Define access to learning instances using custom roles

Role-based access control (RBAC) enables or restricts access to new learning instances, related features, and functionality in IQ Bot based on permissions defined for various roles that are configured through the Control Room.

Users with the View and manage roles privilege can create custom roles and assign privileges to roles through the Control Room.

View learning instances
Users can enable view access by selecting any of the following view permissions:
  • View my learning instances

    Allows users to view only the learning instances created by them.

  • View learning instances from the same role

    Allows users to view only the learning instances created using a particular role.

  • View all learning instances

    A user with this privilege can view all learning instances created by all users across all roles.

The actions users can perform on the learning instances they can access depend on the following:
  • The view permission selected for their roles.
  • Whether the learning instance is assigned the same role as the user.
  • Whether the user is assigned a role with the relevant permissions selected.
Note:
  • Users can use the Delete learning instance option only if Edit learning instance is also selected for that role.
  • If users migrating from IQ Bot versions earlier than Version 11.3.5 are unable to view learning instances as before, an admin user with the Assign Roles privilege has to assign permissions to their custom roles and roles to learning instances as required.
View domains
Users with only this permission can view the Domains tab in IQ Bot but do not have permission to import or export domains. Select the Import Domains and Export Domains permissions to enable importing and exporting domains.
View administration
Users with only this permission can view the Administration tab in IQ Bot but do not have permission to import or export learning instances. Select View and manage migration to enable importing and exporting learning instances.
The View and manage migration privilege allows users to migrate only the learning instances they have access to based on the view permission. Therefore, permissions to view these learning instances are necessary.
Note: View domains and View administration permissions work as expected for the standard AAE_IQBOTAdmin role.

Example

The following example explains some of the combinations of permissions set in custom roles. These roles have specific permissions assigned to them that enable users to access learning instances and perform actions:

Roles
  • RoleA = View LI from the same role + Edit + Send learning instance to production
  • RoleB = View LI from the same role + Train
Learning Instance
The learning instance is in staging.
Scenario 1
  • Learning instance has RoleA assigned
  • User2 is assigned RoleA + RoleB

Result:

  • Only User1 will be able to access and perform actions on the learning instance.
  • User1 can only edit and send the learning instance to production.
Scenario 2
  • Learning instance has RoleA assigned
  • User1 is assigned RoleA
  • User2 is assigned RoleA + RoleB

Result:

  • Both User1 and User2 will be able to access the learning instance.
  • Both User1 and User2 can edit and send the learning instance to production.
Scenario 3
  • Learning instance has RoleA + RoleB assigned
  • User1 is assigned RoleA
  • User2 is assigned RoleB

Result:

  • Both User1 and User2 will be able to access the learning instance.
  • User1 will be able to edit and send the learning instance to production, while User2 will be able to only train the learning instance.
Scenario 4
  • Learning instance has RoleA + RoleB assigned
  • User1 is assigned RoleA + RoleB
  • User2 is assigned RoleB

Result:

  • Both User1 and User2 can access the learning instance.
  • User1 can edit, train, and send the learning instance to production, while User2 will only be able to train the learning instance.
Note:
  • When the permissions of the current user role are changed or the user is assigned to a different role, the access control is updated to reflect the latest permissions configured for the assigned role.
  • If a role is deleted, the learning instances created by a user of that role are still accessible to other users with the following roles:
    • AAE_IQ Bot Admin
    • AAE_IQ Bot Services
    • A custom role with permission View all learning instances
    • A custom role assigned to those learning instances with permission View learning instances from the same role
  • Using the AAE_IQ Bot Admin role makes any other additional custom role redundant. An admin user has the default view of an administrator and has access to all learning instances.
  • Exporting or importing learning instances from one IQ Bot environment to another does not migrate roles. Users can use the Assign Roles feature to reassign roles to learning instances as required in the destination environment.
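
The results of Scenarios 2 through 4 above can be reproduced with a small model, added here as an illustration and not taken from IQ Bot itself: a user's actions on a learning instance are the union of the actions of the roles that the user holds and that are also assigned to the instance. That rule is inferred from the scenario results; the action names and RoleC (a role with Delete but not Edit) are constructed for the example.

```python
# Added illustration: models the page's scenarios, not IQ Bot's own code.
# Both page roles use "View learning instances from the same role".
ROLES = {
    "RoleA": {"edit", "send_to_production"},   # from the page
    "RoleB": {"train"},                         # from the page
    "RoleC": {"delete"},                        # constructed: Delete without Edit
}


def role_actions(role):
    """Actions a role grants; Delete is usable only if Edit is also selected."""
    actions = set(ROLES[role])
    if "edit" not in actions:
        actions.discard("delete")
    return actions


def can_access(user_roles, instance_roles):
    """Same-role view: the user must hold a role assigned to the instance."""
    return bool(set(user_roles) & set(instance_roles))


def effective_actions(user_roles, instance_roles):
    """Union of actions from roles held by the user and assigned to the instance."""
    granted = set()
    for role in set(user_roles) & set(instance_roles):
        granted |= role_actions(role)
    return granted


def audit(instance_roles, users):
    """Map each user to (can_access, sorted actions) for one learning instance."""
    return {
        name: (can_access(roles, instance_roles),
               sorted(effective_actions(roles, instance_roles)))
        for name, roles in users.items()
    }


# Scenarios 2 to 4 as stated on the page: (instance roles, user role assignments).
SCENARIOS = {
    2: ({"RoleA"}, {"User1": {"RoleA"}, "User2": {"RoleA", "RoleB"}}),
    3: ({"RoleA", "RoleB"}, {"User1": {"RoleA"}, "User2": {"RoleB"}}),
    4: ({"RoleA", "RoleB"}, {"User1": {"RoleA", "RoleB"}, "User2": {"RoleB"}}),
}

if __name__ == "__main__":
    for number, (instance_roles, users) in SCENARIOS.items():
        print(number, audit(instance_roles, users))
```

In Scenario 2 the model gives User2 no Train action even though User2 holds RoleB, because RoleB is not assigned to the learning instance. This is the case to check when reviewing role assignments for least privilege.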

Views in IQ Bot

A user has the option of three views in IQ Bot based on the roles and permissions assigned to their roles:

Services
Accessible tabs: Dashboard, learning instances, and bots
Note: This is the standard IQ Bot view.
Validator
Accessible tabs: Learning instances (validation only)
Note: This view is visible to a user in the following scenarios:
  • The user is assigned only the AAE_IQ Bot Validator role.
  • The user is assigned custom roles with only Launch Validator action along with a view permission. If any of the assigned roles has any other actions selected, the default Services view will be visible.
Admin
Accessible tabs: Dashboard, learning instances, domains, bots, and administration