Skip to content

Role-based Access Control

Contour adopts Role Based Access Control (RBAC). Access to the system is provisioned through Roles.

  • A user (i.e. an account) will only have access to the system if they are assigned with at least one (1) Active role in the system. Otherwise, the user won't have access to the system.
  • A user's (i.e. an account) accesses to the system are determined by the Active roles that they are assigned with.
  • A user can be assigned with multiple roles, which will give the user accesses under all those roles. E.g. a user can be assigned with Maker and Checker role. Then, this user have both draft and verify access for a transaction.
  • A user can also be assigned a mix of administrator as well as business roles. For example, a user can be assigned with an Identity Administrator, Node Administrator, as well as a Maker role. Then, this user will be able to administrate the node, an identity, as well as draft transactions in the identity.

Contour system-defined roles for administrators

Every node has one Node Administrator role. For Self Managed members, this role will performed by staff of the member company. For Contour Cloud members, the Contour Operations staff will adminster the node.

Every identity in the node has a corresponding Identity Administrator role. This role will be performed by staff of the member company.

Role Name Description Functions Remarks
Node admin System Administrators, for IT Administrators to set up the Contour system. Refer here Functions assigned are fixed, cannot be edited.
Identity admin User Administrators, for managers/leads to manage user access based on business needs. Refer here Functions assigned are fixed, cannot be edited.

Built-In business roles for Contour Cloud members

On Contour Cloud, these common roles will be already setup and available in each identity.

Your identity administrators remain in full control to update or deactivate these roles.

Role Name Description Functions Remarks
maker Draft transaction
  • View Transactions
  • Draft new Transaction
  • Update Transaction rejected by checker/approver
checker Verify transaction drafted by Maker
  • View Transactions
  • Verify/Reject Transaction drafted by Maker
approver Approve Transaction verified by Checker
  • View Transactions
  • Approve/Reject Transaction verified by Checker

Self-managed Nodes

For self-managed nodes, the Node Administrator role is created by default. When an identity is onboarded on the node, an Identity Administrator role will be created for the respective identity.