The management of roles and permissions is a fundamental part of security management. It allows defining which actions and functionalities users can perform according to their role.
Instead of assigning permissions directly to users, permissions are managed through roles. These roles, assigned to users, control their access to actions in the Backoffice and also determine access to specific assistants from the Frontend.
When creating a project, four default roles are generated that allow different levels of access and functions:
- This role grants access to the Backoffice for working with the project, including creating assistants, viewing requests, viewing and creating API tokens, and more.
- This role includes the "Project Member" role; in addition, it allows working with the list of members and defining roles within the project.
- This role grants Frontend access to all active project assistants.
- This role provides access only to the Frontend and the assistants configured for it.
  It is intended for situations where you need to give access to certain project assistants without the users being registered members of the project, so it cannot be assigned directly to users.
  Note: This role is only visible in GeneXus Enterprise AI environments that allow Frontend access for non-member users, such as on-premises installations where access is managed through other mechanisms, for example membership in an Azure Entra ID group. If this option is not enabled at a general level in the environment, the role will not be visible.
Each project user is assigned one or more roles, and the management of users and permissions is carried out in the Members section. Here you can view the list of users with access to the project, modify the assigned roles, or revoke access completely.
In addition, new members can be added by entering their email address and selecting the corresponding roles. Invitations are processed automatically if the user is logged in to GeneXus Enterprise AI.
Keep in mind that the invitation is sent by email and is valid for 72 hours if the user has never logged in; after that, it expires and a new one must be generated.
The Invitation History records all actions related to the assignment and revocation of roles, including the person responsible for each action.
Note: The management of Roles and Members is only available for users with 'Organization member' and 'Project Administrator' roles.
Migration to the new Roles and Permissions Management System