Contour adopts Role Based Access Control (RBAC) process to enable flexible user permissions. Access to the system is provisioned through
- A role is an allowable set of actions. Usefully, Contour Cloud comes with a built-in set of roles for simplified set-up
- A user can be assigned with multiple roles, which will give the user permissions under all those roles.
- A user can only login if they have been assigned at least one (1) role.
- A user can also be assigned a mix of administrator as well as business roles. For example, a user can be assigned with an Identity Administrator, Node Administrator, as well as a
Makerrole. Then, this user will be able to administrate the node, an identity, as well as draft transactions in the identity.
The following permissions are available in Contour and can be assigned to user created roles.
|Permission Name||Allowed Actions|
Roles can be created and given the permissions above, see the guide here
Built-in Roles for Contour Cloud
For simplicity, these roles will be setup and available for each identity by default. Identity administrators may choose to deactivate or edit these roles as they require.
|Role Name||Description||Assigned Permission|
|Checker||Verify transaction drafted by Maker||Check|
|Approver||Approve Transaction verified by Checker||Approve|
Recommended Set-ups for Transaction Approvals
Using the built-in roles above, Contour recommends the following set-up depending on your internal control requirements.
If no checks are required, assign the 3 roles to a single user.
4-eyes (Maker -> Checker)
To enforce 4-eyes approvals ensure you have 2 users set-up and then make the following role assignments
- User 1: Maker
- User 2: Checker & Approver
6-eyes (Maker -> Checker -> Approver)
To enforce 6-eyes approvals ensure you have 3 users set-up and then make the following role assignments
- User 1: Maker
- User 2: Checker
- User 3: Approver
The following roles exist and cannot be modified.
Every Identity has an Identity Administrator role. to be assigned to users to perform admin actions, such as User Administration. This role does not have any transaction/business permissions. If you require your Identity Admins to perform transactions, they will need to be assigned additional roles as per above.
Contour strongly recommends having at least 3 Users with the Identity Administrator role, as some user management actions mandate 4-eye approval.
Self-managed members will additionally have a Node Administrator role to mange their node. This role does not have any transaction/business permissions. If you require your Node Admins to perform transactions, they will need to be assigned additional roles as per above.