Group Roles and Permissions

To manage user access to specific artifacts (for example, to different namespaces in the Archival service), you can group users with the same roles and permissions together under user groups.

User Groups

When you create an organization account, the Smart Trading Cloud automatically creates the following default groups to differentiate user permissions:

  • All Users

    • The All Users group contains all the users belonging to your organization account. Users in this group have minimum permissions, such as logging into services, viewing general organization's information with no access to administrative part of the Smart Trading Cloud services.

    If you set up auto-registration through registered domains, all the self-registered users will be added to this group.

    When you add a user to another user group or remove this user from that group, you can still find this user in the All Users group. You cannot remove users from the All Users group.

  • Administrators

    • The Administrators group contains users with administrator permissions. Only administrators can modify account properties and add/remove users. To give administrator permissions to a user, add this user to the Administrators group.

  • Applications

    • The Applications group contains pseudo users created to facilitate interaction between Smart Trading Cloud applications and artifacts in the cloud environment. The purpose of this group is to provide a centralized way of managing and granting access to resources for other applications or services that need to interact with the system. By assigning permissions to a Applications group, administrators can control access to resources at a higher level, rather than individually managing permissions for each application or service.

    Some application users are created automatically when you subscribe to a specific service (for example, the MFT service), but you can also create application user accounts manually.

Note You cannot remove default user groups and change their names.

Service-specific user groups

When you subscribe to Smart Trading Cloud services, for some of them, the Smart Trading Cloud creates service-specific user groups with pre-defined permissions. These user-groups are used to manage, which users of your organization have access to a specific service rather than all services available to the organization.

For more information on service-specific groups, refer to the corresponding help topics for FHIR App Developer Portal for FHIR, Endpoint Directory, Compute service, and Member Account service.

You can create more user groups and add users to these groups depending on the roles you want to give them. One user can belong to several groups.

To create a new user group:

  1. On the User Management page ( on the left navigation bar), in Groups, click .
  2. Enter the user group name and click Create.

After you have created a new user group, you can add existing users to this group.

To add a user to a group:

  1. On the User Management page ( on the left navigation bar), in Groups, select the default user group All Users.
  2. In the right pane, under Users, select the check box next to the user(s) you want to add to the group and click Add To Another Group.

    3. - or -

    Select a user and then, in the right section with the list of groups the user belongs to, click .

  3. Select the user group(s) you want to add the user(s) to, and then click Add.

-or-

  1. On the User Management page ( on the left navigation bar), in Groups, select the group you want to add users to.
  2. In the right pane, under Users, click Add.
  3. Select the user(s) you want to add to this group and click Add.

-or-

  1. On the User Management page ( on the left navigation bar), in Groups, select the group from which you want to move a user.
  2. In the right pane, under Users, select the check box next to the user and click Move to Group.
  3. Select the group to which you want to move the user and click Move.

To view all the groups a user belongs to, select this user from the list. The groups will be displayed in the right section, where you can click next to a group to see all the roles assigned to this group, and then click to open this user group.

Roles and Permissions

The Smart Trading Cloud uses a role-based access control method to manage the access of user groups to specific actions in the Smart Trading Cloud services. The access level is defined by a role (namely, the permissions this role has) that can be assigned to one or more of your user groups.

When you (as an account administrator) activate a Smart Trading Cloud service, the following service-defined roles are automatically added to your default groups:

  • The Regular User role is assigned to the All Users group,
  • The Administrator role is assigned to the Administrators group.

To allow several of your regular users to access a specific service (not all the services) as administrators, create a dedicated group for them and add the role of the service administrator to this group.

To add a role to a user group:

  1. Go to the Role Management page ( on the left navigation bar).
  2. In the left pane where roles are listed, next to Service, select a service you want to manage access to.
  3. In the roles list, review what each role allows and select the required role.
  4. In the right pane, on the Groups tab, click Add and select a group to assign this role to.

    5. - or -

  1. Go to the User Management page ( on the left navigation bar).
  2. In User Groups, select the user group you need from the list.
  3. In the right pane, under the group name, expand Group Roles.
  4. Find the service you want to manage access to and click .
  5. On the Add Service Role dialog, select the role you want to assign to this user group and click Add.

Next time the users of this group open the service, they will be allowed to perform actions specified in role permissions.

To create a new role with permissions:

  1. Go to the Role Management page ( on the left navigation bar).
  2. In the left pane where roles are listed, next to Service, select a service you want to add roles to. Note that the service must allow adding custom roles.
  3. On the toolbar above the available roles, click Create.
  4. On the Create Role dialog, enter a role name, for example, Editor.
  5. In ID, enter a unique role ID, for example, Editor_1.

    6. Note The role ID can contain uppercase letters, lowercase letters, numbers, and symbols "-" (dash), "_" (underscore), and "." (dot).

  6. In description, briefly specify what this role allows to do (for example, The users who can make edits).
  7. Click Save.
  8. In the roles list, select the newly created role.
  9. In the right pane, go to the Permissions tab.
  10. Click Add and select the permissions you want to add to this role.

Group Attributes

Note The attribute-based access control method will be deprecated soon. To manage user permissions for the Smart Trading Cloud services, use the role-based access control method.

The Smart Trading Cloud uses an access control method based on attributes to manage the access of user groups to specific artifacts of a service activated for an organization account. An attribute is a string value that belongs to a specific (required) user group and its users to provide them with access to a specific URL. This access control method uses an intelligent, fine-grained, and context-aware authorization model that grants access to resources only if the user possesses the required attribute. The use of attributes allows you to provide additional context for the Smart Trading Cloud to evaluate if the request is legitimate and to grant or deny access.

In the Smart Trading Cloud, the attribute is automatically created when an account administrator activates a Smart Trading Cloud service. The user groups (all users) that belong to this account automatically get the attribute (for example, service/repository) that allows them to access the service.

As an administrator, you can also add attributes manually if you want to give specific user groups access to specific artifacts.

To add a new attribute:

  1. On the User Management page ( on the left navigation bar), in Groups, select the user group to which you want to add an attribute.
  2. In the right pane, under the group name, click next to Group Attributes.
  3. Enter the attribute you want to add, and then click Add.