With fabric’s role-based access control settings, you can restrict which users are authorized to manage or access certain parts within each tenant.

Key Concepts

TermDescription
UserA person who has access to your organization’s tenant. Each user can have one or more roles and scopes that control what they can access.
ScopeA set of rules that determine which resources a user can access. Scopes are defined using attributes.
AttributeA specific property or key-value pair that helps define access rules within a scope. For example brand: Nike or region: North America. Attributes in the context of scope represent resource characteristics or user permissions. Users are assigned attributes based on their roles or responsibilities.
ResourceAn asset or entity within the fabric Copilot app, such as Offers or Orders, that can be accessed or managed by users. Resources have attributes that define access permissions, determining which users can view or manage them based on their assigned scope.
AppA functional module or service within fabric that organizes related resources. Apps provide specific capabilities and manage resources, such as promotions in the Offers app.

Scope Logic

The logic for determining access in user access management follows a union principle, ensuring flexibility when managing user access to resources.

Key rules for scope

Attributes are assigned to users as part of their role or scope settings. Copilot administrators define attributes when configuring access levels. A user might receive attributes based on factors such as:

  • Their department or team. For example, region: North America.
  • The brands they manage. For example, brand: Nike.
  • Their role-specific permissions. For example, category: Electronics.

Users without scope attributes:

  • Can access all resources, regardless of the resource’s attributes.
  • New users start with full access until a scope is assigned.

Users with multiple scope attributes:

  • Can access a resource if any of their attributes match the resource’s attributes.
  • Can access a resource if any of the user’s attributes is a partial match with the resource’s attributes.
  • Can’t access a resource if none of the resource’s attributes match with user’s attributes.

These rules provide a balance between controlled access and flexibility, ensuring users can access appropriate resources based on their scope.

Example Scenarios

CaseUser’s ScopeResource’s AttributesAccess
User has a brand, and the promotion has the same brand.brand: Nikebrand: Nike✅ Granted
User has no brands, and the promotion has brands.No brand assignedbrand: Adidas✅ Granted
User has no brands, and the promotion has no brands.No brand assignedNo brand assigned✅ Granted
User has a brand, and the promotion has no brand.brand: NikeNo brand assigned✅ Granted
User has a brand, and the promotion has a different brand.brand: Nikebrand: Adidas❌ Denied

Prerequisites

Ensure you have administrator privileges to edit or delete user access settings.

Procedure

  1. In the left menu, click Settings > Account Settings.

    The Account Settings page is displayed.

  2. Click User Management.

    The User Management page is displayed.

  3. In the User column, click the Edit Roles icon.

    The user profile is displayed.

  4. Do one of the following:

    • If the user already has a role and you want to add more scope to their role, click Add Scope next to the role in the Scope column and skip to step 7.
      The Add Scopes window is displayed.
    • If the user has no roles, click Add Roles & Scopes.
      The Add Roles & Scopes window is displayed.
  5. In the Role Set field, select the roles you want enabled for the user.

    Multiple roles can be selected.

  6. Click Add Scopes.

    The fields App and Resource are displayed.

  7. In the App field, select an app you want to use for the user’s scope.

  8. In the Resource field, select a resource of the app you want to use for the user’s scope.

    The fields Attribute key and Attribute value are displayed.

  9. In the Attribute key field, select the attribute type you want to use for the user’s scope.

    The selection of Attribute key varies across organizations. To discuss your attribute options, contact your customer success manager.

  10. In the Attribute value field, select the specific attribute you want to use for the user’s scope.

  11. (Optional) Click Add Another Scope as needed.

  12. (Optional) Click Add Another Role Set as needed.

  13. In the Add Roles & Scopes window, click Save

  14. In the user profile, click Save

The user’s roles and scope settings are updated in the User Management table.