# Managing access

## Overview

The **Manage Access** module enables you to manage user roles for an entity in your Data Fabric / Data Service tenant. This extensive and granular permission model allows you to integrate all your business users using the service, based on their level of expertise, and your business requirements. Furthermore, you can select users or groups from your organization and assign roles to them.

:::note
Data Fabric is configured such that organization users can read data by default, via the **Everyone** group.

To limit data access, manage permissions and ensure that only the relevant users have the **Read** permission. Then add the users or groups that need access and assign them the desired roles.
:::

The following steps enable you to manage your users and groups:

1. On the Data Fabric / Data Service home page, select the **More options** menu in the header.
2. Select **Manage Access**.

The following tabs are available:

| Tab | Description |
| --- | --- |
| Assign Roles | Contains a list of all the users and groups that are defined for your current tenant and their associated **Roles**. Use the **Assign Role** button to create and update role assignments. |
| Roles | A list of all the **Roles** defined for Data Fabric / Data Service. For each role you can see the number of user or group assignments. Use the **Create New Role** button to create new roles, and the **Edit Role** button to update roles. |

## Standard roles

Standard roles have a predefined set of permissions. The following standard roles can be assigned to Data Fabric / Data Service users:

* Administrator
* Data Reader
* Data Writer
* Designer
  :::note
  You cannot remove standard roles.
  :::

### Standard role permissions

Each standard role has a different set of permissions, including at least one administrative permission and a data access permission.

#### Administrative permissions

Below is a description of the **administrative permissions** for a standard role.

| Permission | Roles with this permission... |
| --- | --- |
| Manage Permissions | ... can create new roles, edit and delete existing roles, and assign one or more roles to users or groups. |
| View All Schema | ... can view the schema of all entities and choice set definitions, but cannot modify them. |
| Customize All Schema | ... can view, create, edit, or delete the schema of all entities and choice set definitions. |

:::note
**View All Schema** and **Customize All Schema** are applicable only to entities with role-based access enabled.
:::

#### Data access permissions

Below is a description of the **Data access permissions** of a standard role.

| Permission | Roles with this permission... |
| --- | --- |
| No access | ... do not have access to any entity data. Users or groups with this permission are not allowed to create, read, edit, or delete data records of an entity. |
| Read access for all Entities | ... can view the data records of an entity. |
| Complete read and write access for all Entities | ... can create, view, edit, and delete data records of an entity. |

### Overview of standard role permissions

The following table summarizes the default permissions of each standard role:

| Standard role | Administrative Permissions | Data Access Permissions |
| --- | --- | --- |
| Administrator | Manage Permissions | No access |
| Data Reader | View All Schema | Read access for all Entities |
| Data Writer | View All Schema | Complete read and write access for all Entities |
| Designer | View All Schema, Customize All Schema | No access |

## Custom roles

Custom roles enable you to create custom sets of permissions that can be assigned to users or groups.

To create new custom roles, you need to have the **Manage Permissions** permission assigned.

### Custom role permissions

For custom roles you can decide which permissions you want to assign to the role.

At creation, assign at least one **Administrative Permission** to the new role. You can then assign **Data Access Permissions** to the role, which grant **Create**, **Read**, **Edit**, or **Delete** permissions on the specified entities.

#### Administrative permissions

Below is a description of the **Administrative Permissions** that can be assigned to a custom role.

| Permission | Description |
| --- | --- |
| Manage Roles | Roles with this permission can create new roles, edit and delete existing roles, and assign one or more roles to Users/Groups. |
| View Schema | Roles with this permission can view the schema of all entities and choice set definitions, but cannot modify them. |
| Customize All Schema | Roles with this permission can view, create, edit, or delete the schema of all entities and choice set definitions. |

#### Data access permissions

When defining a custom role, you can assign different data access permissions for the selected entities in the tenant.

You can select whether the custom role can create, read, edit, or delete the entity records. Moreover, if an entity has fields with **Role based field access** enabled, you can assign data access permissions to each of those fields.

Below is a description of the **Data Access Permissions** for an entity that can be assigned to a Custom Role.

| Permission | Description |
| --- | --- |
| Create | Roles with this permission can create entity records. |
| Read | Roles with this permission can view entity records. |
| Edit | Roles with this permission can view and modify entity records. |
| Delete | Roles with this permission can view and delete entity records. |
| Reassign owner | Roles with this permission can view and reassign entity record owners. Note: when you add new data to an existing entity, you are the default record owner of the new data. However, you can reassign ownership to a different user when you edit or add new data. |

### Creating custom roles

To create a new role:

1. On the **Roles** tab, select **Create new role**.
2. In the **Create Role** panel, enter a name for the new role in the **Role Name** field.
3. Select the **Administrative Permissions** that you want to assign to the role.
4. To add **Data Access Permissions** to the role, select the targeted entity:
   * Select **Add Entity** to display the available entities.
   * Select the entity for which you want to define the permissions.
   * Select the desired permissions. By default, the **Read** permission is enabled.
5. Select **Save** to create the new custom role. The role is displayed in the **Roles** tab with the **Type** **Custom**.

#### Setting permissions for specific fields

When creating entities it is possible to enable **Role based field access** for user-created fields. When defining a custom role, you may assign data access permissions to these fields.

:::note
Only custom roles can be updated to grant permissions to access the data in the fields.
:::

Follow the steps below to set role based field permissions:

1. Create a new role, or edit an existing custom role.
2. If the entity has fields with **Role based field access** enabled, a message prompting you to add data access permissions is displayed: **Certain fields require data access permissions**. Select **Add them**.
3. From the drop-down list, select the fields for which you want to set data access permissions.
4. Set the desired permissions: Create, Read, Edit, or Delete.
5. Click **Save**.

See also [Customizing an Entity](https://docs.uipath.com/data-service/automation-cloud/latest/user-guide/customizing-an-entity#customizing-an-entity).

:::note
If you do not configure permissions for fields where you enabled **Role based field access**, they will not be visible by default.
:::

### Editing custom roles

You may change your mind about specific permissions for a custom role. You can edit custom roles by selecting the corresponding **Edit** button.

### Removing custom roles

If you decide you no longer need a custom role, you can remove it by selecting the corresponding **Delete** button.

:::note
You cannot remove [standard roles](https://docs.uipath.com/data-service/automation-cloud/latest/user-guide/managing-access#standard-roles).
:::

## Folder-level entities roles and permissions

Access to folder-level entities is managed through Orchestrator roles, as shown in the following table:

| Permission | Description |
| --- | --- |
| Entity Records | Controls access to the data stored in the entities within the folder (read, write, delete). |
| Entity Schema | Controls access to the structure and schema definition of the entities within the folder. |
| Entity Roles | Controls management of roles assigned to the entities within the folder. |

User access is determined by the permissions assigned in Orchestrator roles.

## Adding users or groups

All calls in Data Fabric / Data Service are based on user authorization. Whether an operation is granted or denied always depends on the user's effective permissions, which combine the grants made to them individually and through group membership. Studio, Assistant, and Robot also inherit permissions based on their configured users.

Data Fabric / Data Service supports all users and groups defined in the organization and does not maintain a separate user list.

To add users that are part of your organization, take the following steps:

1. Navigate to **Admin**, select **Manage Access**, then select the **Role assignments** tab.
2. Select **Assign role**. The **Assign Roles** panel opens.
3. In the **Names** field, search for an existing user or Orchestrator group, and select the user or group for which you want to assign a role.
4. In the **Roles** field, select the roles you want to assign to your selected users or groups.
5. Select **Assign**.
   :::note
   If you cannot find a user, they do not have an account within the organization.
   :::

## Defining roles for a user or group

A group is a collection of user accounts. Data Fabric / Data Service supports all groups defined in the account and does not maintain a separate list of groups. A permission granted to a group propagates to all users and groups that belong to it.

To define the roles for a user or group, take the following steps:

1. In the **Assign Roles** tab hover over the user or group you want to assign roles to.
2. Select the **Edit** icon available on the right-hand side. The **Edit Roles** panel opens.
3. Select the desired roles for the user or group.
4. Select **Save**.
   :::note
   You can assign multiple roles to a user or group. In this case, the union of the permissions applies.
   :::

## Default group mapping

Groups are user containers with specific permission sets. Permissions for groups can be configured inside each service by selecting the group and associating the desired permissions. Users get the union of all permissions assigned to the groups they are members of.

When you assign users to a group, you grant them access to all the services which have permissions configured for that specific user group. The level of access to the service is determined by the roles assigned to that group at the service level.

| Group membership | Organization Level role | Data Fabric / Data Service **roles** |
| --- | --- | --- |
| Administrators | **Organization Administrator** | [Administrator, Designer and Data Writer](https://docs.uipath.com/data-service/automation-cloud/latest/user-guide/managing-access#overview-of-standard-role-permissions) |
| Automation Developers | **User** | [Designer and Data Writer](https://docs.uipath.com/data-service/automation-cloud/latest/user-guide/managing-access#overview-of-standard-role-permissions) |
| Automation Users | **User** | [Data Writer](https://docs.uipath.com/data-service/automation-cloud/latest/user-guide/managing-access#overview-of-standard-role-permissions) |
| Citizen Developers | **User** | [Designer and Data Writer](https://docs.uipath.com/data-service/automation-cloud/latest/user-guide/managing-access#overview-of-standard-role-permissions) |
| Everyone | **User** | [Data Reader](https://docs.uipath.com/data-service/automation-cloud/latest/user-guide/managing-access#overview-of-standard-role-permissions) |

:::note
The automatic role mapping applies for tenants created after [the introduction of the Citizen Developer group](https://docs.uipath.com/data-service/automation-cloud/latest/release-notes/release-notes-december-2023#13-december-2023). For tenants created prior to the group addition, you need to add the Citizen Developer group and assign the Designer and Data Writer roles manually.
:::

## Removing users or groups

Removing users or groups from the **Assign Roles** tab revokes their access to Data Fabric / Data Service. That is, every removed user, and every user who is a member of a removed group, can no longer access Data Fabric / Data Service.

To allow access once again, [add organization users or groups](https://docs.uipath.com/data-service/automation-cloud/latest/user-guide/managing-access#adding-users-or-groups) individually, and assign them Data Fabric / Data Service roles.

To remove a user or a group from Data Fabric / Data Service, select the corresponding **Remove user/group** ![](https://dev-assets.cms.uipath.com/assets/images/data-service/data-service-image-Minus_Circle-dc337e6f-15a5a349.png) button.

## Role-based record access

Role-based record access allows you to restrict access to specific records in your Data Fabric / Data Service entity.

:::note
Role-based record access restricts data access at the record level. [**Role based field access**](https://docs.uipath.com/data-service/automation-cloud/latest/user-guide/customizing-an-entity#enabling-or-disabling-role-based-field-access) restricts data access at the field level.
:::

### The Record Owner system field

When you enable **Role-based record access**, Data Fabric / Data Service adds the **RecordOwner** field to your entity.

The **RecordOwner** field is a system field which specifies the user or group that owns the record. When the record is created, Data Fabric / Data Service assigns the creator of the record as the record owner by default.

In addition, when you enable **Role-based record access**, Data Fabric / Data Service adds an access level to your roles: **Read**/**Edit**/**Reassign Own**/**Delete Own**. This access level limits the role to operating only on records that the user is the record owner of.

For example, if you create an entity for a scenario involving an application form:

* You can assign the **Can Create**, **Read All**, **Edit All**, **Reassign All**, and **Delete All** access levels for a manager.
* You can assign the **Cannot Create**, **Read All**, **Edit Own**, **Reassign Own**, and **Cannot Delete** access levels for a review agent.
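The following Python model is an added example, not UiPath's code, written to show how the rules described on this page combine: a user's effective permissions are the union of the roles assigned to them directly and through group membership, the creator of a record becomes its **RecordOwner**, an "own" access level only applies to records the caller owns, and anything not granted is denied. The role, group, user and record names ("Manager", "ReviewAgent", "alice", "bob", "form-1") are constructed for the manager / review-agent scenario above.

```python
from dataclasses import dataclass, field

# Access levels ordered so the union of two grants is simply the larger one.
LEVEL_RANK = {"none": 0, "own": 1, "all": 2}
OPERATIONS = ("read", "edit", "reassign", "delete")


@dataclass
class Role:
    """Data access permissions of one role on a single entity (constructed model)."""
    name: str
    can_create: bool = False
    levels: dict = field(default_factory=dict)  # op -> "all" | "own"; missing means "none"


@dataclass
class Record:
    record_id: str
    owner: str  # models the RecordOwner system field
    data: dict


class Tenant:
    def __init__(self):
        self.roles = {}        # role name -> Role
        self.assignments = {}  # principal (user or group) -> set of role names
        self.groups = {}       # group name -> set of user names

    def assign(self, principal, role_name):
        self.assignments.setdefault(principal, set()).add(role_name)

    def add_member(self, group, user):
        self.groups.setdefault(group, set()).add(user)

    def roles_for(self, user):
        """Roles assigned directly plus those inherited from every group the user is in."""
        names = set(self.assignments.get(user, set()))
        for group, members in self.groups.items():
            if user in members:
                names |= self.assignments.get(group, set())
        return [self.roles[n] for n in names]

    def effective(self, user):
        """Union of all roles: create if any role allows it, highest level per operation."""
        can_create = False
        levels = {op: "none" for op in OPERATIONS}
        for role in self.roles_for(user):
            can_create = can_create or role.can_create
            for op in OPERATIONS:
                granted = role.levels.get(op, "none")
                if LEVEL_RANK[granted] > LEVEL_RANK[levels[op]]:
                    levels[op] = granted
        return {"create": can_create, "levels": levels}

    def allowed(self, user, op, record):
        """Deny by default; 'own' only applies when the caller is the record owner."""
        level = self.effective(user)["levels"].get(op, "none")
        if level == "all":
            return True
        if level == "own":
            return record.owner == user
        return False

    def create_record(self, user, record_id, data):
        if not self.effective(user)["create"]:
            raise PermissionError(f"{user} may not create records")
        return Record(record_id, owner=user, data=data)  # creator is the default owner

    def reassign_owner(self, user, record, new_owner):
        if not self.allowed(user, "reassign", record):
            raise PermissionError(f"{user} may not reassign {record.record_id}")
        record.owner = new_owner
        return record


def build_demo_tenant():
    """Constructed sample tenant: a manager role and a review-agent role."""
    t = Tenant()
    t.roles["Manager"] = Role("Manager", can_create=True, levels={
        "read": "all", "edit": "all", "reassign": "all", "delete": "all"})
    t.roles["ReviewAgent"] = Role("ReviewAgent", can_create=False, levels={
        "read": "all", "edit": "own", "reassign": "own"})  # no delete at all
    t.assign("Managers", "Manager")
    t.assign("Reviewers", "ReviewAgent")
    t.add_member("Managers", "alice")
    t.add_member("Reviewers", "bob")
    t.add_member("Reviewers", "dave")
    t.add_member("Managers", "dave")  # dave is in both groups: union of both roles
    return t


def demo():
    t = build_demo_tenant()
    form = t.create_record("alice", "form-1", {"applicant": "constructed sample"})
    results = {"bob_reads": t.allowed("bob", "read", form),
               "bob_edits_before": t.allowed("bob", "edit", form)}
    t.reassign_owner("alice", form, "bob")  # manager hands the form to the agent
    results["bob_edits_after"] = t.allowed("bob", "edit", form)
    results["bob_deletes"] = t.allowed("bob", "delete", form)
    results["carol_reads"] = t.allowed("carol", "read", form)  # no role: denied
    results["dave_edit_level"] = t.effective("dave")["levels"]["edit"]
    return results


if __name__ == "__main__":
    print(demo())
```

Running `demo()` shows the two points practitioners most often get wrong: the review agent cannot edit the form until a manager reassigns ownership to them, and a user who is in both groups ends up with the manager's "all" level because union, not intersection, is applied.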

### Enabling or disabling role-based record access for an entity

You can enable role-based record access when you create an entity, or by editing an existing entity.

#### Enabling role-based record access for a new entity

To enable **Role-based record access** for a new entity, take the following steps:

1. Go to Data Service.
2. Select **Create New Entity**.
3. Give your entity a **Name** and **Description**.
4. Select **Enable role-based record access**.
5. Select **Save**.

A pop-up opens and prompts you to access **Manage Access** to configure custom roles.

#### Enabling or disabling role-based record access for an existing entity

To enable or disable **Role-based record access** for an existing entity, take the following steps:

1. Go to Data Fabric / Data Service.
2. Select **Entities** to view all entities.
3. Select the **Edit** button adjacent to a non-system entity.
4. Select **Role-based record access**.
   :::note
   Role-based record access restricts data access at the record level.

   [**Role based field access**](customizing-an-entity.md#enabling-or-disabling-role-based-field-access) restricts data access at the field level.
   :::
5. Select **Save**.

The **Role-based record access** slider is a context-sensitive toggle:

* If you select **Role-based record access** for an entity without this feature active, Data Fabric / Data Service enables the feature.
* If you select **Role-based record access** for an entity with this feature already active, Data Fabric / Data Service disables the feature.

### Entity-level RBAC for folder-level entities

Entity-level RBAC can also be configured for folder-level entities directly in Data Fabric under **Manage Access**. This provides an additional layer of control on top of Orchestrator folder permissions.

* Folder access in Orchestrator is the first-level control.
* RBAC rules are applied as an additional security layer on top of folder permissions.
* Users must have folder access in Orchestrator before RBAC rules take effect.
  :::note
  Permission changes are subject to a two-minute cache. A short delay in permission sync may be observed after access is updated.
  :::

To configure folder-level entity RBAC, take the following steps:

1. Select **Manage Access** in Data Fabric.
2. Select the **Roles** tab, and then select **Folder entities role** from the **Create new role** dropdown.
3. Enter a role name in the **Role Name** field.
4. Select a folder from the **Location** dropdown.
5. Select your preferred entities from the **Add entity** dropdown.
6. Define your preferred permissions for each entity.
7. Select **Save**.
8. Select the **Role Assignments** tab, and then select **Assign role** to assign roles to users or groups.
