# Role Based Access Control

## What is RBAC?

RBAC or **R**ole **B**ased **A**ccess **C**ontrol is a mechanism you can use as an admin to limit the access of your users in Teleskope.

RBAC is based on the following principles:

* Each role grants access to a collection of features and connectors
* Each user can be assigned one or more roles
* A user's permissions in the Teleskope app are the aggregate of all permissions granted by their roles

## Configuring RBAC as an admin

By default, admins are granted full access to your Teleskope instance and can view and interact with every feature and connector. Admins are also the only users who can create/update/delete roles, and assign/unassign roles for users.

Admins can navigate to the RBAC page by selecting the `Users and Roles` option under `Settings` on the sidebar in the Teleskope app. Then they can:

* Create/edit/delete roles in the `Roles` tab
* Assign/unassign roles for each user in the `Users` tab
* View a user's aggregate permissions to see what their roles have collectively granted them so far

## The 3 pre-existing RBAC roles

There are 3 starting roles that come by default in your Teleskope instance, and each is unique:

* The `admin` role, which is immutable and gives full access to the Teleskope app while also unlocking admin features like configuring RBAC or inviting new users.
* The `default` role, which every user has. It holds any permissions admins want *all* users to have regardless of their other roles. The `default` role is given full permissions to start with, so it is up to admins to *opt in* to RBAC by downgrading the default role's permissions. For example, as long as the `default` role has S3 access, every user has S3 access.
* The `teleskope-support` role which is a special case, only assigned to Teleskope employees who have been given access to your instance for support or maintenance purposes.
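The aggregation rule from the principles above and the "floor" effect of the `default` role, modelled as an added example (hypothetical code written for this page, not Teleskope's own implementation; permission strings such as `connector:s3` are constructed):

```python
from dataclasses import dataclass, field

# Permissions are opaque strings, e.g. "connector:s3" or "feature:reports".
DEFAULT_ROLE = "default"   # implicitly held by every user
ADMIN_ROLE = "admin"       # immutable, always full access


@dataclass
class Rbac:
    # role name -> permissions that role grants
    roles: dict[str, set[str]] = field(default_factory=dict)
    # user -> explicitly assigned roles (`default` is never listed; it is implied)
    assignments: dict[str, set[str]] = field(default_factory=dict)
    # every feature/connector the instance knows about
    all_permissions: set[str] = field(default_factory=set)

    def effective_permissions(self, user: str) -> set[str]:
        """A user's permissions are the union of all their roles plus `default`."""
        role_names = {DEFAULT_ROLE} | self.assignments.get(user, set())
        if ADMIN_ROLE in role_names:
            return set(self.all_permissions)
        granted: set[str] = set()
        for name in role_names:
            granted |= self.roles.get(name, set())
        return granted

    def default_floor_leaks(self, intended_denied: set[str]) -> set[str]:
        """Permissions an admin meant to withhold from some users but that
        `default` still grants to everyone. Non-empty means RBAC is not yet
        restricting anything for those permissions."""
        return intended_denied & self.roles.get(DEFAULT_ROLE, set())

    def downgrade_default(self, keep: set[str]) -> None:
        """Opt in to RBAC: shrink `default` to only the permissions in `keep`."""
        self.roles[DEFAULT_ROLE] = set(keep) & self.all_permissions


def build_example() -> Rbac:
    # Constructed sample instance: default starts with everything, as shipped.
    perms = {"connector:s3", "connector:gdrive", "feature:reports", "feature:dsr"}
    rbac = Rbac(all_permissions=perms)
    rbac.roles[DEFAULT_ROLE] = set(perms)
    rbac.roles["analysts"] = {"feature:reports"}
    rbac.assignments = {"alice": {"analysts"}, "root": {ADMIN_ROLE}, "bob": set()}
    return rbac
```

Run `effective_permissions("bob")` before and after `downgrade_default(...)` to see that nothing is restricted until the `default` role is shrunk.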

### The 3 corresponding user types

These roles also determine what **User Type** a user is in the app. Users with the `admin` role are considered an **Admin** type user, users with the `teleskope-support` role are considered a **Teleskope Support** type user, and everyone else is just a regular **Standard** user.

## RBAC use case suggestions

It's ultimately up to the admin to use RBAC as they see fit and design their own rules. However, there are a few common themes and strategies admins may want to employ with RBAC:

* Want to limit particularly sensitive data or features to only select users?
  * Limit access to these in a role, and only assign that role to select users.
* Onboarding a new employee to a specific team?
  * That user can be assigned a role for that team that includes all the permissions they may need.
* Off-boarding an employee from a team, but still keeping them at the company?
  * If that team had a custom role with their needed permissions, unassign that role from the off-boarded user.
* Want all new users to start with some level of basic permissions?
  * Add these permissions to the `default` role to automatically give new users this access.
* Don't care about restricting access at all?
  * You can give the `default` role full permissions, so any non-admin user can also see everything by default.
