This section is a high-level explanation of the ScaffoldHub roles and permissions. For low-level and implementation, refer to the Architecture > Security section.
Both frontend and backend validate permissions. On the backend, the validation happens on each endpoint.
To understand ScaffoldHub security, you must understand those concepts:
Permission is very specific actions users can perform. Examples are customer create, audit log read, or user delete.
A role is a group of permissions. For example, an admin (role) can create users (permission), view audit logs (permission), etc.
Out-of-the-box ScaffoldHub has two roles: Admin and Custom. The idea is that you manually create more roles based on your business context.
Users can have multiple roles in multiple tenants. For example, a user can be a viewer (role) and an entity editor (role) on Workspace A (workspace), and an admin (role) on Workspace B (workspace).
For this demonstration, we will have the following setup:
email@example.com with the admin role.
firstname.lastname@example.org with the custom role.
The admin role has all the permissions.
The custom role has permission to read customers, create customers, and read products.