
Role Based Access Control (RBAC) is a feature that provides fine-grained access to RainMaker APIs for admin users.

RBAC is disabled by default and can be enabled using RainMaker API.

When RBAC is disabled, a flag-based approach is used to grant access to users. In the flag-based approach, there are three levels of authorization:

  1. Super Admin - can perform all operations, including admin operations and platform management operations
  2. Admin - can perform user and admin operations
  3. End user - can perform user operations

The SuperAdmin user can create other admin users to grant them access to admin operations.

To provide more fine-grained access control, RBAC can be enabled. When RBAC is enabled, you can create policies and roles, and attach roles to other users. When a user accesses any API, the roles attached to that user are evaluated to check whether the user is authorized to access the API.

By default, the SuperAdmin user has a SuperAdmin role attached, which allows all operations on all the resources. SuperAdmin can create roles and policies to grant different permissions to users.

The user APIs that are intended for end users are accessible to all RainMaker users regardless of the roles attached to them. RBAC permissions are evaluated only for admin APIs and platform management APIs. Therefore, roles are meant to be assigned to admin users within the organization's internal structure.
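The two authorization modes described above, as an added example that is not RainMaker's own code: the API table, the policy structure (a set of permitted API strings, with "*" meaning all) and the level names are constructed assumptions used only to show how flag-based levels and RBAC role evaluation differ, including the rule that user APIs bypass RBAC.

```python
# Added illustration of the flag-based and RBAC authorization modes.
# The API table and Policy/User shapes are constructed assumptions,
# not the actual RainMaker policy format.
from dataclasses import dataclass, field

USER, ADMIN, PLATFORM = "user", "admin", "platform"  # API classes named on the page

# Constructed sample table: which class each endpoint belongs to (assumption).
API_CLASS = {
    "GET /user/nodes": USER,
    "GET /admin/users": ADMIN,
    "POST /admin/users": ADMIN,
    "PUT /platform/config": PLATFORM,
}

# Flag-based mode: the API classes each of the three levels may call.
FLAG_LEVELS = {
    "superadmin": {USER, ADMIN, PLATFORM},
    "admin": {USER, ADMIN},
    "enduser": {USER},
}


@dataclass(frozen=True)
class Policy:
    """Constructed policy: APIs it permits; '*' permits every API."""
    allow: frozenset


@dataclass
class User:
    level: str                                 # flag-based level
    roles: list = field(default_factory=list)  # roles = lists of policies (RBAC)


# Default role attached to the SuperAdmin user: allows everything.
SUPERADMIN_ROLE = [Policy(frozenset({"*"}))]


def is_authorized(user: User, api: str, rbac_enabled: bool) -> bool:
    """Decide whether `user` may call `api` under the active mode."""
    api_class = API_CLASS[api]
    if not rbac_enabled:
        # Flag-based mode: the user's level alone decides.
        return api_class in FLAG_LEVELS[user.level]
    # RBAC mode: end-user APIs are open to every RainMaker user, roles ignored.
    if api_class == USER:
        return True
    # Admin and platform APIs: any policy of any attached role may grant access.
    return any("*" in p.allow or api in p.allow
               for role in user.roles for p in role)
```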