# Managing access (Automation Cloud) > This section addresses to Automation Cloud users and contains information on how to manage access in the IXP capability, Communications Mining™. This section addresses to Automation Cloud users and contains information on how to manage access in the IXP capability, Communications Mining™. ## Roles and their underlying permissions This section contains an overview of the different roles and the underlying permissions they grant in the UiPath® IXP service. In the **Manage Access** tab from the **Administration** page, you can assign roles to specific users. Each role comes with a predefined set of permissions, so you cannot assign individual permissions. Instead, you must assign the main role, which includes all associated permissions. :::note All users can view other users in projects and tenants, but only administrators can modify users. ::: The following table contains a list of all roles and permissions, as well as a description of each role: | **Role** | **Permissions** | **Role description** | | --- | --- | --- | | **IXP Service Admin** | Audit Log - Read Tenant - Manage | Grants full rights to the IXP service. | | **IXP Project Admin** | Alert - Write Appliance Configuration - Write Bucket - Append Bucket - Write Comment - Manage Dataset - Export Dataset - Manage Integration - Write Source - Manage Stream - Consume Stream - Manage | Allows you to manage everything within a project such as users, integrations, sources, datasets, models, streams, and alerts. You cannot create or delete projects. | | **IXP Model Trainer** | Alert - Read Dataset - Review Dataset - Write Integration - Read Source - ReadSensitive Stream - Read | Allows you to view everything within a project, review and label data, and pin model versions. You can also create and update datasets, but you cannot delete them. | | **IXP Developer** | Alert - Read Appliance Configuration - Write Bucket - Append Bucket - Read Comment - Manage Dataset - Export Integration - Write Model - Manage Source - Manage Stream - Consume Stream - Manage | Allows you to view everything within a project, upload or export data, configure integrations, pin model versions, manage streams, and consume predictions from them. You cannot review and label data. Also, you cannot create, update, or delete datasets or alerts. | | **IXP Viewer** | Alert - Read Dataset - Read Integration - Read Source - Read Stream - Read | Allows you to view everything within a project. You cannot create, update, or delete anything. | | **IXP Analyst** | Alert - Write Dashboard - Write Dataset - Read Integration - Read Source - Read Stream - Read | Allows you to view everything within a project and can create, update, and delete dashboards and alerts. You cannot import, export, or review and label data. Also, you cannot modify or consume streams or set up integrations. | :::note Since permissions are granted at the project level, users might need different permissions for different projects. ::: ### Permission types Define the level of access granted to users for specific actions or resources. | **Permission type** | **Description** | | --- | --- | | Service permissions | Allows you to view audit logs and manage projects and users for a tenant. | | Sources permissions | Refer to the data your company uploaded for analysis. | | Datasets permissions | Grant access to datasets, that is, a named collections of labels, general fields, and training data. | | Streams permissions | Grant access to streams, which allow you to take actions on newly ingested data. | | Buckets permissions | Grant access to buckets, which are containers of raw data items that you can upload. | | Integration permissions | Grant access to integrations, which allow you to connect other services to the platform. | | Utility permissions | Include any permissions that do not belong to any of the other categories. | :::note Buckets, integration, and utility permissions are typically only granted to programmatic users such as development engineers. In addition, these permissions are not required for the daily use of the platform. ::: ### Permissions :::note The **Modify users**, **View users**, and **Upload file** permissions are deprecated because they are no longer required as standalone permissions outside of the available roles. ::: In the **Manage Access** tab from the **Administration** page, you can assign roles to specific users. Each role comes with a predefined set of permissions, so you cannot assign individual permissions. Instead, you must assign the main role, which includes all associated permissions. | Permission type | Permission | Permission description | |----------------|------------|------------------------| | Service (only non-project) | **Tenant - Manage** | Create, modify, and delete projects and users for a tenant. Additionally, all admins on UiPath® Automation Cloud also receive this permission in the IXP platform automatically. | | Service (only non-project) | **Audit Log - Read** | View audit logs. | | Sources | **Source - Read** | View sources and the messages they contain. This is required to view individual messages on the platform. | | Sources | **Source - ReadSensitive**Grants **Source - Read** | View any user properties marked as sensitive, in addition to others. | | Sources | **Source - Manage**Grants **Source - ReadSensitive** | Create, modify, and delete sources. You must create sources via the API. | | Sources | **Comment - Manage** | Create, update, and delete messages in a source via the API. | | Datasets | **Dataset - Read** | View pinned and predicted labels on the datasets of the user. This is required to view individual messages on the platform. **Note:** To view any data related to a source, dataset, or message in the platform, both **Source - Read** and **Dataset - Read**, or their parent roles, are required. | | Datasets | **Dataset - Manage**Grants **Dataset - Write**, **Dataset - Read**, **Dataset - Review** | Create, update, and delete datasets. | | Datasets | **Dataset - Write** | Create datasets and update their properties, for example, their description, sources and general fields, as well as enabling **Quality of Service and Tone analysis**. | | Datasets | **Dataset - Review**Grants **Dataset - Read** | Create, edit, and delete labels, and pin them to messages in the dataset of the user. Add pre-trained labels. | | Datasets | **Dataset - Export** | Export datasets via the user interface. | | Datasets | **Model - Manage** | Pin model versions. | | Datasets | **Dashboard - Write** | Create or modify dashboards. | | Streams | **Stream - Read** | View streams and their configuration. | | Streams | **Stream - Manage** | Create, modify, and delete streams. | | Streams | **Stream - Consume** | Fetch and advance the output of a stream. | | Buckets | **Bucket - Read** | View information on raw data buckets. | | Buckets | **Bucket Item - Read** | Download items from raw data buckets. | | Buckets | **Bucket - Write** | Add or remove raw data buckets. | | Buckets | **Bucket - Append** | Upload data to buckets. | | Integrations | **Integration - Read** | View information on external integrations. | | Integrations | **Integration - Write** | Add or remove integrations with external services. | | Utility | **Alert - Read** | View alerts, and issues raised by them. | | Utility | **Alert - Write** | Create, modify and delete alerts. | | Utility | **Appliance Configuration - Read** | Fetch appliance configs. | | Utility | **Appliance Configuration - Write** | Upload new or replace existing appliance configs. | ## Managing user and group roles (Automation Cloud) :::important Until all existing tenants are migrated to the new RBAC experience, you will still have the manage access experience as presented in the [Managing projects](https://docs.uipath.com/communications-mining/automation-cloud/latest/user-guide/managing-projects-legacy) documentation. ::: :::note You must have either the **Service Admin** role or the **Project Admin** role assigned to manage user and group roles. ::: To manage roles, proceed as follows: 1. Once you log into Communications Mining, select the gear icon. 2. Select the **Manage Access** tab in the **Administration** page. 3. Start managing roles in the **Service** or **Project** sections, depending on what roles you have. ### Viewing available roles To view the available roles for a specific scope, either a tenant or a project, proceed as follows: 1. Go to the **Manage Access** tab. 2. Select either **Service** or a specific project. :::note **Service** displays all roles, including project roles. ::: 3. Select the **Roles** tab. To view the permissions that each role grants, select the eye icon for a specific role. For more details, check Roles and permissions. ### Adding a user or group to a project To add a user or Automation Cloud group to a project, you need to assign them a role. For more details on adding users to Automation Cloud groups, check [Managing access in the Automation Cloud](https://docs.uipath.com/automation-cloud/automation-cloud/latest/admin-guide/managing-access). To add users or Automation Cloud groups to a project, proceed as follows: 1. Go to the **Manage Access** tab, and select a project. 2. Select **Assign role** under the **Role assignments** tab. 3. In the **Names** field of the **Assign roles** side panel, enter the names of the users or groups you want to assign roles to. 4. Select a name from the drop-down list, where all available users and groups in the tenant are displayed. 