-based account creation
- Access: Login to both platform and database instances
- Identity: Unique identifier for system access
Roles
Purpose: Authorization and permission management
- Definition: Collection of operation permissions for specific resources
- Scope: Resource-specific access control
- Inheritance: Supports hierarchical permission structures
Role Architecture
Permission Structure
Roles define specific permissions for resource objects. For example, an admin role for contract dc00000001 includes:
- Read permissions for contract data
- Write permissions for contract modifications
- Update permissions for contract settings

Role Inheritance
Roles support hierarchical permission management through inheritance:
- Viewer Role: Read-only permissions
- Admin Role: Read + Write permissions (inherits Viewer)
- Super Admin: Full permissions (inherits Admin)

Inheritance Benefits: Simplifies permission management by building complex roles from simpler ones.
Contract Role Management
The contract permission system provides comprehensive role management capabilities:
Available Contract Roles
| Role | Scope | Permissions | 
|---|---|---|
| admin@{id}.contracts | Full Contract Administration | Complete contract management including user role assignment and all inherited permissions | 
| viewer@{id}.contracts | Read-Only Access | View contract information without modification rights | 
| dc_creator@{id}.contracts | Data Cloud Management | Create and delete Data Cloud resources, includes viewer permissions | 
| billing_admin@{id}.contracts | Billing Administration | Full billing management capabilities, includes billing viewer permissions | 
| billing_viewer@{id}.contracts | Billing Visibility | View billing information and contract details, includes viewer permissions | 
Role Naming Convention: Format is ShortName@Resource.type where ShortName is the role identifier and Resource indicates the target resource.
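For an access review, the sketch below parses role names in the ShortName@Resource.type format and expands each direct assignment into the roles it inherits according to the table above. It is an added example, not Tacnode code or a Tacnode API: the function names and the sample assignments are constructed, and the set of roles that admin inherits is an assumption because the page does not list it.

```python
import re

# Inheritance as stated in the role table. What admin inherits is not listed on
# the page; inheriting every other contract role here is an assumption.
PARENTS = {
    "viewer": [],
    "billing_viewer": ["viewer"],
    "billing_admin": ["billing_viewer"],
    "dc_creator": ["viewer"],
    "admin": ["dc_creator", "billing_admin"],  # assumption
}
ROLE_RE = re.compile(r"^(?P<short>[a-z_]+)@(?P<resource>[^.@\s]+)\.(?P<type>[a-z_]+)$")

def parse_role(name):
    """Split 'ShortName@Resource.type' into (short_name, resource, type)."""
    m = ROLE_RE.match(name)
    if not m:
        raise ValueError(f"not a ShortName@Resource.type role: {name!r}")
    return m["short"], m["resource"], m["type"]

def effective_roles(short_name):
    """Return the role plus every role it inherits, transitively."""
    if short_name not in PARENTS:
        raise ValueError(f"unknown contract role: {short_name!r}")
    seen, stack = set(), [short_name]
    while stack:
        role = stack.pop()
        if role not in seen:
            seen.add(role)
            stack.extend(PARENTS[role])
    return seen

def review(assignments):
    """Map (user, resource) to effective role names from direct assignments."""
    result = {}
    for user, role_name in assignments:
        short, resource, _ = parse_role(role_name)
        result.setdefault((user, resource), set()).update(effective_roles(short))
    return result

# Constructed sample: direct assignments as (email, role name) pairs.
SAMPLE = [
    ("alice@example.com", "billing_admin@dc00000001.contracts"),
    ("bob@example.com", "dc_creator@dc00000001.contracts"),
    ("bob@example.com", "billing_viewer@dc00000001.contracts"),
]

if __name__ == "__main__":
    for (user, contract), roles in sorted(review(SAMPLE).items()):
        print(user, contract, sorted(roles))
```

The expanded sets make visible what a single grant carries with it, for instance that a billing_admin assignment also confers billing_viewer and viewer.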
Access Permission Management
Navigate to contract permissions through: Dashboard → Contract → [Contract ID] → Permission Management

Role Hierarchy Visualization
View the complete role relationship structure for your contract:

This tree view shows inheritance relationships and permission dependencies between roles.
Managing Contract Users
User Role Assignment Interface

Adding Users to Roles
- Navigate to Permissions
  - Go to Contract → [Specific Contract] → Permission Management
- Authorize User
  - Click "Authorize User" next to the target role
  - Enter the user's email address in the dialog
  - Click "OK" to complete assignment
- Verification
  - User appears in the role member list
  - User gains role permissions immediately
Removing Users from Roles
- Access Role Management
  - Open Contract → [Specific Contract] → Permission Management
- Remove User
  - Click the red "×" icon next to the user's name
  - Confirm removal in the dialog box
  - Click "OK" to complete removal
- Effect
  - User loses role permissions immediately
  - Access to role-protected resources is revoked
Permission Changes: Role modifications take effect immediately. Ensure users have appropriate access before making changes.