Role Based Access Control

Role-Based Access Control across the ComplyVigilance Platform.

The RBAC model in ComplyVigilance ensures that every action within the platform is performed by authorized users only. This document explains how roles, permissions, and scopes work together to maintain secure access control and operational transparency across the system.


Understanding Global vs Local Roles

  • Global Roles apply platform-wide: a global role's permissions are in effect in every project and project group.
  • Local Roles apply only within the specific projects or project groups the user is assigned to.

A global role does not replace or suppress a local role. If a user holds both, the effective permission set is the union of the two, so the user can perform every action authorized by either role. A practical consequence of this additive model is that assigning an extra role can only widen a user's access, never narrow it; to restrict a user, remove the role rather than adding a narrower one.

Role Hierarchy

The ComplyVigilance RBAC model defines access across four levels: Admin, Global, Local, and AI/Basic Users. Each level grants permissions for specific entities and actions.

The hierarchy below provides a visual overview of how these roles relate across the platform. Global roles apply across the entire platform, while local roles operate within specific project scopes.

🌍 ADMIN
├── GLOBAL ROLES
│   ├── Global Project Manager (GPM)
│   │   ├── Manage Projects & Project Groups (create, update, delete, view)
│   │   └── Manage Tokens (create, view, delete)
│   │
│   ├── Global Project Viewer
│   │   └── View Projects, Project Groups & Tokens
│   │
│   ├── Global Project Scanner
│   │   └── Upload Scans & Manage Tokens
│   │
│   ├── Global User Manager (GUM)
│   │   ├── Manage Users (create, update, delete, roles)
│   │   ├── Manage User Groups (create, update, delete, sync users)
│   │   └── Manage Tokens (create, view, delete)
│   │
│   └── Global User Viewer
│       └── View Users, User Groups & Tokens

├── LOCAL ROLES
│   ├── Project Manager
│   │   └── Full control of assigned Projects & Groups
│   │
│   ├── Project User Manager
│   │   └── Manage Users & Groups in assigned Projects
│   │
│   └── Project Viewer
│       └── Read-only access to Projects & Groups

├── AI User
│   └── Access Optimus & manage tokens

└── Basic User
    └── View public docs and profile, and generate tokens

💡 Tip: Use the hierarchy above to understand scope (who can do what). Use the tables below to understand permissions (what they can do).

Global Roles & Permissions

Global roles provide platform-wide access and apply across all projects, user groups, and organizational scopes.
They are typically assigned to administrators, project owners, or team leads who require cross-project visibility and control.

Each entry below gives the role name, its description, and its key permissions (entity: actions).

Admin
  Full access to all platform features and configurations. Reserved for system administrators.
  • All permissions (system-wide)
  • Manage users, roles, tokens, and configurations
  • Access audit logs and reports

Global Project Manager (GPM)
  Manages all projects and project groups across the organization.
  • project: create, view, view_list, update, delete
  • project_groups: create, view, view_list, update, delete
  • token: create, view, delete

Global User Manager (GUM)
  Manages users, roles, and user groups globally.
  • user: create, view, view_list, update, delete
  • user_roles: create, view, view_list, update, delete
  • user_actions: create, view, view_list, update, delete
  • user_groups: create, view, view_list, update, delete
  • token: create, view, view_list, delete

Global Project Viewer
  Read-only access to all projects and project groups.
  • project: view, view_list
  • project_groups: view, view_list
  • token: create, view, delete

Global Project Scanner
  Can scan and upload to assigned projects only. Ideal for automation accounts or CI/CD integrations.
  • Upload and trigger scans
  • Limited project-level visibility

Global User Viewer
  Read-only access to all users and user groups.
  • user: view, view_list
  • user_groups: view

Project User Manager (Global)
  Manages tokens and project-level user assignments.
  • token: create, view, delete
  • project_user_group: view

AI User
  Can access and use Optimus only.
  • Use AI/Optimus modules
  • No project or user management

Basic User
  Limited access to personal and public content only.
  • View public documentation
  • Access own profile
  • Request demo

Local Roles & Permissions

Local roles apply to specific projects or project groups and define access within those scopes.
They are typically assigned to project managers, reviewers, or collaborators who need controlled access to project-level data and actions.

Each entry below gives the local role name, its description, and its key permissions within the assigned scope.

Project Manager
  Has full control over assigned project groups and their child projects. Cannot view assigned users unless combined with the Project User Manager role.
  • Create, read, update, and delete project groups (including child projects)
  • Manage project configurations and settings
  • Cannot view assigned users unless also a Project User Manager

Project User Manager
  Manages users and user groups within assigned projects. Cannot access the global user directory.
  • View list of assigned users and user groups
  • Add or remove users from assigned projects or groups
  • Search users within the assigned scope
  • No access to the global user list

Project Viewer
  Read-only access to assigned projects and project groups.
  • View project and project group details
  • View scan reports, configurations, and summaries
  • No editing or user management rights
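The following is an added example, not ComplyVigilance code, that shows how the scoping rules above (global roles everywhere, local roles only in their assigned project, both combined by union) resolve into a single deny-by-default authorization check. The global-role permission pairs are transcribed from the "Global Roles & Permissions" table; the entity/action names for the local roles, the `search` action, the Admin short-circuit, and the sample users `alice`, `bob` and `root` are assumptions made for illustration.

```python
"""Effective-permission resolution for the global/local RBAC model
described on this page. Added example, not ComplyVigilance code."""
from dataclasses import dataclass, field
from typing import Dict, FrozenSet, Optional, Set, Tuple

# A permission is an (entity, action) pair such as ("project", "update").
Permission = Tuple[str, str]


def _perms(entity: str, *actions: str) -> Set[Permission]:
    return {(entity, a) for a in actions}


CRUD = ("create", "view", "view_list", "update", "delete")

# Global roles, transcribed from the "Global Roles & Permissions" table.
GLOBAL_ROLE_PERMS: Dict[str, FrozenSet[Permission]] = {
    "Global Project Manager": frozenset(
        _perms("project", *CRUD) | _perms("project_groups", *CRUD)
        | _perms("token", "create", "view", "delete")),
    "Global Project Viewer": frozenset(
        _perms("project", "view", "view_list")
        | _perms("project_groups", "view", "view_list")
        | _perms("token", "create", "view", "delete")),
    "Global User Manager": frozenset(
        _perms("user", *CRUD) | _perms("user_roles", *CRUD)
        | _perms("user_actions", *CRUD) | _perms("user_groups", *CRUD)
        | _perms("token", "create", "view", "view_list", "delete")),
    "Global User Viewer": frozenset(
        _perms("user", "view", "view_list") | _perms("user_groups", "view")),
}

# Local roles. The page describes these in prose, so the entity/action
# names below are an assumption chosen to match the global table's style.
LOCAL_ROLE_PERMS: Dict[str, FrozenSet[Permission]] = {
    "Project Manager": frozenset(
        _perms("project", "view", "view_list", "update", "delete")
        | _perms("project_groups", *CRUD)),
    "Project User Manager": frozenset(
        _perms("project_user_group", "view", "update")
        | _perms("user", "search")),          # search is scoped, never global
    "Project Viewer": frozenset(
        _perms("project", "view", "view_list")
        | _perms("project_groups", "view", "view_list")),
}


@dataclass
class User:
    name: str
    is_admin: bool = False
    global_roles: Set[str] = field(default_factory=set)
    # project_id -> local roles held in that project
    local_roles: Dict[str, Set[str]] = field(default_factory=dict)


def effective_permissions(user: User, project_id: Optional[str] = None) -> Set[Permission]:
    """Union of all global-role permissions plus the local-role permissions
    for `project_id` (if any). Unknown role names contribute nothing, so a
    typo in an assignment fails closed instead of granting access."""
    perms: Set[Permission] = set()
    for role in user.global_roles:
        perms |= GLOBAL_ROLE_PERMS.get(role, frozenset())
    if project_id is not None:
        for role in user.local_roles.get(project_id, set()):
            perms |= LOCAL_ROLE_PERMS.get(role, frozenset())
    return perms


def is_authorized(user: User, entity: str, action: str,
                  project_id: Optional[str] = None) -> bool:
    """Deny by default; Admin short-circuits (the page grants it all permissions)."""
    if user.is_admin:
        return True
    return (entity, action) in effective_permissions(user, project_id)


# Constructed sample users for the demo (not real accounts).
alice = User("alice", global_roles={"Global Project Viewer"},
             local_roles={"proj-A": {"Project Manager"}})
bob = User("bob", local_roles={"proj-A": {"Project User Manager"}})
root = User("root", is_admin=True)


def demo() -> Dict[str, bool]:
    """Authorization decisions that exercise each scoping rule."""
    return {
        # a local role acts only inside its assigned project
        "alice_update_A": is_authorized(alice, "project", "update", "proj-A"),
        "alice_update_B": is_authorized(alice, "project", "update", "proj-B"),
        # the global viewer role still reaches proj-B (union, not override)
        "alice_view_B": is_authorized(alice, "project", "view", "proj-B"),
        # neither of alice's roles touches the user directory
        "alice_list_users": is_authorized(alice, "user", "view_list"),
        # scoped user search works in proj-A, not against the global list
        "bob_search_A": is_authorized(bob, "user", "search", "proj-A"),
        "bob_search_global": is_authorized(bob, "user", "search"),
        "root_delete_user": is_authorized(root, "user", "delete"),
    }


if __name__ == "__main__":
    for check, allowed in demo().items():
        print(f"{check:20s} {'ALLOW' if allowed else 'DENY'}")
```

The check is pure set membership, so a request with no project context (project_id omitted) can never be satisfied by a local role, which is exactly how "no access to the global user list" is enforced for a Project User Manager. A missing or misspelled role name yields an empty permission set rather than an error, so the check fails closed.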

Compliance Alignment

The RBAC model aligns with standard access-control principles defined in ISO/IEC 27001 Annex A.9, Access Control (2013 edition numbering), and the NIST SP 800-53 AC (Access Control) control family, ensuring traceable, auditable, and least-privilege access throughout the platform.