Roles

Group permissions into roles and assign them to identities.

Overview

Roles are collections of permissions. Instead of assigning permissions directly, you group related permissions into a role, then assign that role to identities. For example, an Invoice Viewer role might include only invoice.read, while an Invoice Manager role might include invoice.create, invoice.update, and invoice.approve. Roles simplify access management by letting you assign multiple permissions at once.

Scope

Roles are scoped to an Environment

When you create a role, you're creating it in the active Environment — the one selected on the Tenant › Applications page. Two Environments in the same Application keep fully independent role catalogs.

- A role added in Development does not exist in Production until you explicitly promote it
- Renaming or removing a role only affects the Environment you're working in
- A role's permission set, and every identity assignment that uses it, live in the same Environment as the role itself

Use the Promote, Export, and Import actions on the Environment card to move roles between Environments alongside the rest of the configuration.


How Roles Are Used

Roles are assigned to identities at a specific point in your Environment's hierarchy. In flat RBAC, roles are assigned at the root level and apply across the entire Environment. Once assigned, the role grants all of its permissions to that identity.

Example

Continuing the invoice example:

Permissions

- invoice.read
- invoice.create
- invoice.update
- invoice.delete
- invoice.approve

Roles

| Role | Permissions |
| --- | --- |
| Invoice Viewer | invoice.read |
| Invoice Manager | invoice.read, invoice.create, invoice.update, invoice.approve |
| Invoice Admin | All invoice permissions |

An identity assigned the Invoice Manager role can create, update, and approve invoices, but cannot delete them.
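
The invoice example above as a small Python model. This is an added illustration, not the product's API or SDK; the Environment class, its methods, and the identity alice are hypothetical. It assumes flat RBAC with root-level assignment and denies anything no assigned role grants.

```python
from dataclasses import dataclass, field

# Permission catalog from the example above.
INVOICE_PERMISSIONS = frozenset({
    "invoice.read", "invoice.create", "invoice.update",
    "invoice.delete", "invoice.approve",
})

@dataclass
class Environment:
    """Hypothetical model: each Environment owns its roles and assignments."""
    name: str
    roles: dict = field(default_factory=dict)        # role -> frozenset(permissions)
    assignments: dict = field(default_factory=dict)  # identity -> set(role names)

    def define_role(self, role, permissions):
        unknown = set(permissions) - INVOICE_PERMISSIONS
        if unknown:
            raise ValueError(f"unknown permissions: {sorted(unknown)}")
        self.roles[role] = frozenset(permissions)

    def assign(self, identity, role):
        # A role can only be assigned in the Environment where it exists.
        if role not in self.roles:
            raise KeyError(f"{role!r} is not defined in {self.name}")
        self.assignments.setdefault(identity, set()).add(role)

    def is_allowed(self, identity, permission):
        # Deny by default: allowed only if an assigned role grants it.
        return any(permission in self.roles[r]
                   for r in self.assignments.get(identity, ()))

    def roles_granting(self, permission):
        # Review helper: which roles carry a sensitive permission?
        return sorted(r for r, p in self.roles.items() if permission in p)

def build_example():
    dev, prod = Environment("Development"), Environment("Production")
    dev.define_role("Invoice Viewer", {"invoice.read"})
    dev.define_role("Invoice Manager", {"invoice.read", "invoice.create",
                                        "invoice.update", "invoice.approve"})
    dev.define_role("Invoice Admin", INVOICE_PERMISSIONS)
    dev.assign("alice", "Invoice Manager")  # constructed identity
    return dev, prod
```

The roles_granting helper is the kind of check worth running before assigning a role: in this catalog only Invoice Admin carries invoice.delete.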

Next Step

Roles define access, but they don't apply until they are assigned.
