Overview of RBAC

The Ditto portal provides the ability to create, modify, and delete custom roles, allowing you to set fine-grained read-write access controls to app data.

With custom roles, you can define organization hierarchies for permissions delegation and set permissions for portal functionality like viewing collections, querying tokens, transferring apps between organizations, and more.

Organization Permissions Settings

When configuring access control for roles within an organization, there are various types of privileges you can choose from.

These can be accessed from the role editor, available under Settings > Roles.

The following table provides an overview of the various settings you can configure for roles within an organization.

Some permissions have dependencies on others.

For example, a role with Accept incoming app transfer requests permission will also have View incoming app transfer requests.

Where this applies, the dependent permissions are selected automatically when you select a permission in the role editor.

| Setting | Description |
| --- | --- |
| Accept incoming app transfer requests | Initiate, approve, or cancel requests to transfer apps between organizations |
| Access audit logs | Review audit logs |
| Create an app | Set up new apps |
| Manage organization members | Oversee and administer the membership of an organization |
| View organization details | Access and view details related to the organization |
| View incoming app transfer requests | See requests from other organizations to transfer apps into the organization |
| Reject incoming app transfer requests | Decline requests from other organizations to transfer apps to the organization |
| Update the organization details | Modify information related to the organization |
| View access grants | Review the permissions granted to specific users, roles, or organizations |
| Manage access grants | Control and administer access privileges granted to other roles within the organization |

App Permissions Settings

The following is an overview of the various settings that, once assigned, grant end users the ability to manage the app. (See Creating Roles)

| Setting | Description |
| --- | --- |
| Access app data | Access mesh-generated transactional data |
| Modify app data | Make changes to mesh-generated transactional data |
| Access app data bridges | Access CDC Data Bridges and their connection info |
| Manage app data bridges | Create, update and delete CDC Data Bridges |
| Cancel a request for an app transfer | Withdraw active requests to transfer apps to other organizations |
| Request offline-only licenses | Manage the licenses designating apps for offline usage |
| Delete an app | Permanently remove apps |
| Create API keys | Generate unique identifiers used for authentication and authorization access to app data |
| Delete API keys | Revoke authentication and authorization to access app data |
| View app metrics | Review various analytics associated with apps |
| View app details | Access and review specific information and settings associated with apps |
| Access API keys | View the API keys used for authentication and authorization to access app data |
| Access offline-only licenses | View the licenses designating apps for offline usage |
| Initiate a request for the transfer of an app | Transfer ownership of apps to other organizations |
| Update app details | Modify the information and settings associated with apps |
| Access a MongoDB connector | Access the MongoDB connector configuration |
| Manage a MongoDB connector | Make changes to the MongoDB connector configuration |

Organization Roles

To establish role-based access controls for your organization:

1. Create new roles with the desired settings. (Creating New Roles)
2. Designate roles for the appropriate end users within your organization. (Assigning Roles to End Users)

Creating New Roles

To add a new role to your organization:

1. From your organization, click Settings.
2. Click Roles.
3. Click Add new role.
4. Select or deselect the settings you want to apply to your new role, and then click Create role.

For organization members to regain read-write access to app data, enable Access app data and Modify app data in the **App permissions** as shown in the following graphic.

Once you’ve created your role with read-write access permissions, make sure to assign the role to your members as appropriate. (Assigning Roles)

Assigning Roles to End Users

Once you’ve created a role, assign it to the appropriate end users within your organization:

1. From Settings > Members, click Invite member located on the right.
2. From the Invite users modal that appears:

  1. Enter the email belonging to the end user you want to add.
  2. Click Role and select the role type you want to assign.
  3. Click Add to list.
  4. When finished adding end users to the invite, click Invite users.

Viewing Pending Member Invitations

Once a member is assigned a role, Ditto automatically sends a formal invitation to the email address specified in the invite, which must be accepted before RBAC privileges take effect.

To view a list of invitations waiting for approval, go to Settings > Members in the portal. A complete list of invitations is displayed within Pending member invitations, as shown in the following graphic:

Modifying and Deleting Roles

To edit a role’s settings or permanently remove a role from your organization:

1. From your organization, click Settings.
2. Click Roles.
3. Click the three-dot menu next to the role you want to modify or delete:

  • To modify, select Edit.
  • To permanently remove, select Delete.

Ditto Employee Access Grants

There are circumstances in which Ditto’s support team requires elevated privileges to access your app data, for instance, to troubleshoot an issue.

Ditto employees can only access your app data with an approved access grant. An access grant is a formal authorization provided by any of the following to approve the access request initiated by Ditto:

  • Current organization owner
  • Organization roles configured with **Manage access grants** privileges

Once an access grant is accepted, you can revoke it at any time. (See Revoking Access)

For more information, see Organization Permissions Settings and Accepting Access Grants.

Granting Access

To approve a Ditto-initiated access grant:

1. Click Apps.
2. From Access grants, click Accept.

Revoking Access

Once an access grant is approved, you can end access at any time:

1. Click Apps.
2. From Access grants, click Revoke access.