# Roles

Zenskar employs a mix of [role-based access control (RBAC)](https://auth0.com/docs/manage-users/access-control/rbac) and permission-based access control for **authorization**. Authentication and authorization are often confused, but they answer different questions:

| **Authentication**                                                                                                                          | **Authorization**                                                                             |
| ------------------------------------------------------------------------------------------------------------------------------------------- | --------------------------------------------------------------------------------------------- |
| Are you who you claim to be?                                                                                                                | Are you allowed to do what you are trying to do?                                              |
| You are challenged to validate your credentials through mechanisms such as password verification, fingerprint matching, facial recognition. | You are provided access to a resource through policies and rules created by an administrator. |
| Generally governed by the OpenID Connect (OIDC) protocol.                                                                                   | Generally governed by the OAuth 2.0 framework.                                                |

In summary, access to a resource is protected by both authentication and authorization: you have to prove your identity and also hold the appropriate permissions before you can interact with the resource.

<Image align="center" src="https://files.readme.io/2743616-Drawing_2023-10-03_12.58.19.excalidraw.png" />

Important concepts are summarized in the table below:

| Authorization object | Description                                                                                                                               |
| -------------------- | ----------------------------------------------------------------------------------------------------------------------------------------- |
| Permissions          | Sets of permitted verbs (or actions) on a set of resources. In Zenskar, `Read`, `Write`, `Delete`, and `Approve` are the verbs available. |
| Roles                | Collections of permissions. You can bind (or assign) users to a role.                                                                     |
| Bindings             | Associations of a user with a role.                                                                                                       |

## How to add a new role?

1. Click on the named drop-up menu located at the bottom of the side panel, and click on **Roles**.
2. Click on the **+ ADD NEW ROLE** button.
3. Enter the new role name.
4. Grant required permissions to the role by selecting permissions from the **AVAILABLE PERMISSIONS** list and adding them to the **GRANTED PERMISSIONS** list.
5. Click **ADD ROLE**.

> 🚧 Choose all permissions
>
> The option to choose all permissions must be used with caution: every user bound to such a role gets unrestricted access to every resource.

<Image align="center" className="border" border={true} src="https://files.readme.io/0086c80-Screenshot_from_2024-04-01_14-25-59.png" />

### Available permissions

The permissions are of the form:

* Can Read \<RESOURCE>
* Can Write \<RESOURCE>
* Can Delete \<RESOURCE>

> 📖 Can Approve \<RESOURCE> permission
>
> There is also a **Can Approve \<RESOURCE>** permission, which applies only to invoices.

| Resource        |
| :-------------- |
| Accounting      |
| Aggregate       |
| Analytics       |
| Contract        |
| Credit Notes    |
| Customer        |
| Data Sources    |
| Integrations    |
| Invoices        |
| Jobs            |
| Monitors        |
| Payments        |
| Payment Methods |
| Product         |
| Raw Metric      |
| Roles           |
| Template        |
| Triggers        |
| User            |

## How to update a role?

1. Click on the named drop-up menu located at the bottom of the side panel, and click on **Roles**.
2. From the roles listed on the page, click on the role you wish to edit.
3. Make the necessary edits and click the **UPDATE ROLE** button.

<Image align="center" className="border" border={true} src="https://files.readme.io/0f82f6b-Screenshot_from_2024-04-01_14-25-38.png" />

## How to delete a role?

1. Click on the named drop-up menu located at the bottom of the side panel, and click on **Roles**.
2. Each row on the Roles page has a **kebab menu**. Click the kebab menu of the role you wish to delete and select the delete option.

<Image align="center" className="border" border={true} src="https://files.readme.io/7eeb527-Screenshot_from_2024-04-01_14-27-49.png" />

> 🚧 Caution
>
> A user can be granted more permissions than a role allows. Deleting a role revokes only the permissions the user received through that role; any extra permissions granted to the user directly are retained.
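The following is an added, constructed model of the permission, role and binding concepts summarized earlier on this page, and of the role-deletion behaviour described in the caution above. It is not Zenskar's implementation or API; the class and function names (`Permission`, `AuthzStore`, `is_allowed`, `all_permissions`) are assumptions made for the demonstration. It encodes the page's rules: the four verbs, the resource list, `Approve` being valid only for `Invoices`, deny-by-default checks, and direct grants surviving the deletion of a role.

```python
"""Constructed model of permissions, roles and bindings (not Zenskar's code)."""
from dataclasses import dataclass, field

# Verbs and resources as listed on the page.
VERBS = {"Read", "Write", "Delete", "Approve"}
RESOURCES = {
    "Accounting", "Aggregate", "Analytics", "Contract", "Credit Notes",
    "Customer", "Data Sources", "Integrations", "Invoices", "Jobs",
    "Monitors", "Payments", "Payment Methods", "Product", "Raw Metric",
    "Roles", "Template", "Triggers", "User",
}


@dataclass(frozen=True)
class Permission:
    """One permitted verb on one resource, e.g. Permission("Read", "Invoices")."""
    verb: str
    resource: str

    def __post_init__(self):
        if self.verb not in VERBS:
            raise ValueError(f"unknown verb {self.verb!r}")
        if self.resource not in RESOURCES:
            raise ValueError(f"unknown resource {self.resource!r}")
        # The page states that Approve applies only to invoices.
        if self.verb == "Approve" and self.resource != "Invoices":
            raise ValueError("Approve is only applicable to Invoices")


def all_permissions():
    """Every valid permission: what 'choose all permissions' would grant."""
    perms = {Permission(v, r) for v in ("Read", "Write", "Delete") for r in RESOURCES}
    perms.add(Permission("Approve", "Invoices"))
    return perms


@dataclass
class AuthzStore:
    """Hypothetical store: roles, user-to-role bindings and direct grants."""
    roles: dict = field(default_factory=dict)          # role name -> set[Permission]
    bindings: dict = field(default_factory=dict)       # user -> set[role name]
    direct_grants: dict = field(default_factory=dict)  # user -> set[Permission]

    def add_role(self, name, permissions):
        self.roles[name] = set(permissions)

    def bind(self, user, role):
        if role not in self.roles:
            raise KeyError(f"no such role {role!r}")
        self.bindings.setdefault(user, set()).add(role)

    def grant_direct(self, user, permission):
        """Permission given to the user outside any role."""
        self.direct_grants.setdefault(user, set()).add(permission)

    def delete_role(self, name):
        """Removes the role and its bindings; direct grants are untouched."""
        del self.roles[name]
        for role_names in self.bindings.values():
            role_names.discard(name)

    def effective_permissions(self, user):
        perms = set(self.direct_grants.get(user, ()))
        for role in self.bindings.get(user, ()):
            perms |= self.roles.get(role, set())
        return perms

    def is_allowed(self, user, verb, resource):
        """Deny by default: unknown verb/resource combinations are never allowed."""
        try:
            wanted = Permission(verb, resource)
        except ValueError:
            return False
        return wanted in self.effective_permissions(user)


def demo():
    """Walk through the caution: delete a role, keep the direct grant."""
    store = AuthzStore()
    store.add_role("Billing", {Permission("Read", "Invoices"), Permission("Write", "Invoices")})
    store.bind("alice", "Billing")                              # role-derived permissions
    store.grant_direct("alice", Permission("Approve", "Invoices"))  # extra, direct grant
    before = store.effective_permissions("alice")
    store.delete_role("Billing")
    after = store.effective_permissions("alice")
    return before, after


if __name__ == "__main__":
    before, after = demo()
    print("before deletion:", sorted((p.verb, p.resource) for p in before))
    print("after deletion: ", sorted((p.verb, p.resource) for p in after))
```

Running `demo()` shows three effective permissions before the role is deleted and only the direct `Approve Invoices` grant afterwards, which is why an audit of a user's access should include direct grants and not just role memberships.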