5. In the **Roles** field, select from the drop-down list the roles you want to assign. 6. Select **Assign**. :::note * The **Organization Administrator** role - can update role assignments at the service level or in any project for any users in the tenant. * The **Project Administrator** role - can update role assignments in any project where they have this role. * The **IXP Service Admin** role - can update role assignments at the service level. ::: Figure 1. The project-level Role assignments tab ![The image shows the Role assignments tab at project level.](https://dev-assets.cms.uipath.com/assets/images/ixp/ixp-the-image-shows-the-role-assignments-tab-at-project-level-542178-edd62562.webp) Figure 2. The project-level Assign roles side panel ![The image shows the Assign roles side panel after you select the Assign roles button.](https://dev-assets.cms.uipath.com/assets/images/ixp/ixp-the-image-shows-the-assign-roles-side-panel-after-you-select-the-assign-roles-button-542182-0e59bcea.webp) ### Assign service roles to a user or group To assign service roles to a user or group, proceed as follows: 1. Go to the **Manage Access** tab, and select a project. 2. Select **Assign role** under the **Role assignments** tab. 3. In the **Names** field of the **Assign roles** side panel, enter the names of the users or groups you want to assign roles to. 4. Select a name from the drop-down list, where all available users and groups in the tenant are displayed. 5. In the **Roles** field, select from the drop-down list the roles you want to assign. 6. Select **Assign**. :::note * The **Organization Administrator** role - can update role assignments at the service level or in any project for any users in the tenant. * The **Project Administrator** role - can update role assignments in any project where they have this role. * The **IXP Service Admin** role - can update role assignments at the service level. ::: Figure 3. The service-level Role assignments tab ![The image shows the Role assignments tab at service level.](https://dev-assets.cms.uipath.com/assets/images/ixp/ixp-the-image-shows-the-role-assignments-tab-at-service-level-542186-076238c7.webp) ### Editing or removing existing role assignments To edit or remove any existing role assignments, proceed as follows: 1. In the **Manage Access** tab, select **Service** or a specific project. 2. Select the **Role assignments** tab to locate the user or group whose role you want to update or remove. 3. Select the ellipsis for the user or group you want to edit or remove. 4. Select **Edit** or **Remove**, depending on the case. 1. **Edit** - allows you to add additional roles to the user or group, or remove existing ones. 2. **Remove** - removes the user or group from the project. A warning pop-up appears, which states the action is permanent. Next, select the **Remove** button in the warning pop-up to confirm the deletion. ## Access control for group-based project roles (Automation Cloud) When you assign project roles to groups, the users part of those groups can access any projects the groups are added to. This means the users can view the data within those projects, which might not be appropriate for a large group of users, especially in regulated industries. For more details, check [Understanding the data structure and permissions](https://docs.uipath.com/communications-mining/automation-cloud/latest/user-guide/understanding-the-data-structure-and-permissions). ### Access control for single sign-on (SSO) As a best practice, when you use single sign-on (SSO), segregate groups at relevant and appropriate access levels. For example, if only a limited set of users should have access to a specific project, create a per-project group to provision access to that project. Otherwise, unauthorized people might access the data. :::note If strict segregation is required and data must not be shared across teams, consider using a separate Automation Cloud tenant. ::: ### Access control for Automation Cloud groups When using Automation Cloud groups, determine if everyone in the group should have access to the project data. This ensures that you only grant access to the right people and maintain proper data security. ### Default Project access and group mappings IXP does not automatically grant access to the **Default Project** folder in **Manage Access** to all users. The access depends on whether the user is part of an Automation Cloud group. Each default Automation Cloud group is mapped to a corresponding permission set in the **Default Project**, as described in the following table: | **Automation Cloud group** | **Default Project role** | | --- | --- | | Everyone | IXP Viewer | | Automation Developers | IXP Developer | | Administrators | IXP Project Admin |