Role-Based Access Controls

Fides uses Role-Based Access Controls, which means that users can be assigned roles within the organization, each granting a specific set of scopes (permissions).

Available roles

These are the current roles that can be granted to users within your organization:

| Role | Description |
| --- | --- |
| Owner | A user with full control over all settings and systems in Fides. This user can create all types of users and be assigned systems as a data steward. |
| Contributor | A user with full control over all settings and systems in Fides except for some organization-wide system configurations like storage and messaging for privacy requests. This user can create all types of users except Owners and be assigned systems as a data steward. |
| Viewer | A user with read-only access to all settings and systems in Fides. This user can be assigned systems as a data steward. |
| Data Steward | A user with read-only access plus the ability to manage system-integration links. Data Stewards can view all settings and systems, link and unlink systems to integrations, and view monitor steward assignments. This user can be assigned systems as a data steward. |
| Viewer + Approver | A user with read-only access to all settings and systems in Fides who can review and respond to privacy requests. This user can be assigned systems as a data steward. |
| Approver | A user who can only create, approve and respond to privacy requests in the Privacy Request UI. |
| Internal Respondent | A user who can only view and complete manual DSR tasks assigned to them in the Privacy Request UI. |
| External Respondent | An external user who cannot access the Fides UI and can only complete assigned manual DSR tasks via the external task portal. |

Adding roles to users

Setting up your first user

If you do not yet have a user with Owner or Contributor permissions, set up a root user and log in using the root_username and root_password. We recommend not using the root user for Fides management beyond this initial account creation.

The root user is automatically granted all possible scopes.

Within Settings > Users, click on Add new user. Complete the fields for Username, Email address, First name, and Last name. Click Save. If messaging service configuration is set up, an invite will be sent to the associated email address to create a login password.

Once saved, the Permissions tab becomes accessible. Select the correct role and click Save. As an Owner, you will be able to manage all settings in Fides and create additional users.

Configuring other users

To add other users, log in with an Owner or Contributor account and follow the workflow above to assign roles to users within your organization. In the example below, we are adding a user that can manage Privacy Requests.

Log in as an Owner or Contributor.

Within Settings > Users, click on Add new user. Enter the information for the Privacy Request Approver.

In the Permissions tab, add the Viewer & Approver role to that user. This user will be given limited view access to the UI but will be able to create and manage privacy requests and view systems.

Re-inviting users

If a user has not yet accepted their invitation, Fides shows the invitation status on that user's detail page in Management > Users. Users with permission to create users can send a new invitation email from there.

If the original invitation is still active, the page shows Invite pending. If the original invitation has expired, the page shows Invite expired.

To re-invite a user:

  1. Navigate to Management > Users.
  2. Select the user you want to re-invite.
  3. Review the invitation status shown near the top of the user details page.
  4. Click Reinvite user and confirm the action.

When a new invitation is issued, the previously issued invite link is no longer valid. The user must use the most recent invitation email to complete setup.

Assigning systems

Owners, Contributors, Data Stewards, and Viewers can be assigned to systems as Data Stewards (system owners). For Viewers and Data Stewards, this provides an elevated set of permissions to manage the assigned systems without changing their overall permissions.

Note that Owners can edit all systems without being assigned as the Data Steward.

To assign systems to a user, first assign their role (e.g., Viewer & Approver) and then use the Assign Systems+ button to select the systems they should manage. In this example, we click the Viewer & Approver row and then click Assign Systems+.

In the Assign systems modal, toggle on/off the specific systems that you want this user to manage. You may assign all systems using the Assign all systems toggle or use the search to filter to the set of systems you want to assign. Using the Assign all systems toggle with filtered results will only assign the visible systems. When you've made your choices, click Confirm.

In this example, the user has been assigned a Viewer & Approver role which grants view-only access to all settings and systems in Fides. However, they have additionally been assigned as the Data Steward for the Cookie House PostgreSQL Database and the Cookie House Marketing System and can make updates to those specific systems.
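For access reviews, the combination of role and per-system assignment described above can be modelled to list who can actually change a given system. The following is an added example, not Fides code: the `User` record, the user names and the two role sets are assumptions based on a simplified reading of the role table on this page.

```python
from dataclasses import dataclass, field

# Role names come from the table on this page; the two sets below are a
# simplified reading of its descriptions, not Fides scope definitions.
EDITS_ALL_SYSTEMS = {"Owner", "Contributor"}
ASSIGNABLE = EDITS_ALL_SYSTEMS | {"Viewer", "Data Steward", "Viewer + Approver"}

@dataclass
class User:  # hypothetical record, e.g. built from a user export
    name: str
    role: str
    assigned_systems: set = field(default_factory=set)

def can_assign(user):
    """Only roles the table marks as assignable may hold system assignments."""
    return user.role in ASSIGNABLE

def can_edit_system(user, system):
    """Role-wide edit rights, or a per-system assignment on an assignable role."""
    if user.role in EDITS_ALL_SYSTEMS:
        return True
    return can_assign(user) and system in user.assigned_systems

def review(users, system):
    """Return ({editor: reason}, [users holding assignments their role should not have])."""
    editors, anomalies = {}, []
    for u in users:
        if u.assigned_systems and not can_assign(u):
            anomalies.append(u.name)
        if can_edit_system(u, system):
            reason = "role" if u.role in EDITS_ALL_SYSTEMS else "assignment"
            editors[u.name] = reason
    return editors, anomalies

# Constructed sample users; the system names are the ones in the page's example.
DB = "Cookie House PostgreSQL Database"
USERS = [
    User("olivia", "Owner"),
    User("vera", "Viewer + Approver", {DB, "Cookie House Marketing System"}),
    User("victor", "Viewer"),
    User("adam", "Approver", {DB}),
]

if __name__ == "__main__":
    print(review(USERS, DB))
```

The review surfaces read-only users whose assignment makes them editors of a system, and flags assignments held by roles the table does not list as assignable.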
