
Role-based access control for application developers

Restricting access to certain pages in the application based on the user's roles is important. For example, a page that allows users to add other users into certain groups like platform/application, or to remove users, should be accessible only to users with the appropriate roles. This document covers how to limit or grant access to users based on their roles.

Because of this requirement, you can implement Role-Based Access Control to limit access to pages to only users within certain roles.

This is achieved by assigning roles to pages: use the UiSdlRoute metadata and add a role ID to the seeded metadata.

Note that this page-to-role association can only be performed at development time. In contrast, users may be associated with roles (through the UserGroup Type) at runtime.

Arranging the Role hierarchy

In the C3 Agentic AI Platform, roles may be arranged in a hierarchical structure, as the Role Type may itself have other roles as children. Application developers are encouraged to make use of this capability, as it leverages the C3 AI Platform native capability for the reverse inheritance of permissions and resources.

To provide more detail here, consider the example of resources at a bank, and three different roles of bank employees:

- Bank Manager - Oversees bank operations. Has access to teller cash boxes, as well as the main vault
- Bank Teller - Direct customer service. Has access to teller cash boxes
- Custodian - Cleans the bank. Has access to the utility closet

You can see that the Bank Manager and Bank Teller have some overlapping responsibilities, while the Custodian has separate, non-overlapping responsibilities. This tells you that the Bank Manager and Bank Teller should have a parent-child relationship, while the Custodian should have its own separate role.

The way to model this from the C3 AI perspective is to nest the roles accordingly. Child roles have lesser privileges than parent roles. Parent roles inherit the capabilities of their child roles. Note that this is the inverse of the typical inheritance relationship in object-oriented methodologies, where children inherit the capabilities of their parents.

- C3.Role.BankManager - Has access to teller boxes and vault
  - C3.Role.BankTeller - Has access to teller boxes

- C3.Role.Custodian - Has access to utility closet

Roles and routes

Our implementation provides the capability to assign a single role to a route using UiSdlRoute metadata. It is important to ensure the routes and roles are set up to allow for the most efficient use of the platform, while limiting the access to routes as desired for the application. An example using the C3 AI base application ESG follows.

Scenario and current design

Assume the application PM specifies that the application has two roles:

  • Chief Sustainability Officer (CSO)
  • Analyst

And three pages:

  • Dashboard (accessible to both CSO and Analyst)
  • Projects (accessible to CSO, but not Analyst)
  • Analysis (accessible to Analyst, but not CSO)

The proposed implementation is as follows:

Create one role for each page. This role should enumerate its permissions such that a user with access to the page is able to request all the required data for that page.

- c3.ESG.Dashboard, with permissions allow:DashboardMetrics::*, ...
- c3.ESG.Projects, with permissions allow:Project::*
- c3.ESG.Analysis, with permissions allow:AirQuality::*, allow:SustainabilityMetrics::*

Create one role for each persona defined by the PM:

- c3.ESG.CSO
- c3.ESG.Analyst

Associate page roles to persona roles (using a child-parent relationship). In this case, based on requirement #1 from the PM, c3.ESG.Dashboard should be a sub-role of both c3.ESG.CSO and c3.ESG.Analyst. Only the CSO should have access to the Projects page, and only the Analyst should have access to the Analysis page.

The roles would be structured as follows:

- c3.ESG.CSO
  - c3.ESG.Dashboard
  - c3.ESG.Projects
- c3.ESG.Analyst
  - c3.ESG.Dashboard
  - c3.ESG.Analysis

Finally, associate the specified routes with the proper page roles:

UiSdlRoute.csv

name,targetModuleName,targetModulePage,urlPath,role
Dashboard,ESG,Dashboard,/dashboard,c3.ESG.Dashboard
Projects,ESG,Projects,/projects,c3.ESG.Projects
Analysis,ESG,Analysis,/analysis,c3.ESG.Analysis
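
Before seeding, the role hierarchy and route table above can be checked against the PM's access matrix. The following is an added example, not C3 AI platform code: it calls no platform API and models the hierarchy as a plain Python dict, and the names `CHILDREN`, `EXPECTED`, `effective_roles` and `audit` are hypothetical.

```python
import csv
import io

# Parent role -> child roles, from the ESG example. A parent inherits the
# access of its children (reverse inheritance). Plain-dict model, an assumption.
CHILDREN = {
    "c3.ESG.CSO": ["c3.ESG.Dashboard", "c3.ESG.Projects"],
    "c3.ESG.Analyst": ["c3.ESG.Dashboard", "c3.ESG.Analysis"],
    "c3.ESG.Dashboard": [], "c3.ESG.Projects": [], "c3.ESG.Analysis": [],
}
# UiSdlRoute.csv content as shown on the page.
ROUTES_CSV = """name,targetModuleName,targetModulePage,urlPath,role
Dashboard,ESG,Dashboard,/dashboard,c3.ESG.Dashboard
Projects,ESG,Projects,/projects,c3.ESG.Projects
Analysis,ESG,Analysis,/analysis,c3.ESG.Analysis
"""
# Persona role -> URL paths it may reach, from the PM's requirements.
EXPECTED = {
    "c3.ESG.CSO": {"/dashboard", "/projects"},
    "c3.ESG.Analyst": {"/dashboard", "/analysis"},
}

def effective_roles(role, children):
    """Return the role plus every descendant role; cycles do not loop forever."""
    seen, stack = set(), [role]
    while stack:
        current = stack.pop()
        if current not in seen:
            seen.add(current)
            stack.extend(children.get(current, []))
    return seen

def audit(children, routes_csv, expected):
    """Return a list of findings; an empty list means the data matches."""
    routes = list(csv.DictReader(io.StringIO(routes_csv)))
    # A route whose role is not in the hierarchy is usually a typo in the CSV.
    findings = [f"{r['urlPath']}: unknown role {r['role']!r}"
                for r in routes if r["role"] not in children]
    for persona, wanted in expected.items():
        held = effective_roles(persona, children)
        actual = {r["urlPath"] for r in routes if r["role"] in held}
        for path in sorted(actual - wanted):
            findings.append(f"{persona}: unexpected access to {path}")
        for path in sorted(wanted - actual):
            findings.append(f"{persona}: missing access to {path}")
    return findings

if __name__ == "__main__":
    print(audit(CHILDREN, ROUTES_CSV, EXPECTED) or "seed data matches requirements")
```
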