> ## Documentation Index
> Fetch the complete documentation index at: https://docs.mage.ai/llms.txt
> Use this file to discover all available pages before exploring further.

# Role-based access controls (RBAC)

> Create user defined permissions for CRUD operations on any action or user experience. Add permissions to roles and add roles to users.

export const urls = {
  chat: 'https://www.mage.ai/chat',
  oss: 'https://www.mage.ai/oss',
  pro: 'https://cloud.mage.ai/sign-up'
};

export const ProOnly = ({button = 'Get started for free', description = 'Try our fully managed solution to access this advanced feature.', source = 'documentation', title = 'Only in Mage Pro.'}) => <a href={`https://cloud.mage.ai/sign-up?source=${source}`} className="block my-4 px-5 py-4 overflow-hidden rounded-xl flex gap-3 border border-emerald-500/20 bg-emerald-50/50 dark:border-emerald-500/30 dark:bg-emerald-500/10" target="_blank">
    <div style={{
  display: 'flex',
  alignItems: 'center',
  width: '100%'
}}>
      <div className="text-sm prose min-w-0 text-emerald-900 dark:text-emerald-200" style={{
  flex: 1
}}>
        {title}
        <p className="normal">{description}</p>
      </div>

      <div> </div>

      <div>
        <ProButton label={button} href={`https://cloud.mage.ai/sign-up?source=${source}`} />
      </div>
    </div>
  </a>;

export const ProButton = ({href, label = 'Get started with Mage Pro for free', source = 'documentation'}) => <div style={{
  height: 32,
  position: 'relative'
}}>
    <a target="_blank" className="group px-4 py-1.5 relative inline-flex items-center text-sm font-medium rounded-full" href={href ?? `https://cloud.mage.ai/sign-up?source=${source}`}>
      <span className="absolute inset-0 bg-primary-dark dark:bg-primary-light/10 border-primary-light/30 rounded-full dark:border group-hover:opacity-[0.9] dark:group-hover:border-primary-light/60">
      </span>

      <div className="mr-0.5 space-x-2.5 flex items-center">
        <span class="z-10 text-white dark:text-primary-light">
          {label}
        </span>

        <svg width="3" height="24" viewBox="0 -9 3 24" class="h-5 rotate-0 overflow-visible text-white/90 dark:text-primary-light">
          <path d="M0 0L3 3L0 6" fill="none" stroke="currentColor" stroke-width="1.5" stroke-linecap="round"></path>
        </svg>
      </div>
    </a>
  </div>;

export const ProBanner = ({button = 'Try Mage Pro for free', description, source = 'documentation', title = 'Our fully managed solution for teams is now available!'}) => <a href={`https://cloud.mage.ai/sign-up?source=${source}`} className="block my-4 px-5 py-4 overflow-hidden rounded-xl flex gap-3 border border-emerald-500/20 bg-emerald-50/50 dark:border-emerald-500/30 dark:bg-emerald-500/10" target="_blank">
    <div style={{
  display: 'flex',
  alignItems: 'center',
  width: '100%'
}}>
      <div className="text-sm prose min-w-0 text-emerald-900 dark:text-emerald-200" style={{
  flex: 1
}}>
        {title}
        {description && <br />}
        {description && <p className="normal">{description}</p>}
      </div>

      <div> </div>

      <div>
        <ProButton label={button} href={`https://cloud.mage.ai/sign-up?source=${source}`} />
      </div>
    </div>
  </a>;

<Frame>
  <p align="center">
    <img alt="User defined permissions" src="https://i.pinimg.com/originals/4d/96/3b/4d963bcbda38f5981a3c83b8f99933ae.gif" />
  </p>
</Frame>

<br />

## Overview

Define roles with 1 or more permissions.
Each permission can grant or deny read and write operations on
specific resources (e.g. API endpoints).
One or more roles can be assigned to 1 or multiple users.

### Why is this important?

Control which user can perform specific actions at a granular level.

## Features

<ProOnly source="permissions" />

* Define roles.
* Define permissions.
* Add permissions to 1 or more roles.
* Add roles to 1 or more users.

***

## How to use

### Create roles

<Note>
  You must be the owner or have a role that grants permissions to read and write on the following
  entities:

  * `Permission`
  * `Role`
  * `RolePermission`
  * `UserRole`
  * `User`
</Note>

1. Go the the Mage project settings and click on the navigation row labeled <b>Roles</b>.
2. On the roles list page, there is a button labeled <b>Create default roles and permissions</b>.
   If you click this button, 6 roles and a few hundred permissions will be created.

   The roles are:

   * Admin default permissions
   * Editor default permissions
   * Editor with notebook edit access
   * Editor with pipeline edit access
   * Owner default permissions
   * Viewer default permissions

   Each role will have a set of permissions that match the Mage API policies that are normally
   used to authenticate operations when the user authentication feature is turned on but
   the user permissions feature is turned off.
3. Alternatively, click the button <b>Add new role</b> to create a single new role.
4. Enter in a unique name for the role.
5. Click the button <b>Create new role</b> to save the role.
6. Once you create the role, you’ll be taken to the role detail page.
7. From here, you can add existing permissions to the role.
8. From here, you can add existing users to the role. This will grant permissions or
   deny operations for user.

<Frame>
  <p align="center">
    <img alt="Roles" src="https://mage-ai.github.io/assets/authentication/permissions/roles-detail.png" />
  </p>
</Frame>

### Create permissions

1. Go the the Mage project settings and click on the navigation row labeled <b>Permissions</b>.
2. Click the button <b>Add new permission</b> to create a new permission.
3. Select an entity that these permissions will be applied to.
   An entity refers to a defined API endpoint that currently exists in the Mage application.

   For example, the entity `Pipeline` applies to the API endpoints `/pipelines`.
4. Optionally enter an entity UUID that these permissions are applied to.
   For example, you can grant or deny permissions to a specific pipeline by selecting the entity
   `Pipeline` and entering the entity `UUID` `example_pipeline`.
   This permission will only be applied to the pipeline with the UUID `example_pipeline`.
5. Under the section labeled <b>Access</b>, toggle 1 or more accesses to grant.
   For more information on what each access grants or denies,
   read the [permissions documentation](/authentication/permissions/permissions).
6. Click the button <b>Create new permission</b> to save the permission.
7. Once you create the role, you’ll be taken to the role detail page.
8. From here, you can edit the permission.
9. From here, you can add this permission to existing roles.

<Frame>
  <p align="center">
    <img alt="Permissions" src="https://mage-ai.github.io/assets/authentication/permissions/permissions-detail.png" />
  </p>
</Frame>

### Assign roles to users

1. Go the the Mage project settings and click on the navigation row labeled <b>Users</b>.
2. Click on a row for an existing user.
3. From here, you can assign existing roles to the user.
4. Alternatively, you can add a user to a role by following these steps:
   1. Go to the [roles list page](http://localhost:6789/settings/workspace/roles).
   2. Click on a row for an existing role.
   3. Click the button labeled <b>+Add user</b>.
   4. Select 1 or more users to assign this role to.

<Frame>
  <p align="center">
    <img alt="Users" src="https://mage-ai.github.io/assets/authentication/permissions/users-detail.png" />
  </p>
</Frame>