> ## Documentation Index > Fetch the complete documentation index at: https://developer.fabric.inc/llms.txt > Use this file to discover all available pages before exploring further. # Managing User Scope With fabric’s role-based access control settings, you can restrict which users are authorized to manage or access certain parts within each tenant. ## Key Concepts | **Term** | **Description** | | ------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | | **User** | A person who has access to your organization’s tenant. Each user can have one or more roles and scopes that control what they can access. | | **Scope** | A set of rules that determine which resources a user can access. Scopes are defined using attributes. | | **Attribute** | A specific property or key-value pair that helps define access rules within a scope. For example *brand: Nike* or *region: North America*. Attributes in the context of scope represent resource characteristics or user permissions. Users are assigned attributes based on their roles or responsibilities. | | **Resource** | An asset or entity within the fabric Copilot app, such as Offers or Orders, that can be accessed or managed by users. Resources have attributes that define access permissions, determining which users can view or manage them based on their assigned scope. | | **App** | A functional module or service within fabric that organizes related resources. Apps provide specific capabilities and manage resources, such as promotions in the Offers app. | ## Scope Logic The logic for determining access in user access management follows a [union principle](https://www.speedsolving.com/wiki/index.php/Union_Principle#:~:text=The%20Union%20Principle%20is%20a,the%20%22any%20piece%22%20problem.), ensuring flexibility when managing user access to resources. ### Key rules for scope Attributes are assigned to users as part of their role or scope settings. Copilot administrators define attributes when configuring access levels. A user might receive attributes based on factors such as: * Their department or team. For example, *region: North America*. * The brands they manage. For example, *brand: Nike*. * Their role-specific permissions. For example, *category: Electronics*. Users without scope attributes: * Can access all resources, regardless of the resource's attributes. * New users start with full access until a scope is assigned. Users with multiple scope attributes: * Can access a resource if any of their attributes match the resource's attributes. * Can access a resource if any of the user’s attributes is a partial match with the resource's attributes. * Can't access a resource if none of the resource's attributes match with user's attributes. These rules provide a balance between controlled access and flexibility, ensuring users can access appropriate resources based on their scope. ### Example Scenarios | **Case** | **User's Scope** | **Resource's Attributes** | **Access** | | ---------------------------------------------------------- | ----------------- | ------------------------- | ---------- | | User has a brand, and the promotion has the same brand. | `brand: Nike` | `brand: Nike` | ✅ Granted | | User has no brands, and the promotion has brands. | No brand assigned | `brand: Adidas` | ✅ Granted | | User has no brands, and the promotion has no brands. | No brand assigned | No brand assigned | ✅ Granted | | User has a brand, and the promotion has no brand. | `brand: Nike` | No brand assigned | ✅ Granted | | User has a brand, and the promotion has a different brand. | `brand: Nike` | `brand: Adidas` | ❌ Denied | ## Prerequisites Ensure you have administrator privileges to edit or delete user access settings. ## Procedure 1. In the left menu, click **Settings > Account Settings**. The **Account Settings** page is displayed. 2. Click **User Management**. The **User Management** page is displayed. 3. In the **User** column, click the **Edit Roles** icon. The user profile is displayed. 4. Do one of the following: * If the user already has a role and you want to add more scope to their role, click **Add Scope** next to the role in the **Scope** column and skip to step 7.\ The **Add Scopes** window is displayed. * If the user has no roles, click **Add Roles & Scopes**.\ The **Add Roles & Scopes** window is displayed. 5. In the **Role Set** field, select the roles you want enabled for the user. Multiple roles can be selected. 6. Click **Add Scopes**. The fields **App** and **Resource** are displayed. 7. In the **App** field, select an app you want to use for the user's scope. 8. In the **Resource** field, select a resource of the app you want to use for the user's scope. The fields **Attribute key** and **Attribute value** are displayed. 9. In the **Attribute key** field, select the attribute type you want to use for the user's scope. The selection of **Attribute key** varies across organizations. To discuss your attribute options, contact your customer success manager. 10. In the **Attribute value** field, select the specific attribute you want to use for the user's scope. 11. (Optional) Click **Add Another Scope** as needed. 12. (Optional) Click **Add Another Role Set** as needed. 13. In the **Add Roles & Scopes** window, click **Save** 14. In the user profile, click **Save** The user's roles and scope settings are updated in the **User Management** table.