> ## Documentation Index
> Fetch the complete documentation index at: https://docs.metabind.ai/llms.txt
> Use this file to discover all available pages before exploring further.

# Roles Overview

> Define permission sets for role-based access control

Roles define sets of permissions that can be assigned to users, controlling their access to various features and resources within Metabind. Users follow a pure Role-Based Access Control (RBAC) model where permissions are never stored directly on user objects.

## The Role Object

<ParamField body="id" type="string">
  Unique identifier (UUID)
</ParamField>

<ParamField body="name" type="string">
  Role name (e.g., "editor", "developer")
</ParamField>

<ParamField body="description" type="string">
  Role description
</ParamField>

<ParamField body="permissions" type="object">
  Permission settings for each resource type
</ParamField>

<ParamField body="createdAt" type="string">
  Creation timestamp (ISO 8601 format)
</ParamField>

<ParamField body="updatedAt" type="string">
  Last update timestamp (ISO 8601 format)
</ParamField>

## Permission Categories

Roles control access to 10 resource types, each with specific actions:

### Administrative Resources

| Resource        | Actions                      | Description                  |
| --------------- | ---------------------------- | ---------------------------- |
| `organizations` | read, update, delete         | Organization settings access |
| `projects`      | create, read, update, delete | Project management           |
| `users`         | create, read, update, delete | User management              |
| `roles`         | create, read, update, delete | Role management              |
| `apiKeys`       | create, read, update, delete | API key management           |

### Development Resources

| Resource       | Actions                               | Description             |
| -------------- | ------------------------------------- | ----------------------- |
| `components`   | create, read, update, delete          | Component development   |
| `packages`     | create, read, update, delete          | Package publishing      |
| `contentTypes` | create, read, update, publish, delete | Content type management |

### Content Resources

| Resource  | Actions                               | Description        |
| --------- | ------------------------------------- | ------------------ |
| `content` | create, read, update, publish, delete | Content management |
| `assets`  | create, read, update, delete          | Asset management   |

<Note>
  Content and content types have a separate `publish` permission, allowing editorial workflows where users can create and update drafts but not publish.
</Note>

## Inherited Permissions

Certain organizational features inherit permissions from related core resources:

* **Collections**: Inherit from `components` permissions
* **Folders**: Inherit from the resources they organize
* **Saved Searches**: Inherit from `content` and `assets` permissions
* **Tags**: Inherit from `content` and `assets` permissions
* **Preview Links**: Inherit from source resource permissions

## Example Role Object

```json theme={null}
{
  "id": "role123",
  "name": "editor",
  "description": "Content management with publishing rights",
  "permissions": {
    "organizations": {
      "read": true,
      "update": false,
      "delete": false
    },
    "projects": {
      "create": false,
      "read": true,
      "update": false,
      "delete": false
    },
    "users": {
      "create": false,
      "read": false,
      "update": false,
      "delete": false
    },
    "roles": {
      "create": false,
      "read": false,
      "update": false,
      "delete": false
    },
    "apiKeys": {
      "create": false,
      "read": false,
      "update": false,
      "delete": false
    },
    "components": {
      "create": false,
      "read": true,
      "update": false,
      "delete": false
    },
    "packages": {
      "create": false,
      "read": true,
      "update": false,
      "delete": false
    },
    "contentTypes": {
      "create": false,
      "read": true,
      "update": false,
      "publish": false,
      "delete": false
    },
    "content": {
      "create": true,
      "read": true,
      "update": true,
      "publish": true,
      "delete": true
    },
    "assets": {
      "create": true,
      "read": true,
      "update": true,
      "delete": true
    }
  },
  "createdAt": "2024-03-20T10:00:00Z",
  "updatedAt": "2024-03-20T10:00:00Z"
}
```

## Permission Computation

When checking a user's permissions:

1. All roles assigned to the user are retrieved
2. Permissions from all roles are merged using OR logic
3. If any role grants a permission, the user has that permission

This allows flexible role composition where users can have multiple specialized roles.
