# What is RBAC?

RBAC is a policy document that formally states one or more permissions. To assign permissions to a user, you create a policy, which is a document that explicitly lists permissions.

## Concepts

### Create roles

* Roles can be created by the root account only. *(The root account is the one you log in to with your email address.)*
* Roles can be created through the CLI, API or UI.
* Editing roles is simple and straightforward. All users under your root account can view the roles that are assigned to them.

### Attach roles to users or teams

* A role can be created by the root account only.
* A role can be assigned to *Users* and *Teams.*
* A *User* or *Team* can have only one role attached.
* Roles assigned to a *Team* overwrite the roles assigned to a *User.*

### End user effect

* When users log in to the Mobingi ALM dashboard (or interact through the CLI or API), the roles attached to them are evaluated on every action request.
* If an action isn't granted by the role definition, the action will be denied.
* If an action is granted by the role definition, the action will be allowed.

## How does RBAC work?

Before any request goes in, the RBAC module first checks the current user's role settings, then passes or denies the request.

![](/files/-LErwhKLCL-u9U_G5uam)

For requests that are passed, no further action is needed.

For requests that are denied, the client (usually the UI console, API or CLI) receives the following error:

```javascript
HTTP Status Code 403
{
    "RBAC": "Action not allowed"
}
```

As an example, apply the following to your ALM user to allow performing every action except *deleting stacks*:

```javascript
{
    "version": "2017-05-05",
    "statement": [
        {
            "effect": "allow",
            "action": "*",
            "resource": "*"
        },
        {
            "effect": "deny",
            "action": "delete:alm.stack",
            "resource": "*"
        }
    ]
}
```
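The following added example (not Mobingi ALM's own code) models how such a role document could be evaluated per request, so the effect of the allow/deny pair above can be checked before attaching a role. It assumes that `*` matches any value, that other values match exactly, and that an explicit deny wins over an allow regardless of statement order; `create:alm.stack` and the resource id are constructed sample values.

```javascript
// Added example, not Mobingi ALM source code.
// Role document copied from the page above.
const role = {
  version: "2017-05-05",
  statement: [
    { effect: "allow", action: "*", resource: "*" },
    { effect: "deny", action: "delete:alm.stack", resource: "*" },
  ],
};

// Assumption: "*" matches any value; anything else must match exactly.
function matches(pattern, value) {
  return pattern === "*" || pattern === value;
}

// True only if at least one statement allows the request and none denies it.
function isAllowed(roleDoc, action, resource) {
  const statements = Array.isArray(roleDoc && roleDoc.statement) ? roleDoc.statement : [];
  let allowed = false;
  for (const s of statements) {
    if (!matches(s.action, action) || !matches(s.resource, resource)) continue;
    if (s.effect === "deny") return false; // assumption: explicit deny wins, order-independent
    if (s.effect === "allow") allowed = true;
    // Unknown effect values grant nothing, so a typo in "effect" fails closed.
  }
  return allowed; // nothing granted => denied
}

// Returns null when the request may proceed, or the 403 payload shown earlier on the page.
function checkRequest(roleDoc, action, resource) {
  if (isAllowed(roleDoc, action, resource)) return null;
  return { status: 403, body: { RBAC: "Action not allowed" } };
}

// "create:alm.stack" and "stack-example-1" are constructed sample values.
for (const action of ["create:alm.stack", "delete:alm.stack"]) {
  console.log(action, JSON.stringify(checkRequest(role, action, "stack-example-1")));
}
```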


