Users and Roles Explained
The Congrid system has two entities for user and access-right management: users and roles. These entities have different purposes but are related to each other. A user always has exactly one user account but can have many roles.
The user entity describes the details of a user account, for example the email address and name of the user. Additionally, all objects that the user generates with the Congrid system are associated with the user account.
The role entity, on the other hand, specifies the access rights in the Congrid system. Hence a user can have multiple different roles in the system. Roles can be system specific, company specific or project specific.
The API does NOT expose any end-point to access the user data in the system. It only exposes end-points to modify the roles.
Because a user can have access to projects from different companies, all actions performed on roles through the API are limited to those that are somehow related to the company of the API user.
Congrid also supports handling of user roles through Active Directory.
Let's consider, for example, the following scenario:
- User Bob is working for Builders Ltd
- Project A (owned by Acorp) invites Bob as a subcontractor for the project -> Bob gets access to project A
- Project B (owned by Builders Ltd) invites Bob as a main contractor for the project -> Bob gets access to project B
Now Bob has access to two different projects from two different companies (Acorp and Builders Ltd). As a result the following actions are available for the API users of the different companies:
API users of Acorp:
- Can modify Bob's roles for project A
- Can invite Bob for any other project owned by Acorp
- Can NOT remove Bob's role for Project B

API users of Builders Ltd:
- Can modify Bob's roles for project B
- Can invite Bob for any other project owned by Builders Ltd
- Can NOT remove Bob's role for Project A
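The scoping rule from the scenario, modelled as an added example (this is not Congrid's code or API): every role action is authorized against the company that owns the target project, so Builders Ltd cannot touch Bob's role on project A even though Bob works for Builders Ltd. It assumes "related to the company" means project ownership, as in the scenario; `RoleStore`, `attempt`, `run_scenario`, project C and the role name "site manager" are hypothetical.

```python
# Constructed data mirroring the scenario; project C and "site manager" are hypothetical.
PROJECT_OWNER = {"A": "Acorp", "B": "Builders Ltd", "C": "Acorp"}

class RoleStore:
    def __init__(self):
        self.roles = {}  # hypothetical in-memory model: (user, project) -> role

    def _authorize(self, api_company, project):
        # Assumption: an action is in scope when the API user's company owns the
        # target project. The target user's employer plays no part in the check.
        owner = PROJECT_OWNER.get(project)
        if owner is None or owner != api_company:
            raise PermissionError("project not available to this API user")

    def invite(self, api_company, user, project, role):
        self._authorize(api_company, project)
        self.roles[(user, project)] = role

    def modify(self, api_company, user, project, role):
        self._authorize(api_company, project)
        if (user, project) not in self.roles:
            raise KeyError("user has no role on this project")
        self.roles[(user, project)] = role

    def remove(self, api_company, user, project):
        self._authorize(api_company, project)
        del self.roles[(user, project)]

def attempt(action, *args):
    """Run one role action; report whether the scope check let it through."""
    try:
        action(*args)
        return "ok"
    except PermissionError:
        return "denied"

def run_scenario():
    s = RoleStore()
    results = {
        "acorp_invite_A": attempt(s.invite, "Acorp", "bob", "A", "subcontractor"),
        "builders_invite_B": attempt(s.invite, "Builders Ltd", "bob", "B", "main contractor"),
        "acorp_modify_A": attempt(s.modify, "Acorp", "bob", "A", "site manager"),
        "acorp_invite_C": attempt(s.invite, "Acorp", "bob", "C", "subcontractor"),
        "acorp_remove_B": attempt(s.remove, "Acorp", "bob", "B"),
        "builders_modify_B": attempt(s.modify, "Builders Ltd", "bob", "B", "site manager"),
        "builders_remove_A": attempt(s.remove, "Builders Ltd", "bob", "A"),
    }
    return results, s.roles

print(run_scenario()[0])
```

Unknown and foreign projects raise the same error, so a caller cannot use the response to learn which project identifiers exist in other companies.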