Access Control in Answer Engine

Once a user has access to an org/instance of Answer Engine, all content access is granted through our Access Control system. By default, users have no access to any content in the system; they receive access only through the access levels granted to them via their Roles and their Attributes. This article gives an overview of how this access control works.

Roles

A Role is a concept in Answer Engine which contains a list of users and a list of access levels. Roles are the only mechanism through which content is accessible in Answer Engine, and Roles may combine to represent the wide and complex range of access levels across all of a client’s connected systems.

Roles are additive. If a user has multiple Roles, she gets all of the access of all of the Roles she is attached to. This access map is resolved when a user logs in or switches orgs.

Roles may be created, renamed, updated, or deleted by Admins at any time in Settings. All changes to all Admin controls are logged for audit purposes.

Controls granted by Roles

In addition to content access, Roles also control a variety of functionality and experience throughout the UI. The levels of each control below are listed from highest to lowest, and users get the highest level granted by any of the Roles they are a member of.

  • Source

    • ON: Users have access to this Source and it is included in searches unless overridden by user preference or a configured Guided Conversation.

    • ON but Opt-In: Users have access to this Source but it is not included in searches unless overridden by user preference or a configured Guided Conversation.

    • OFF: Users do not have access to this Source as members of this Role. They may still have access via other Roles they are members of.

  • Articles (f.k.a. CMS Sections)

    • ON with Priority: Users who are members of this Role are subscribed to this Section and may not unsubscribe. Articles from this Section will appear in search and research results.

    • ON: Users who are members of this Role are subscribed to this Section but may unsubscribe. Articles from this Section will appear in search and research results.

    • ON but Opt-In: Users who are members of this Role are unsubscribed from this Section but may subscribe. Articles from this Section will appear in search and research results.

    • OFF: Users do not have access to this Section as members of this Role. They may still have access via other Roles they are members of.

  • Collections (Collection Groups)

    • Priority: Users who are members of this Role see this Collection Group at the top of their View All Collections page. Collections from this group also appear in their Collections Flyout in the navbar. This Collection Group appears on their homepage if their homepage has content enabled (that is, the Manage Feature Prompt Mode Homepage Experience is OFF).

    • Featured: Users who are members of this Role see this Collection Group on their Collections page.

    • None: Users who are members of this Role do not have this Collection Group visible anywhere. They may still choose to subscribe to individual Collections within the Group, or be granted the Collection Group via another Role they are members of.

System Roles

Some Roles are created by Answer Engine to provide basic functionality and to synchronize access with external systems. System Roles behave functionally just like other Roles; however, their user membership is managed and they may not be renamed or deleted.

  • System Role Named Users (f.k.a. Default) represents all logged-in users who have access to an instance. Granting content to this Role means everyone who has logged in gets access to this content.

  • System Role Anonymous Users represents all users of an instance, including those who have authenticated anonymously through an external application. This Role is only available when the Allow anonymous access setting is enabled.

  • System Roles named <<SITE_NAME>> are automatically created when auto-provisioning of access levels is enabled for that Source.
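The following sketch models the rules from "Controls granted by Roles" and "System Roles": every applicable Role is merged, and for each item the highest-ranked level wins. It is an added illustration, not Answer Engine code; the data layout, function names, and the sample roles, sources and users are all assumptions made for the example.

```python
# Added illustration: a model of the rules described above, not Answer Engine code.
# Levels are listed lowest to highest, so a higher index outranks a lower one.
LEVELS = {
    "source": ["OFF", "ON but Opt-In", "ON"],
    "articles": ["OFF", "ON but Opt-In", "ON", "ON with Priority"],
    "collections": ["None", "Featured", "Priority"],
}
NAMED_USERS = "Named Users"
ANONYMOUS_USERS = "Anonymous Users"


def roles_for(user, roles, allow_anonymous):
    """Return the names of every Role that applies, System Roles included."""
    applied = {name for name, role in roles.items() if user["name"] in role["members"]}
    if user["logged_in"] and NAMED_USERS in roles:
        applied.add(NAMED_USERS)      # everyone who has logged in
    if allow_anonymous and ANONYMOUS_USERS in roles:
        applied.add(ANONYMOUS_USERS)  # only when anonymous access is enabled
    return applied


def resolve_access(user, roles, allow_anonymous=False):
    """Merge all applicable Roles; for each item the highest-ranked level wins."""
    effective = {}
    for role_name in sorted(roles_for(user, roles, allow_anonymous)):
        for (kind, item), level in roles[role_name]["grants"].items():
            rank = LEVELS[kind].index(level)  # ValueError on an unknown level
            best = effective.get((kind, item))
            if best is None or rank > LEVELS[kind].index(best[0]):
                # Keep the granting Role so a reviewer can trace each level.
                effective[(kind, item)] = (level, role_name)
    return effective  # items never granted stay absent: no Role, no access


# Constructed sample data (hypothetical role, source and user names).
ROLES = {
    NAMED_USERS: {"members": set(), "grants": {("source", "Public KB"): "ON"}},
    "Support": {"members": {"ana"}, "grants": {
        ("source", "Ticketing"): "ON but Opt-In",
        ("source", "HR Drive"): "OFF",
        ("articles", "Release Notes"): "ON"}},
    "Support Leads": {"members": {"ana"}, "grants": {
        ("source", "Ticketing"): "ON",
        ("articles", "Release Notes"): "ON with Priority",
        ("collections", "Playbooks"): "Featured"}},
}
ANA = {"name": "ana", "logged_in": True}
GUEST = {"name": "guest", "logged_in": False}
```

Because each resolved level is stored with the Role that granted it, the same map shows which Role is responsible for an unexpectedly broad grant, such as content exposed through Named Users.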

Attribute-Based Access

You can give access to all users matching an attribute using Attribute-Based Access. This section will explain what Attribute-Based Access is, how it relates to Role-Based Access, and how to use it.

Attributes vs. Roles

Attribute-Based Roles are a special type of Role that is automatically given to users matching certain criteria. Here is a table explaining the difference between Attributes and Roles.



 


| | Role | Attribute |
|---|---|---|
| Gives access to a set of sources | Yes | Yes |
| Gives access to a set of CMS sections | Yes | Yes |
| Access is the sum of all of the Roles plus Attribute Roles a user has | Yes | Yes |
| Can be created by Admins | Yes | Yes |
| Can be assigned to users | Yes | No |
| Automatically assigned to users of a certain Group | No | Yes |



Creating Attribute-Based Access

Creating new Attribute-Based Access is as simple as a journey through Settings. Follow the steps below to create a new Attribute and assign it to your first user.

  1. Log in as an Admin.

  2. Navigate to Settings > Roles > Attributes.

  3. Click Add Attribute.

  4. Select the type of Attribute and name your Attribute.

    1. Note: If your Attribute Type does not exist, a developer must add it first via Support.

  5. Grant your Attribute Source access as needed.

  6. Navigate to Settings > Users.

  7. Click Edit User for the user you wish to assign this Attribute to.

  8. Scroll down to Attributes and select the Attribute you created next to the Attribute Type.

  9. If you need to remove or edit Attributes or Roles, the best course of action is to file a detailed support ticket.

