Skip to main content

Role model

BAF supports a role-based access control model. Roles allow you to restrict the set of available actions for specific users within workspaces. Role assignment to users is performed on the IdP provider side.

Before configuring the assignment, correctly map the role name from BAF to the corresponding attribute in the IdP data.

For more information about configuring integration with IdP, see the IdP Integration section.

note

Currently, the role model is only available for users authenticated via IdP. All users registered using the legacy method automatically receive the WorkspaceOwner role, which corresponds to the full set of privileges within the workspace. This role cannot be replaced or changed for these users.

Role types

There are two types of roles: global and workspace-scoped.

Global roles are designed to operate outside the context of workspaces – for example, to manage roles or to perform operations across all workspaces (for example, reading applicant data from all workspaces).

Workspace-scoped roles (local roles) grant permissions only within a specific workspace and essentially mean that the user has access to that workspace with the corresponding privileges.

Role privileges

Each role defines a set of available actions (privileges). The privileges themselves are grouped by the entities to which they apply.

The following entities and privileges are currently available:

"Applicant" entity (ApplicantActionEnum):

  • Create – ability to create new applicants.
  • Read – ability to retrieve applicant data as a list or for a specific entity.
  • Update – ability to update applicant data.
  • Delete – ability to delete an applicant.
  • Block – ability to block an applicant.
  • Unblock – ability to unblock an applicant.
  • ConfirmRegistration – ability to confirm applicant registration.
  • GetImage – ability to obtain the applicant's registration photo.
  • ManualRegistration – ability to manually register an applicant.

"Applicant Attempt" entity (AttemptActionEnum):

  • Read – ability to retrieve attempt data as a list or for a specific entity.
  • GetImage – ability to retrieve attempt images.
  • GetVideo – ability to retrieve attempt videos.
  • GetArchive – ability to obtain an archive with attempt data (note: the archive contains images and videos).
  • GetPdf – ability to obtain a PDF report with attempt data (note: the report includes images).

"Access Tokens" entity (AccessTokenActionsEnum):

  • Create – ability to create access tokens.
  • Read – ability to read access tokens.
  • Update – ability to update access tokens, i.e., change the expiration period.
  • Delete – ability to delete access tokens.
danger

Access tokens provide full access to the public API, which grants almost unlimited rights to work with applicants and attempts. Grant these privileges to users with caution.

"Reports" entity (ReportActionsEnum):

Reports refer to global system performance data. Reports on specific attempts and applicants are governed by the privileges of the corresponding entities. List of available privileges for reports:

  • Create – ability to create reports.
  • Read – ability to read and download reports.
  • Delete – ability to delete reports.

"Workspace Settings" entity (SettingsActionsEnum):

  • Read – ability to read settings.
  • UpdateAlgorithm – ability to update algorithm settings.
  • UpdateApplicantBlocking – ability to update applicant blocking settings.
  • UpdateRegistration – ability to update applicant registration settings.
  • UpdateRisks – ability to manage risks.
  • UpdateRetention – ability to update data retention settings.
  • StartManualRetention – ability to start the manual data retention procedure.
danger

Permissions related to data retention allow deletion of biometric data of attempts. Grant these privileges to users with caution.

"Web Component Integrations" entity (WebComponentIntegrationActionsEnum):

  • Create – ability to create a web component integration.
  • Read – ability to read integration data.
  • UpdateIntegrationData – ability to update integration settings.
  • UpdateAlgorithmSettings – ability to update algorithm settings for the integration.
  • Delete – ability to delete integrations.
  • ReadAuthSettings – ability to read component authentication settings (authentication settings contain client secrets).
  • UpdateAuthSettings – ability to update component authentication settings.

"Blacklists" entity (BlackListActionsActionsEnum):

  • Create – ability to add an applicant to the blacklist.
  • Read – ability to read blacklists.
  • Update – ability to update blacklist data.
  • Delete – ability to remove an applicant from the blacklist.

"Roles" entity (RoleActionsEnum):

  • Create – ability to create roles.
  • Read – ability to read role data.
  • Update – ability to update roles.
  • Delete – ability to delete roles.

"Workspaces" entity (WorkspaceActionsEnum):

  • AccessAll – ability to gain access with a role that has this privilege to any workspaces.
  • Update – ability to update workspace data (name and description).
  • Create – ability to create a new workspace.
note

For privileges to manage roles and workspaces to take effect, the role containing these privileges must be global. In other words, it must be available before the workspace selection stage, since the "role" and "workspace" entities are outside the context of workspaces.

Role combination

A single user can have multiple roles simultaneously. The privileges of all roles are combined: if at least one of the user's roles contains the privilege to read applicants, the user will be able to do so.

Global roles with the AccessAll privilege are added to the list of roles for a specific workspace. For example, if a user has the global role ReadApplicantsGlobal and access to workspace #1 with the role UpdateApplicants, then in workspace #1 they will have both roles (ReadApplicantsGlobal and UpdateApplicants), while in all other workspaces they will only have ReadApplicantsGlobal.

Default roles

The system initially provides two immutable roles: SuperAdmin and WorkspaceOwner.

  • SuperAdmin allows management of the entire system, including role management and full access to any workspace.
  • WorkspaceOwner is the workspace owner role. It is automatically assigned to users created inside BAF. For more information about creating such users, see the User Management Guide.