---
title: "Role-Based Access Control - DreamFactory Documentation"
source: "https://wiki.dreamfactory.com/Security/Role_Based_Access"
canonical_url: "https://wiki.dreamfactory.com/Security/Role_Based_Access"
converted_at: "2026-04-05T00:28:37.447Z"
format: "markdown"
converted_by: "html-to-md-ai"
---
# Security/Role Based Access

	
**Configure granular permissions for API access using DreamFactory's role-based access control system**

## Contents

- [1 Role Based Access Control (RBAC)](#Role_Based_Access_Control_(RBAC))

- [2 Quick Reference](#Quick_Reference)

- [3 Permission Hierarchy](#Permission_Hierarchy)

- [4 Creating Role Based Access Controls](#Creating_Role_Based_Access_Controls)

- [5 Example Role](#Example_Role)

- [6 See also](#See_also)

## Role Based Access Control (RBAC)

## Quick Reference

| Concept | Description |
|---------|-------------|
| **Role** | A named set of permissions that define which services and operations are allowed |
| **Service** | An API endpoint (database, file storage, etc.) |
| **Component** | A specific resource within a service (e.g., `_table/employees`) |
| **Access** | HTTP methods allowed (GET, POST, PUT, PATCH, DELETE) |
| **API Key** | Authentication token associated with one or more roles |

## Permission Hierarchy

```
API Key → Role(s) → Service Access → Component Access → HTTP Methods
```

## Creating Role Based Access Controls

Over time your DreamFactory instance will likely manage multiple APIs. Chances are you're going to want to silo access to these APIs, creating one or several API keys for each. These API keys will be configured to allow access to one or some APIs, but in all likelihood not all of them. To accomplish this, you'll create a *role* which is associated with one or more services, and then assign that role to an *API Key*.

To create a role, in the left navbar click on the **Role Based Access** tab:

[![](/images/e/e2/Role-navbar.png)](/File:Role-navbar.png)
Creating a Role for your DreamFactory API

Click the purple + button to create a new Role. You are prompted to enter a role name and description. Unlike the service name, the role name is only used for human consumption, so be sure to give it a descriptive name such as `MySQL Role`. There is an **Access Overview** section to identify the API(s) which should be associated with this role. The default interface looks like this:

[![](/images/5/5e/Role-access-overview.png)](/File:Role-access-overview.png)
Name your Role

The **Service** select box contains all of the APIs you've defined thus far, including a few which are automatically included with each DreamFactory instance (`system`, `api_docs`, etc). Select the `mysql` service. Now here's where things get really interesting. After selecting the `mysql` service, click the **Component** select box. This select box contains a list of all assets exposed through this API! If you leave the **Component** select box set to `*`, then the role has access to all of the API's assets. However, you're free to restrict the role's access to one or several assets by choosing, for example, `_table/employees/*`. This would limit this role's access to *just* performing CRUD operations on the `employees` table! Further, using the **Access** select box, you can restrict which methods can be used by the role, selecting only `GET`, only `POST`, or any combination of methods.

If you want to add access to another asset, or even to another service, just click the plus sign next to the **Advanced Filters** header, and an additional row is added to the interface:

[![](/images/2/28/Mysql-role-access.png)](/File:Mysql-role-access.png)
Assign a Service to the Created Role

Use the new row to assign another service and/or previously assigned service component to the role. In the screenshot you can see the role has been granted complete access to the `mysql` service's `employees` table, and read-only access to the `departments` table.

Once you are satisfied with the role's configuration, click **Save** to create the role. With that done, it's time to create a new API Key and attach it to this role.
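The role in the screenshot can be written down as data and checked before it is attached to an API key. The following is an added example, not DreamFactory's own code: it models the Service, Component and Access levels of the hierarchy with deny-by-default evaluation and flags rows that grant more than read access or use the `*` component. The dict keys, function names and the assumption that `x/*` also covers `x` itself are hypothetical.

```python
# Added illustration: a model of the role rows described above, not DreamFactory code.
# The dict keys and all function names are hypothetical.
WRITE_METHODS = {"POST", "PUT", "PATCH", "DELETE"}

# Constructed role matching the screenshot: full access to employees,
# read-only access to departments, both on the mysql service.
MYSQL_ROLE = [
    {"service": "mysql", "component": "_table/employees/*",
     "access": {"GET", "POST", "PUT", "PATCH", "DELETE"}},
    {"service": "mysql", "component": "_table/departments/*",
     "access": {"GET"}},
]

def component_matches(pattern, resource):
    """Match a resource path against a component pattern.

    Assumption: "x/*" covers "x" itself and everything below it,
    and a bare "*" covers every asset of the service.
    """
    if pattern == "*":
        return True
    if pattern.endswith("/*"):
        base = pattern[:-2]
        return resource == base or resource.startswith(base + "/")
    return resource == pattern

def is_allowed(role, service, resource, method):
    """Deny by default; allow only when one row matches all three levels."""
    return any(
        row["service"] == service
        and component_matches(row["component"], resource)
        and method.upper() in row["access"]
        for row in role
    )

def audit(role):
    """List rows worth a second look before the role is attached to an API key."""
    findings = []
    for row in role:
        if row["component"] == "*":
            findings.append((row["service"], row["component"], "wildcard-component"))
        if row["access"] & WRITE_METHODS:
            findings.append((row["service"], row["component"], "write-access"))
    return findings
```

Running `audit` over each role before saving it gives a quick list of the rows that should be justified, such as a `*` component on a service that only needs one table exposed.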

## Example Role

Here is an example of a role that gives GET (read) level access to API Generation & Connections.

[![](/images/4/48/Mysql-example-role.png)](/File:Mysql-example-role.png)
Basic all access role for GETs

This role is a good starting point for individuals who will be making API calls using API Docs. Because it is GET-only, the database will not be permanently altered by accident. From here you can change or add permissions to fine-tune the user's permissions in the UI. For instance, you could add PATCH or DELETE to the Access column if the user needs those for testing purposes.

## See also

- [Configuring Windows Authentication for SQL Server](/Security/Sql_Server_Configuration)

- [Authenticating your APIs](/Security/Authentication_Apis)

- [Security FAQ](/Security/Security_Faq)

- [Rate Limiting](/Security/Rate_Limiting)
