# Roles, Permissions, and Objects

The **Access Control model** in ONEWEB is based on the relationship between **Roles**, **Permissions**, and **Objects**.\
This model enables administrators and application designers to **control user access precisely**, ensuring that users can interact only with the parts of the system they are authorized to use.

This structure follows a **Role‑Based Access Control (RBAC)** approach, which is widely adopted in enterprise systems for its scalability, clarity, and compliance support.

***

### Overview of the Access Control Model

At a high level:

* **Users** are assigned one or more **Roles**
* **Roles** are granted one or more **Permissions**
* **Permissions** define allowed operations on **Objects**
* **Objects** are the resources being protected

This layered model decouples users from direct permission management, making access control easier to administer and audit.

***

### Role

A **Role** represents a **job function or responsibility** within the system and defines an **authority level**.

Characteristics of roles:

* Represent business responsibilities (e.g. User, Manager, Admin)
* Can be assigned to multiple users
* Aggregate multiple permissions
* Simplify access management by grouping capabilities

By assigning roles instead of individual permissions, ONEWEB allows consistent access control across users performing similar tasks.

***

### Permission

A **Permission** defines the **mode of access** to one or more objects.

Permissions typically specify:

* What can be done (view, create, edit, delete, execute)
* On which objects or object groups

Key characteristics:

* Permissions can group multiple objects
* One permission can be reused across multiple roles
* Permissions are never assigned directly to users; a user obtains them only through roles

This approach ensures consistency and reduces configuration duplication.

***

### Object

An **Object** is any resource that requires access control and protection.

Objects in ONEWEB can include:

* UI elements (buttons, textboxes, menus)
* Pages or forms
* Files or documents
* Application functions or features

Each object is associated with one or more permissions, determining who can access or interact with it.

<figure><img src="https://2015371994-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FMpDjHWFRUtZ5nJcSfVXd%2Fuploads%2FbS7vHS9bOD4saNXye1wq%2Fimage.png?alt=media&#x26;token=cf853dc6-deda-4ef4-9ff2-48ed13f6c13b" alt=""><figcaption></figcaption></figure>

***

### Relationship Rules to Remember

The following relationships define how access control works in ONEWEB:

* **A user** can have **multiple roles**
* **A role** can be assigned to **multiple users**
* **A single role** can include **multiple permissions**
* **A permission** can be assigned to **multiple roles**
* **A permission** can cover **multiple objects**

These many‑to‑many relationships allow flexible yet controlled access management.
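The layered model from the overview and the many-to-many rules above, as an added worked example (not ONEWEB's own code or API): permission names, role names, user names and object names are constructed for illustration. The check is deny-by-default, users hold roles only, and the two review helpers flatten a user's effective access and flag a constructed separation-of-duties conflict.

```python
# Constructed example of the Role -> Permission -> Object model (not ONEWEB code).
MODES = ("view", "create", "edit", "delete", "execute")

# A permission groups access modes with the objects it covers (sample names, constructed).
PERMISSIONS = {
    "invoice.read":    {"modes": {"view"}, "objects": {"InvoiceForm", "InvoiceList"}},
    "invoice.manage":  {"modes": {"view", "create", "edit"}, "objects": {"InvoiceForm", "InvoiceList"}},
    "invoice.approve": {"modes": {"execute"}, "objects": {"ApproveButton"}},
    "user.admin":      {"modes": {"view", "create", "edit", "delete"}, "objects": {"UserAdminPage"}},
}

# A role aggregates permissions; one permission may be reused by several roles.
ROLES = {
    "User":     {"invoice.read"},
    "Editor":   {"invoice.manage"},
    "Approver": {"invoice.approve"},
    "Admin":    {"invoice.read", "user.admin"},
}

# Users hold roles only; they never hold permissions directly.
USERS = {
    "alice": {"User"},
    "bob":   {"Editor", "Approver"},
    "carol": {"Admin"},
}

def is_allowed(user, mode, obj):
    """Deny by default: allow only if some role of the user grants a permission
    whose modes include `mode` and whose objects include `obj`."""
    if mode not in MODES:
        raise ValueError(f"unknown access mode: {mode}")
    for role in USERS.get(user, set()):
        for perm in ROLES.get(role, set()):
            p = PERMISSIONS[perm]
            if mode in p["modes"] and obj in p["objects"]:
                return True
    return False

def effective_access(user):
    """Flatten a user's roles into {object: sorted modes}, the view a reviewer
    needs when checking for over-privileged users during a periodic review."""
    result = {}
    for role in USERS.get(user, set()):
        for perm in ROLES.get(role, set()):
            for obj in PERMISSIONS[perm]["objects"]:
                result.setdefault(obj, set()).update(PERMISSIONS[perm]["modes"])
    return {obj: sorted(modes) for obj, modes in result.items()}

def sod_violations(user, conflicting=(("invoice.manage", "invoice.approve"),)):
    """Report permission pairs (constructed rule) that one user must never hold together,
    even when each comes from a different, individually harmless role."""
    held = {perm for role in USERS.get(user, set()) for perm in ROLES.get(role, set())}
    return [pair for pair in conflicting if set(pair) <= held]
```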

***

### Security & Compliance Benefits

This access control model supports security and compliance by:

* Enforcing least‑privilege access
* Supporting separation of duties
* Enabling clear audit trails
* Simplifying permission reviews
* Reducing risk of over‑privileged users

Well‑defined roles and permissions are essential for meeting enterprise governance and regulatory requirements.

***

### Best Practices

* Design roles around business responsibilities, not individuals
* Keep permissions granular but reusable
* Avoid assigning too many permissions to a single role
* Review roles and permissions periodically
* Document role definitions for audit and compliance

***

### Summary

In ONEWEB, access control is governed through a structured relationship between **Roles**, **Permissions**, and **Objects**.

Key takeaways:

* Roles represent authority levels and job functions
* Permissions define allowed operations
* Objects are the protected resources
* Users gain access by role assignment, not direct permissions

This model provides a **scalable, secure, and compliance‑ready foundation** for managing access in enterprise applications built on ONEWEB.
