
Permissions

Contour uses a Role-Based Access Control (RBAC) process to enable flexible user permissions. Access to the system is provisioned through Roles.

  • A role is an allowable set of actions. Contour Cloud comes with a built-in set of roles to simplify set-up.
  • A user can be assigned multiple roles, which gives the user the permissions of all those roles.
  • A user can only log in if they have been assigned at least one (1) role.
  • A user can also be assigned a mix of administrator and business roles. For example, a user assigned the Identity Administrator, Node Administrator and Maker roles will be able to administer the node and the identity, as well as draft transactions in the identity.

Permissions

The following permissions are available in Contour and can be assigned to user-created roles.

Permission Name Allowed Actions
View
  • View Transaction Summary
  • View Transaction details
  • Export to PDF
  • User self service (password/MFA reset, manage email preferences)
Make
  • All actions from 'View' permission
  • Draft new Transaction
  • Update Transaction rejected by checker/approver
Check
  • All actions from 'View' permission
  • Verify/Reject Transaction drafted by Maker
Approve
  • All actions from 'View' permission
  • Approve/Reject Transaction verified by Checker

Standard Roles

Roles can be created and given the permissions above; see the guide here.

Built-in Roles for Contour Cloud

For simplicity, these roles are set up and available for each identity by default. Identity administrators may choose to deactivate or edit these roles as they require.

| Role Name | Description | Assigned Permission |
|-----------|-------------|---------------------|
| Maker | Draft transaction | Make |
| Checker | Verify transaction drafted by Maker | Check |
| Approver | Approve Transaction verified by Checker | Approve |

Using the built-in roles above, Contour recommends the following set-up depending on your internal control requirements.

No Checks

If no checks are required, assign the 3 roles to a single user.

4-eyes (Maker -> Checker)

To enforce 4-eyes approvals, ensure you have 2 users set up and then make the following role assignments:

  • User 1: Maker
  • User 2: Checker & Approver

6-eyes (Maker -> Checker -> Approver)

To enforce 6-eyes approvals, ensure you have 3 users set up and then make the following role assignments:

  • User 1: Maker
  • User 2: Checker
  • User 3: Approver

Administration Roles

The following roles exist and cannot be modified.

Identity Admin

Every Identity has an Identity Administrator role, to be assigned to users who perform admin actions such as User Administration. This role does not have any transaction/business permissions. If you require your Identity Admins to perform transactions, they will need to be assigned additional roles as per above.

Contour strongly recommends having at least 3 Users with the Identity Administrator role, as some user management actions mandate 4-eye approval.

Node Admin

Self-managed members will additionally have a Node Administrator role to manage their node. This role does not have any transaction/business permissions. If you require your Node Admins to perform transactions, they will need to be assigned additional roles as per above.
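
The following is an added example, not Contour's own code or API: it audits a user-to-role mapping against the 4-eyes and 6-eyes set-ups and the Identity Administrator recommendation above, resolving each user's effective permissions across all assigned roles. The role table, the custom role "Ops Lead", the user names, and the reading of 4-eyes as "a user with Make holds neither Check nor Approve" are assumptions made for illustration.

```python
# Added example: all role and user data below is constructed, not exported from Contour.
ROLE_PERMISSIONS = {
    "Maker": {"Make"},
    "Checker": {"Check"},
    "Approver": {"Approve"},
    "Identity Administrator": set(),   # no transaction/business permissions
    "Ops Lead": {"Make", "Check"},     # hypothetical user-created role
}
WORKFLOW = {"Make", "Check", "Approve"}
SAMPLE = {  # constructed assignments following the 4-eyes set-up
    "alice": ["Maker", "Identity Administrator"],
    "bob": ["Checker", "Approver", "Identity Administrator"],
    "carol": ["Identity Administrator"],
}


def effective_permissions(roles):
    """Union of permissions over every role a user holds."""
    perms = set()
    for role in roles:
        perms |= ROLE_PERMISSIONS[role]  # unknown role names fail loudly
    return perms


def audit(assignments, level, min_admins=3):
    """Return a list of findings for a {user: [roles]} mapping.

    "4-eyes": a user with Make must not also hold Check or Approve (assumed reading).
    "6-eyes": a user may hold at most one of Make, Check, Approve.
    """
    findings, admins = [], 0
    holders = {p: set() for p in WORKFLOW}
    for user, roles in sorted(assignments.items()):
        if not roles:
            findings.append(f"{user}: no role assigned, cannot log in")
            continue
        admins += "Identity Administrator" in roles
        held = effective_permissions(roles) & WORKFLOW
        for p in held:
            holders[p].add(user)
        conflict = len(held) > 1 and (level == "6-eyes" or "Make" in held)
        if conflict:
            findings.append(f"{user}: holds {sorted(held)} ({level} violated)")
    findings += [f"no user holds {p}" for p in sorted(WORKFLOW) if not holders[p]]
    if admins < min_admins:
        findings.append(f"only {admins} Identity Administrator(s), {min_admins} recommended")
    return findings
```

Running `audit(SAMPLE, "6-eyes")` flags the second user, because Checker and Approver together are acceptable under 4-eyes but not under 6-eyes.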