
Conversation

camrrx
Member

@camrrx camrrx commented Sep 8, 2025

Proposed changes

  • adding user documentation for the new RBAC system

Related issues

@camrrx camrrx requested a review from jborozco September 8, 2025 12:41
@heditar
Contributor

heditar commented Sep 10, 2025

Good job with the documentation, I think all the information is here. I think we can do better with the intro but I think JB can write that part. Also a question: should we mention the fact that we are removing auto grants?

@@ -0,0 +1 @@
# User permissions ## What is RBACRole-Based Access Control (RBAC) is the way OpenAEV manages who can do what inside the platform. Each user belongs to a group, and this group has one or more roles that define its **permissions**.Permissions determine what features a user can access. If a user does not have the right permission, the option will simply not be available to them.In addition to general permissions (called *capabilities*), OpenAEV also supports **grants**. Grants are more precise: they allow access to a specific resource, such as one particular simulation, without giving the user access to all simulations.---## How to create a roleTo create a new role in OpenAEV:1. Go to **Settings → Security → Roles**.2. Click on **Create role**. Enter a **name** and an optional **description** for the role (e.g. "Platform role") ![Create role](assets/create-role.png)3. Select the **capabilities** that should be included in this role, such as: - Access assets - Manage dashboards - Delete documents - ... > **Note:** if you check a capability with **Delete**, the corresponding **Manage** and **Access** permissions will automatically be selected as well. This is because it is not possible to delete something without first being able to access and manage it. ![Select capabilities](assets/select-capabilities.png)4. Save the role.> **Note:** If you want a user to automatically have all capabilities without restriction, you can enable the **Bypass** capability in their role.Once the role is created, it can be assigned to a **group**. All users in that group will automatically inherit the role’s permissions.---## How to assign a role to a userIn OpenAEV, roles are not assigned directly to users. Instead, they are linked through **groups**.1. Go to **Settings → Security → Groups**.2. Create a group. 3. In the group options, assign: - One or more **roles** (defining the capabilities for this group). - One or more **users** (who will inherit the group’s roles). 
![Select capabilities](assets/manage-group.png)---## Grants### How to grant a simulation to a userBeyond global **capabilities** defined in roles, OpenAEV also allows assigning more precise **grants**. Grants define permissions on specific resources (for example, one simulation), and they are always managed at the **group** level.**To grant a simulation to a user:**1. Go to **Settings → Security → Groups**.2. Click on **Manage grants** in the group options.3. A drawer will open with the available resources: - Simulations - Scenarios - Atomic testings - Payloads4. Select the specific items you want the group to access and assign the appropriate grant level. ![Manage grants](assets/manage-grants.png)---### Special Cases- **Simulations, Scenarios, and Atomic Testing** - A user can access these either through specific **grants**, or globally if the group has the **ASSESSMENT** capability (which overrides individual grants).- **Payloads** - Access is given either through specific **grants**, or globally if the group has the **PAYLOAD** capability.---### Types of GrantsThere are three levels of granularity:| Grant | Rights included ||---------|-------------------------------------------|| Access | View only || Manage | View, edit, delete || Launch | Manage rights + ability to launch tests |---## Default Read AccessSome elements in OpenAEV are always visible to all users, regardless of their assigned capabilities or grants. By default, the following features are open for everyone:- **Teams**- **Players**- **Taxonomies** (in the Settings)Users can view these elements without needing any specific capability, but additional rights are required if they want to manage them.---## Capability DependenciesIn some cases, performing an action in OpenAEV requires more than one capability. 
If a required capability is missing, the action will be blocked and a warning message will explain which capability is missing.### Example- In **Scenarios**, when creating an article, the user also needs the capability to **access Channels**.- If the user does not have this capability, the article cannot be created.- A warning will be displayed, indicating that the necessary capability is missing. ![Missing capability](assets/warning-missing-capabilities.png)This mechanism ensures consistency across the platform: actions that depend on other features cannot be performed without the proper access.
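Review bot: in the Special Cases list, "the ASSESSMENT capability (which overrides individual grants)" leaves the effective right ambiguous: the Types of Grants table defines three levels (Access, Manage, Launch), but the text never says which level a group holding the ASSESSMENT capability (or PAYLOAD, for payloads) effectively has on every resource. State it plainly, for example "a group with the ASSESSMENT capability has Launch-level rights on all simulations, scenarios and atomic tests, so per-resource grants are not needed for it", with whichever level is actually correct. The Bypass note has the same gap: "all capabilities without restriction" should say whether Bypass also covers grants, since readers will use that sentence to decide which groups may hold it.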
Contributor


(which overrides individual grants

not sure we should say it overrides

@@ -0,0 +1 @@
# User permissions ## What is RBACRole-Based Access Control (RBAC) is the way OpenAEV manages who can do what inside the platform. Each user belongs to a group, and this group has one or more roles that define its **permissions**.Permissions determine what features a user can access. If a user does not have the right permission, the option will simply not be available to them.In addition to general permissions (called *capabilities*), OpenAEV also supports **grants**. Grants are more precise: they allow access to a specific resource, such as one particular simulation, without giving the user access to all simulations.---## How to create a roleTo create a new role in OpenAEV:1. Go to **Settings → Security → Roles**.2. Click on **Create role**. Enter a **name** and an optional **description** for the role (e.g. "Platform role") ![Create role](assets/create-role.png)3. Select the **capabilities** that should be included in this role, such as: - Access assets - Manage dashboards - Delete documents - ... > **Note:** if you check a capability with **Delete**, the corresponding **Manage** and **Access** permissions will automatically be selected as well. This is because it is not possible to delete something without first being able to access and manage it. ![Select capabilities](assets/select-capabilities.png)4. Save the role.> **Note:** If you want a user to automatically have all capabilities without restriction, you can enable the **Bypass** capability in their role.Once the role is created, it can be assigned to a **group**. All users in that group will automatically inherit the role’s permissions.---## How to assign a role to a userIn OpenAEV, roles are not assigned directly to users. Instead, they are linked through **groups**.1. Go to **Settings → Security → Groups**.2. Create a group. 3. In the group options, assign: - One or more **roles** (defining the capabilities for this group). - One or more **users** (who will inherit the group’s roles). 
![Select capabilities](assets/manage-group.png)---## Grants### How to grant a simulation to a userBeyond global **capabilities** defined in roles, OpenAEV also allows assigning more precise **grants**. Grants define permissions on specific resources (for example, one simulation), and they are always managed at the **group** level.**To grant a simulation to a user:**1. Go to **Settings → Security → Groups**.2. Click on **Manage grants** in the group options.3. A drawer will open with the available resources: - Simulations - Scenarios - Atomic testings - Payloads4. Select the specific items you want the group to access and assign the appropriate grant level. ![Manage grants](assets/manage-grants.png)---### Special Cases- **Simulations, Scenarios, and Atomic Testing** - A user can access these either through specific **grants**, or globally if the group has the **ASSESSMENT** capability (which overrides individual grants).- **Payloads** - Access is given either through specific **grants**, or globally if the group has the **PAYLOAD** capability.---### Types of GrantsThere are three levels of granularity:| Grant | Rights included ||---------|-------------------------------------------|| Access | View only || Manage | View, edit, delete || Launch | Manage rights + ability to launch tests |---## Default Read AccessSome elements in OpenAEV are always visible to all users, regardless of their assigned capabilities or grants. By default, the following features are open for everyone:- **Teams**- **Players**- **Taxonomies** (in the Settings)Users can view these elements without needing any specific capability, but additional rights are required if they want to manage them.---## Capability DependenciesIn some cases, performing an action in OpenAEV requires more than one capability. 
If a required capability is missing, the action will be blocked and a warning message will explain which capability is missing.### Example- In **Scenarios**, when creating an article, the user also needs the capability to **access Channels**.- If the user does not have this capability, the article cannot be created.- A warning will be displayed, indicating that the necessary capability is missing. ![Missing capability](assets/warning-missing-capabilities.png)This mechanism ensures consistency across the platform: actions that depend on other features cannot be performed without the proper access.
Member


Note: if you check a capability with Delete, the corresponding Manage and Access permissions will automatically be selected as well. This is because it is not possible to delete something without first being able to access and manage it.

Maybe something like this — it’s a bit more descriptive
Permissions are organized hierarchically by indentation: selecting a permission further to the right (e.g., Delete) will automatically enable the less-indented ones that precede it (e.g., Manage and Access).

@@ -0,0 +1 @@
# User permissions ## What is RBACRole-Based Access Control (RBAC) is the way OpenAEV manages who can do what inside the platform. Each user belongs to a group, and this group has one or more roles that define its **permissions**.Permissions determine what features a user can access. If a user does not have the right permission, the option will simply not be available to them.In addition to general permissions (called *capabilities*), OpenAEV also supports **grants**. Grants are more precise: they allow access to a specific resource, such as one particular simulation, without giving the user access to all simulations.---## How to create a roleTo create a new role in OpenAEV:1. Go to **Settings → Security → Roles**.2. Click on **Create role**. Enter a **name** and an optional **description** for the role (e.g. "Platform role") ![Create role](assets/create-role.png)3. Select the **capabilities** that should be included in this role, such as: - Access assets - Manage dashboards - Delete documents - ... > **Note:** if you check a capability with **Delete**, the corresponding **Manage** and **Access** permissions will automatically be selected as well. This is because it is not possible to delete something without first being able to access and manage it. ![Select capabilities](assets/select-capabilities.png)4. Save the role.> **Note:** If you want a user to automatically have all capabilities without restriction, you can enable the **Bypass** capability in their role.Once the role is created, it can be assigned to a **group**. All users in that group will automatically inherit the role’s permissions.---## How to assign a role to a userIn OpenAEV, roles are not assigned directly to users. Instead, they are linked through **groups**.1. Go to **Settings → Security → Groups**.2. Create a group. 3. In the group options, assign: - One or more **roles** (defining the capabilities for this group). - One or more **users** (who will inherit the group’s roles). 
![Select capabilities](assets/manage-group.png)---## Grants### How to grant a simulation to a userBeyond global **capabilities** defined in roles, OpenAEV also allows assigning more precise **grants**. Grants define permissions on specific resources (for example, one simulation), and they are always managed at the **group** level.**To grant a simulation to a user:**1. Go to **Settings → Security → Groups**.2. Click on **Manage grants** in the group options.3. A drawer will open with the available resources: - Simulations - Scenarios - Atomic testings - Payloads4. Select the specific items you want the group to access and assign the appropriate grant level. ![Manage grants](assets/manage-grants.png)---### Special Cases- **Simulations, Scenarios, and Atomic Testing** - A user can access these either through specific **grants**, or globally if the group has the **ASSESSMENT** capability (which overrides individual grants).- **Payloads** - Access is given either through specific **grants**, or globally if the group has the **PAYLOAD** capability.---### Types of GrantsThere are three levels of granularity:| Grant | Rights included ||---------|-------------------------------------------|| Access | View only || Manage | View, edit, delete || Launch | Manage rights + ability to launch tests |---## Default Read AccessSome elements in OpenAEV are always visible to all users, regardless of their assigned capabilities or grants. By default, the following features are open for everyone:- **Teams**- **Players**- **Taxonomies** (in the Settings)Users can view these elements without needing any specific capability, but additional rights are required if they want to manage them.---## Capability DependenciesIn some cases, performing an action in OpenAEV requires more than one capability. 
If a required capability is missing, the action will be blocked and a warning message will explain which capability is missing.### Example- In **Scenarios**, when creating an article, the user also needs the capability to **access Channels**.- If the user does not have this capability, the article cannot be created.- A warning will be displayed, indicating that the necessary capability is missing. ![Missing capability](assets/warning-missing-capabilities.png)This mechanism ensures consistency across the platform: actions that depend on other features cannot be performed without the proper access.
Member


How to assign a role to a user
In OpenAEV, roles are not assigned directly to users. Instead, they are linked through groups.

The objective here is to explain how to assign a role to a group and assign a user to it. You already mentioned this in the first paragraph: each user belongs to a group, and that group has one or more roles that define its permissions.

@@ -0,0 +1 @@
# User permissions ## What is RBACRole-Based Access Control (RBAC) is the way OpenAEV manages who can do what inside the platform. Each user belongs to a group, and this group has one or more roles that define its **permissions**.Permissions determine what features a user can access. If a user does not have the right permission, the option will simply not be available to them.In addition to general permissions (called *capabilities*), OpenAEV also supports **grants**. Grants are more precise: they allow access to a specific resource, such as one particular simulation, without giving the user access to all simulations.---## How to create a roleTo create a new role in OpenAEV:1. Go to **Settings → Security → Roles**.2. Click on **Create role**. Enter a **name** and an optional **description** for the role (e.g. "Platform role") ![Create role](assets/create-role.png)3. Select the **capabilities** that should be included in this role, such as: - Access assets - Manage dashboards - Delete documents - ... > **Note:** if you check a capability with **Delete**, the corresponding **Manage** and **Access** permissions will automatically be selected as well. This is because it is not possible to delete something without first being able to access and manage it. ![Select capabilities](assets/select-capabilities.png)4. Save the role.> **Note:** If you want a user to automatically have all capabilities without restriction, you can enable the **Bypass** capability in their role.Once the role is created, it can be assigned to a **group**. All users in that group will automatically inherit the role’s permissions.---## How to assign a role to a userIn OpenAEV, roles are not assigned directly to users. Instead, they are linked through **groups**.1. Go to **Settings → Security → Groups**.2. Create a group. 3. In the group options, assign: - One or more **roles** (defining the capabilities for this group). - One or more **users** (who will inherit the group’s roles). 
![Select capabilities](assets/manage-group.png)---## Grants### How to grant a simulation to a userBeyond global **capabilities** defined in roles, OpenAEV also allows assigning more precise **grants**. Grants define permissions on specific resources (for example, one simulation), and they are always managed at the **group** level.**To grant a simulation to a user:**1. Go to **Settings → Security → Groups**.2. Click on **Manage grants** in the group options.3. A drawer will open with the available resources: - Simulations - Scenarios - Atomic testings - Payloads4. Select the specific items you want the group to access and assign the appropriate grant level. ![Manage grants](assets/manage-grants.png)---### Special Cases- **Simulations, Scenarios, and Atomic Testing** - A user can access these either through specific **grants**, or globally if the group has the **ASSESSMENT** capability (which overrides individual grants).- **Payloads** - Access is given either through specific **grants**, or globally if the group has the **PAYLOAD** capability.---### Types of GrantsThere are three levels of granularity:| Grant | Rights included ||---------|-------------------------------------------|| Access | View only || Manage | View, edit, delete || Launch | Manage rights + ability to launch tests |---## Default Read AccessSome elements in OpenAEV are always visible to all users, regardless of their assigned capabilities or grants. By default, the following features are open for everyone:- **Teams**- **Players**- **Taxonomies** (in the Settings)Users can view these elements without needing any specific capability, but additional rights are required if they want to manage them.---## Capability DependenciesIn some cases, performing an action in OpenAEV requires more than one capability. 
If a required capability is missing, the action will be blocked and a warning message will explain which capability is missing.### Example- In **Scenarios**, when creating an article, the user also needs the capability to **access Channels**.- If the user does not have this capability, the article cannot be created.- A warning will be displayed, indicating that the necessary capability is missing. ![Missing capability](assets/warning-missing-capabilities.png)This mechanism ensures consistency across the platform: actions that depend on other features cannot be performed without the proper access.
Member


It could be useful to illustrate the first part with a persona — for example, a tabletop content manager:

  • Full rights on players, teams, and organizations
  • No rights on payloads

What do you think?

Same for grants use case.

@@ -0,0 +1 @@
# User permissions ## What is RBACRole-Based Access Control (RBAC) is the way OpenAEV manages who can do what inside the platform. Each user belongs to a group, and this group has one or more roles that define its **permissions**.Permissions determine what features a user can access. If a user does not have the right permission, the option will simply not be available to them.In addition to general permissions (called *capabilities*), OpenAEV also supports **grants**. Grants are more precise: they allow access to a specific resource, such as one particular simulation, without giving the user access to all simulations.---## How to create a roleTo create a new role in OpenAEV:1. Go to **Settings → Security → Roles**.2. Click on **Create role**. Enter a **name** and an optional **description** for the role (e.g. "Platform role") ![Create role](assets/create-role.png)3. Select the **capabilities** that should be included in this role, such as: - Access assets - Manage dashboards - Delete documents - ... > **Note:** if you check a capability with **Delete**, the corresponding **Manage** and **Access** permissions will automatically be selected as well. This is because it is not possible to delete something without first being able to access and manage it. ![Select capabilities](assets/select-capabilities.png)4. Save the role.> **Note:** If you want a user to automatically have all capabilities without restriction, you can enable the **Bypass** capability in their role.Once the role is created, it can be assigned to a **group**. All users in that group will automatically inherit the role’s permissions.---## How to assign a role to a userIn OpenAEV, roles are not assigned directly to users. Instead, they are linked through **groups**.1. Go to **Settings → Security → Groups**.2. Create a group. 3. In the group options, assign: - One or more **roles** (defining the capabilities for this group). - One or more **users** (who will inherit the group’s roles). 
![Select capabilities](assets/manage-group.png)---## Grants### How to grant a simulation to a userBeyond global **capabilities** defined in roles, OpenAEV also allows assigning more precise **grants**. Grants define permissions on specific resources (for example, one simulation), and they are always managed at the **group** level.**To grant a simulation to a user:**1. Go to **Settings → Security → Groups**.2. Click on **Manage grants** in the group options.3. A drawer will open with the available resources: - Simulations - Scenarios - Atomic testings - Payloads4. Select the specific items you want the group to access and assign the appropriate grant level. ![Manage grants](assets/manage-grants.png)---### Special Cases- **Simulations, Scenarios, and Atomic Testing** - A user can access these either through specific **grants**, or globally if the group has the **ASSESSMENT** capability (which overrides individual grants).- **Payloads** - Access is given either through specific **grants**, or globally if the group has the **PAYLOAD** capability.---### Types of GrantsThere are three levels of granularity:| Grant | Rights included ||---------|-------------------------------------------|| Access | View only || Manage | View, edit, delete || Launch | Manage rights + ability to launch tests |---## Default Read AccessSome elements in OpenAEV are always visible to all users, regardless of their assigned capabilities or grants. By default, the following features are open for everyone:- **Teams**- **Players**- **Taxonomies** (in the Settings)Users can view these elements without needing any specific capability, but additional rights are required if they want to manage them.---## Capability DependenciesIn some cases, performing an action in OpenAEV requires more than one capability. 
If a required capability is missing, the action will be blocked and a warning message will explain which capability is missing.### Example- In **Scenarios**, when creating an article, the user also needs the capability to **access Channels**.- If the user does not have this capability, the article cannot be created.- A warning will be displayed, indicating that the necessary capability is missing. ![Missing capability](assets/warning-missing-capabilities.png)This mechanism ensures consistency across the platform: actions that depend on other features cannot be performed without the proper access.
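Review bot: the heading "### How to grant a simulation to a user" does not match the procedure under it, which happens entirely at group level (the text itself says grants "are always managed at the group level", and step 4 selects the items "you want the group to access"). Rename it to "How to grant a simulation to a group", or add one sentence saying that a user receives the grant through membership of that group. Minor: the resource names differ between the drawer list ("Atomic testings") and the Special Cases entry ("Atomic Testing"); use one form.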
Member


I think we have an indentation issue here

@@ -0,0 +1 @@
# User permissions ## What is RBACRole-Based Access Control (RBAC) is the way OpenAEV manages who can do what inside the platform. Each user belongs to a group, and this group has one or more roles that define its **permissions**.Permissions determine what features a user can access. If a user does not have the right permission, the option will simply not be available to them.In addition to general permissions (called *capabilities*), OpenAEV also supports **grants**. Grants are more precise: they allow access to a specific resource, such as one particular simulation, without giving the user access to all simulations.---## How to create a roleTo create a new role in OpenAEV:1. Go to **Settings → Security → Roles**.2. Click on **Create role**. Enter a **name** and an optional **description** for the role (e.g. "Platform role") ![Create role](assets/create-role.png)3. Select the **capabilities** that should be included in this role, such as: - Access assets - Manage dashboards - Delete documents - ... > **Note:** if you check a capability with **Delete**, the corresponding **Manage** and **Access** permissions will automatically be selected as well. This is because it is not possible to delete something without first being able to access and manage it. ![Select capabilities](assets/select-capabilities.png)4. Save the role.> **Note:** If you want a user to automatically have all capabilities without restriction, you can enable the **Bypass** capability in their role.Once the role is created, it can be assigned to a **group**. All users in that group will automatically inherit the role’s permissions.---## How to assign a role to a userIn OpenAEV, roles are not assigned directly to users. Instead, they are linked through **groups**.1. Go to **Settings → Security → Groups**.2. Create a group. 3. In the group options, assign: - One or more **roles** (defining the capabilities for this group). - One or more **users** (who will inherit the group’s roles). 
![Select capabilities](assets/manage-group.png)---## Grants### How to grant a simulation to a userBeyond global **capabilities** defined in roles, OpenAEV also allows assigning more precise **grants**. Grants define permissions on specific resources (for example, one simulation), and they are always managed at the **group** level.**To grant a simulation to a user:**1. Go to **Settings → Security → Groups**.2. Click on **Manage grants** in the group options.3. A drawer will open with the available resources: - Simulations - Scenarios - Atomic testings - Payloads4. Select the specific items you want the group to access and assign the appropriate grant level. ![Manage grants](assets/manage-grants.png)---### Special Cases- **Simulations, Scenarios, and Atomic Testing** - A user can access these either through specific **grants**, or globally if the group has the **ASSESSMENT** capability (which overrides individual grants).- **Payloads** - Access is given either through specific **grants**, or globally if the group has the **PAYLOAD** capability.---### Types of GrantsThere are three levels of granularity:| Grant | Rights included ||---------|-------------------------------------------|| Access | View only || Manage | View, edit, delete || Launch | Manage rights + ability to launch tests |---## Default Read AccessSome elements in OpenAEV are always visible to all users, regardless of their assigned capabilities or grants. By default, the following features are open for everyone:- **Teams**- **Players**- **Taxonomies** (in the Settings)Users can view these elements without needing any specific capability, but additional rights are required if they want to manage them.---## Capability DependenciesIn some cases, performing an action in OpenAEV requires more than one capability. 
If a required capability is missing, the action will be blocked and a warning message will explain which capability is missing.### Example- In **Scenarios**, when creating an article, the user also needs the capability to **access Channels**.- If the user does not have this capability, the article cannot be created.- A warning will be displayed, indicating that the necessary capability is missing. ![Missing capability](assets/warning-missing-capabilities.png)This mechanism ensures consistency across the platform: actions that depend on other features cannot be performed without the proper access.
Member


For readability, I think it’s simpler to start with the types of grants and then move on to the special cases.


@@ -0,0 +1 @@
# User permissions ## What is RBACRole-Based Access Control (RBAC) is the way OpenAEV manages who can do what inside the platform. Each user belongs to a group, and this group has one or more roles that define its **permissions**.Permissions determine what features a user can access. If a user does not have the right permission, the option will simply not be available to them.In addition to general permissions (called *capabilities*), OpenAEV also supports **grants**. Grants are more precise: they allow access to a specific resource, such as one particular simulation, without giving the user access to all simulations.---## How to create a roleTo create a new role in OpenAEV:1. Go to **Settings → Security → Roles**.2. Click on **Create role**. Enter a **name** and an optional **description** for the role (e.g. "Platform role") ![Create role](assets/create-role.png)3. Select the **capabilities** that should be included in this role, such as: - Access assets - Manage dashboards - Delete documents - ... > **Note:** if you check a capability with **Delete**, the corresponding **Manage** and **Access** permissions will automatically be selected as well. This is because it is not possible to delete something without first being able to access and manage it. ![Select capabilities](assets/select-capabilities.png)4. Save the role.> **Note:** If you want a user to automatically have all capabilities without restriction, you can enable the **Bypass** capability in their role.Once the role is created, it can be assigned to a **group**. All users in that group will automatically inherit the role’s permissions.---## How to assign a role to a userIn OpenAEV, roles are not assigned directly to users. Instead, they are linked through **groups**.1. Go to **Settings → Security → Groups**.2. Create a group. 3. In the group options, assign: - One or more **roles** (defining the capabilities for this group). - One or more **users** (who will inherit the group’s roles). 
![Select capabilities](assets/manage-group.png)---## Grants### How to grant a simulation to a userBeyond global **capabilities** defined in roles, OpenAEV also allows assigning more precise **grants**. Grants define permissions on specific resources (for example, one simulation), and they are always managed at the **group** level.**To grant a simulation to a user:**1. Go to **Settings → Security → Groups**.2. Click on **Manage grants** in the group options.3. A drawer will open with the available resources: - Simulations - Scenarios - Atomic testings - Payloads4. Select the specific items you want the group to access and assign the appropriate grant level. ![Manage grants](assets/manage-grants.png)---### Special Cases- **Simulations, Scenarios, and Atomic Testing** - A user can access these either through specific **grants**, or globally if the group has the **ASSESSMENT** capability (which overrides individual grants).- **Payloads** - Access is given either through specific **grants**, or globally if the group has the **PAYLOAD** capability.---### Types of GrantsThere are three levels of granularity:| Grant | Rights included ||---------|-------------------------------------------|| Access | View only || Manage | View, edit, delete || Launch | Manage rights + ability to launch tests |---## Default Read AccessSome elements in OpenAEV are always visible to all users, regardless of their assigned capabilities or grants. By default, the following features are open for everyone:- **Teams**- **Players**- **Taxonomies** (in the Settings)Users can view these elements without needing any specific capability, but additional rights are required if they want to manage them.---## Capability DependenciesIn some cases, performing an action in OpenAEV requires more than one capability. 
If a required capability is missing, the action will be blocked and a warning message will explain which capability is missing.### Example- In **Scenarios**, when creating an article, the user also needs the capability to **access Channels**.- If the user does not have this capability, the article cannot be created.- A warning will be displayed, indicating that the necessary capability is missing. ![Missing capability](assets/warning-missing-capabilities.png)This mechanism ensures consistency across the platform: actions that depend on other features cannot be performed without the proper access.
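Review bot: the Bypass note after step 4 ("If you want a user to automatically have all capabilities without restriction, you can enable the **Bypass** capability in their role") should be a warning rather than a note, because a role carrying Bypass is a full platform administrator; the doc should say to reserve it for a small admin group and never to attach it to a role that is assigned broadly. In the same region, the Special Cases wording "the **ASSESSMENT** capability (which overrides individual grants)" is ambiguous about direction: state plainly that a group holding ASSESSMENT can see and manage every simulation, scenario and atomic testing regardless of which grants it has, so adding that capability to a group silently widens the access of every user in it. The Types of Grants table also deserves one sentence after it noting that Launch includes Manage, and Manage includes delete, since the name Launch suggests an execute-only right. Finally, Default Read Access (Teams, Players, Taxonomies visible to all users regardless of grants) is the one place where the model exposes data without any capability check, so it belongs in a warning box before the how-to sections rather than as an aside near the end.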
Member
This section should be presented as a warning, perhaps placed directly in the first paragraph?


@@ -0,0 +1 @@
# User permissions ## What is RBACRole-Based Access Control (RBAC) is the way OpenAEV manages who can do what inside the platform. Each user belongs to a group, and this group has one or more roles that define its **permissions**.Permissions determine what features a user can access. If a user does not have the right permission, the option will simply not be available to them.In addition to general permissions (called *capabilities*), OpenAEV also supports **grants**. Grants are more precise: they allow access to a specific resource, such as one particular simulation, without giving the user access to all simulations.!!! warning "Default read access" Some elements in OpenAEV are always visible to all users, regardless of their assigned capabilities or grants. By default, the following features are open for everyone: - **Teams** - **Players** - **Taxonomies** (in the Settings) Users can view these elements without needing any specific capability, but additional rights are required if they want to manage them.---## How to create a roleTo create a new role in OpenAEV:1. Go to **Settings → Security → Roles**.2. Click on **Create role**. Enter a **name** and an optional **description** for the role3. Select the **capabilities** that should be included in this role, such as: - Access assets - Manage dashboards - Delete documents - ...4. Save the role.!!! info "Hierarchical permissions" Permissions are organized hierarchically by indentation: selecting a permission further to the right (e.g., Delete) will automatically enable the less-indented ones that precede it (e.g., Manage and Access).!!! tip "Bypass" If you want a user to automatically have all capabilities without restriction, you can enable the **Bypass** capability in their role.Once the role is created, it can be assigned to a **group**. All users in that group will automatically inherit the role’s permissions.### Example : Crisis content creator!!! 
tip "Role : Crisis content creator"**Context:** This user is in charge of designing crisis management content. Their role is to create **scenarios** that can later be reused by other teams to run exercises. For example, they might build an **“Earthquake Crisis Scenario”**.**Capabilities:** - **Security platforms** : Manage groups to assign them grants - **Assessment** : Create scenarioWith this role, the user can design new scenarios, and configure everything needed to prepare exercises. For instance, they may create a **“Earthquake Crisis Template”**, which becomes the foundation for future simulations.![Create role](assets/create-role.png)![Assign capabilities](assets/assign-capabilities.png)Then, the user will be able to create scenario, launch it and grant their team on this simulation. ---## Grants### How to grant a simulation to a userBeyond global **capabilities** defined in roles, OpenAEV also allows assigning more precise **grants**. Grants define permissions on specific resources (for example, one simulation), and they are always managed at the **group** level.**To grant a simulation to a user:**1. Go to **Settings → Security → Groups**.2. Click on **Manage grants** in the group options.3. A drawer will open with the available resources: - Simulations - Scenarios - Atomic testings - Payloads4. Select the specific items you want the group to access and assign the appropriate grant level. ![Manage grants](assets/manage-grants.png)---### Types of GrantsThere are three levels of granularity:| Grant | Rights included ||---------|-------------------------------------------|| Access | View only || Manage | View, edit, delete || Launch | Manage rights + ability to launch tests |---### Example : Local coordinator!!! tip "Role : Local coordinator" **Context:** This user is not a global content creator. Instead, they are trained locally to run a specific simulation designed by the content creator. 
They do not need all capabilities — only access to the resources explicitly granted to them.**Grants assigned through their group:** - **Simulation** → *Launch* on the simulation based on the “Earthquake Crisis”**Concrete workflow:** - The **Content Creator** travels to the **French Embassy** and trains a local coordinator. - This coordinator is granted launch to the simulation created from the *Earthquake Crisis Scenario*. - The coordinator can now run and manage this simulation, but cannot see or modify other simulations or scenarios. - Later, the same process is repeated at the **UK Embassy**, where another coordinator is granted launch only to the local simulation derived from the same scenario.---### Special Cases!!! tip "Simulations, Scenarios, and Atomic Testing" A user can access these either through specific **grants**, or globally if the group has the **ASSESSMENT** capability (which overrides individual grants).!!! tip "Payloads" Access is given either through specific **grants**, or globally if the group has the **PAYLOAD** capability. ---## Capability DependenciesIn some cases, performing an action in OpenAEV requires more than one capability. If a required capability is missing, the action will be blocked and a warning message will explain which capability is missing.### Example- In **Scenarios**, when creating an article, the user also needs the capability to **access Channels**.- If the user does not have this capability, the article cannot be created.- A warning will be displayed, indicating that the necessary capability is missing. ![Missing capability](assets/warning-missing-capabilities.png)This mechanism ensures consistency across the platform: actions that depend on other features cannot be performed without the proper access.
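Review bot: the Crisis content creator example gives the role "**Security platforms** : Manage groups to assign them grants", which is an administrative capability rather than a content-creation one; if it covers the group options described under "How to assign a role to a user" (assigning roles and users to any group), a holder could add users, including themselves, to a group whose role carries Bypass. The example should either say that grant assignment is normally done by an administrator while the content creator only needs the Assessment capability, or name the narrower right that lets a creator grant their own simulation. In the Local coordinator example, "The coordinator can now run and manage this simulation, but cannot see or modify other simulations or scenarios" omits that, per the Types of Grants table, Launch includes Manage and Manage includes delete, so the coordinator can also delete the simulation; say so. Lastly, the Special Cases box still says ASSESSMENT "overrides individual grants", which reads as if the capability could narrow access; reword to "gives access to all of them regardless of grants".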
Member
I checked on CTI, and we’re going with capabilities directly without mentioning permissions, to make things clearer.

https://docs.opencti.io/latest/administration/users/?h=permission#list-of-capabilities

Member
Indentation issue here

Member


Security platforms or Manage platform settings?
I also realize that at this point, it's the first time I come across the word assessments, and it isn't connected to anything.
What is it for? I have no idea. Could be great to define this capa OR write it as Assessments (Scenarios, Simulations, Atomic Testings). Something I can hold on to (on the application side as well).

Member
Note that the term exercise sometimes appears: it actually refers to our simulations.

Member
We give an example of a grant here:
"Then, the user will be able to create scenario, launch it and grant their team on this simulation."

But we define the grant later.
I like the teasing!

@@ -0,0 +1 @@
# User permissions ## What is RBACRole-Based Access Control (RBAC) is the way OpenAEV manages who can do what inside the platform. Each user belongs to a group, and this group has one or more roles that define its **permissions**.Permissions determine what features a user can access. If a user does not have the right permission, the option will simply not be available to them.In addition to general permissions (called *capabilities*), OpenAEV also supports **grants**. Grants are more precise: they allow access to a specific resource, such as one particular simulation, without giving the user access to all simulations.!!! warning "Default read access" Some elements in OpenAEV are always visible to all users, regardless of their assigned capabilities or grants. By default, the following features are open for everyone: - **Teams** - **Players** - **Taxonomies** (in the Settings) Users can view these elements without needing any specific capability, but additional rights are required if they want to manage them.---## How to create a roleTo create a new role in OpenAEV:1. Go to **Settings → Security → Roles**.2. Click on **Create role**. Enter a **name** and an optional **description** for the role3. Select the **capabilities** that should be included in this role, such as: - Access assets - Manage dashboards - Delete documents - ...4. Save the role.!!! info "Hierarchical permissions" Permissions are organized hierarchically by indentation: selecting a permission further to the right (e.g., Delete) will automatically enable the less-indented ones that precede it (e.g., Manage and Access).!!! tip "Bypass" If you want a user to automatically have all capabilities without restriction, you can enable the **Bypass** capability in their role.Once the role is created, it can be assigned to a **group**. All users in that group will automatically inherit the role’s permissions.### Example : Crisis content creator!!! 
tip "Role : Crisis content creator"**Context:** This user is in charge of designing crisis management content. Their role is to create **scenarios** that can later be reused by other teams to run exercises. For example, they might build an **“Earthquake Crisis Scenario”**.**Capabilities:** - **Security platforms** : Manage groups to assign them grants - **Assessment** : Create scenarioWith this role, the user can design new scenarios, and configure everything needed to prepare exercises. For instance, they may create a **“Earthquake Crisis Template”**, which becomes the foundation for future simulations.![Create role](assets/create-role.png)![Assign capabilities](assets/assign-capabilities.png)Then, the user will be able to create scenario, launch it and grant their team on this simulation. ---## Grants### How to grant a simulation to a userBeyond global **capabilities** defined in roles, OpenAEV also allows assigning more precise **grants**. Grants define permissions on specific resources (for example, one simulation), and they are always managed at the **group** level.**To grant a simulation to a user:**1. Go to **Settings → Security → Groups**.2. Click on **Manage grants** in the group options.3. A drawer will open with the available resources: - Simulations - Scenarios - Atomic testings - Payloads4. Select the specific items you want the group to access and assign the appropriate grant level. ![Manage grants](assets/manage-grants.png)---### Types of GrantsThere are three levels of granularity:| Grant | Rights included ||---------|-------------------------------------------|| Access | View only || Manage | View, edit, delete || Launch | Manage rights + ability to launch tests |---### Example : Local coordinator!!! tip "Role : Local coordinator" **Context:** This user is not a global content creator. Instead, they are trained locally to run a specific simulation designed by the content creator. 
They do not need all capabilities — only access to the resources explicitly granted to them.**Grants assigned through their group:** - **Simulation** → *Launch* on the simulation based on the “Earthquake Crisis”**Concrete workflow:** - The **Content Creator** travels to the **French Embassy** and trains a local coordinator. - This coordinator is granted launch to the simulation created from the *Earthquake Crisis Scenario*. - The coordinator can now run and manage this simulation, but cannot see or modify other simulations or scenarios. - Later, the same process is repeated at the **UK Embassy**, where another coordinator is granted launch only to the local simulation derived from the same scenario.---### Special Cases!!! tip "Simulations, Scenarios, and Atomic Testing" A user can access these either through specific **grants**, or globally if the group has the **ASSESSMENT** capability (which overrides individual grants).!!! tip "Payloads" Access is given either through specific **grants**, or globally if the group has the **PAYLOAD** capability. ---## Capability DependenciesIn some cases, performing an action in OpenAEV requires more than one capability. If a required capability is missing, the action will be blocked and a warning message will explain which capability is missing.### Example- In **Scenarios**, when creating an article, the user also needs the capability to **access Channels**.- If the user does not have this capability, the article cannot be created.- A warning will be displayed, indicating that the necessary capability is missing. ![Missing capability](assets/warning-missing-capabilities.png)This mechanism ensures consistency across the platform: actions that depend on other features cannot be performed without the proper access.
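Review bot: In the "Special Cases" section, "the ASSESSMENT capability (which overrides individual grants)" does not say which grant level the capability implies: the "Types of Grants" table distinguishes Access, Manage and Launch, so state whether a group holding ASSESSMENT gets Launch rights on every simulation, scenario and atomic testing or only Access/Manage, and do the same for PAYLOAD. The same precision would help the "Crisis content creator" example, where "Manage groups to assign them grants" reads as if the group-management capability alone lets a user grant any simulation; say whether the granting user must also hold access to the resource being granted, since the "Manage grants" drawer is described as listing "the available resources".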
We are talking of 4 grantable resources and we have 5 grantable resources on the screenshot

@savacano28
@camrrx @heditar This pr could close this issue: #65 ?

heditar commented Sep 12, 2025

@camrrx @heditar This pr could close this issue: #65 ?

yes, I just moved it from the Openbas repo, it was not available when Camille created the PR

heditar commented Sep 12, 2025

@camrrx @heditar This pr could close this issue: #65 ?

yes, I just moved it from the Openbas repo, it was not available when Camille created the PR

sorry read fast, it can close this one plus we also have a task on our side for that #196 , I added both to the PR

Successfully merging this pull request may close these issues.

RBAC: User documentation Add documentation for Groups, Users and RBAC