Access Management

Access Management


Access management in SaaS applications involves regulating who can access the application and what actions they are allowed to perform. This is accomplished through roles and permissions, which bestow varying levels of access to different users.

With ROQ's access management system, you can:

  • Specify roles (e.g., admin, member, clerk).
  • Assign these roles to users.
  • Decide what each role allows – maybe viewing certain pages or pressing specific buttons.
  • Control what data each role can see.
  • Set permissions and apply them to the application.

The Big Picture

The entire ROQ system works in coordination to ensure seamless access management. To better understand how ROQ Access Management, let's use an analogy.

🍾 ROQ Club Analogy

Imagine you're the club owner, and you decide who gets to enter and what they can do inside. Access Management for SaaS applications works similarly – it controls who enters an application and their actions inside. In our context, these rules are called roles and permissions.

The ROQ platform in this analogy is a secure club where members get special access based on their membership cards.

  • Membership Desk: At this desk, members get cards that determine where they can go and what they can do inside the club. This card-giving process is like assigning roles and permissions in the system, which decides what each user can see and do.

    In the ROQ platform this Membership Desk is the ROQ Console (opens in a new tab), specifically the access management section.

  • Tailored Club Experience: As club staff check your card before letting you into VIP areas or offering special services, the club system ensures users see only what their roles allow. Think of it as having doors within the club that are only open for specific cards, ensuring members have a unique experience tailored to their privileges.

    In the ROQ platform, database interaction and user customization heavily depend on the user's access.

  • Super-Efficient Clerk: Instead of manually selecting what each card can do, imagine an intelligent clerk at the desk who quickly gives out the best membership cards based on common choices.

    This is like AI Assistant on the ROQ platform, which auto-sets user roles and permissions based on predefined templates to make things quicker and easier.

ROQ's access management is like a high-tech club where your membership card determines your access and experience. Combines the power of user-configured roles and permissions with an AI-driven automatic setup to deliver a robust, flexible, and efficient access management system.

How It Works

Using our previous analogy, imagine you're at the entrance of our high-tech club, the ROQ Club, and let's explore how access management comes to life in a familiar setting.

🎫 Membership Desk

The ROQ Console (opens in a new tab) is like the club's Membership Desk. Here, various membership cards (roles and permissions) are crafted.

Just as a VIP card might grant its holder special privileges in a club, permissions in ROQ define what actions a user can perform. When setting up these permissions, you're essentially deciding what doors or areas each membership card can access – be it all rooms (all records), just their reserved lounge (own records), or spaces exclusive to their group or friends (tenant).

🚪 Access The Club

With a card in hand, your experience within the club is personalized. ROQ ensures that the boundaries set by each card are respected throughout the club, from the bar to the VIP lounge, including its various rooms and services (UI Components and APIs).

🎉 Customizing The Club

Remember, you can also customize the club's rules (permissions) to fit the unique theme of your event or in the ROQ point of view, the event is the project!

For more information on how to set up permissions for your project, please refer to the documentation on Project Permissions.

🔧 Behind the Scenes

Dive deeper into the club's operations:

On a more technical note, our club uses an advanced system called Query Plans that instantly knows what each member is allowed to do based on their membership card.

All member details and activities are kept safe in a main vault (think of this as the database). But when you're in the club, the kiosks you interact with (akin to ROQ's app or user interface) only show info that's relevant to member, ensuring a personal touch.

And here's the fun twist: While the club's main stage captures the broad strokes, the real action is on the dance floor. That's where all real-time interactions, or in techy terms queries, happen. In our tale, this dance floor symbolizes our app's environment.

Filter Down Data of A Query

In the ROQ Club, the way you retrieve information about attendees from your database mimics the club's special entrance system.

For instance, consider you have a digital guest list named /club-guests. This list gives details about everyone currently enjoying the club. The club system (query plan) filters this list based on the type of membership card:

  • An Admin cardholder (akin to club management) is granted full access to the list, seeing every guest present.
  • A VIP Member cardholder can view a filtered list featuring only those partying in the VIP lounge.
  • A Regular Member cardholder is granted a more limited view, seeing details of just their group and perhaps a few acquaintances.

This dynamic filtering ensures that each member gets a personalized and secure experience in the club, just as tailored queries ensure that each user interacts with the data meant for them. The complexity of managing these multiple views and permissions is made simple through the club's entrance system, or in our technical terms, the Query Plan.

For an in-depth dive into how the ROQ Query Plan works, check out this link.

Roles, Permissions, and Scopes


Roles are assigned directly to users. In our analogy, roles correspond to the types of membership cards a user holds in the ROQ Club or levels of access one might have.

Picture it this way:

  • Mary is our Club Manager, with the master key, overseeing everything.
  • Jane flaunts her VIP Member badge, granting her special privileges and access to elite zones.
  • John, with his Regular Member status, enjoys the main and some exclusive events.
  • Richard, as a Guest Attendee, is here to taste the ROQ Club experience but might not have the full access other members enjoy.

So, when discussing roles in the ROQ Club, consider them different membership tiers or categories: Club Manager, VIP Member, Regular Member, and Guest Attendee. Each has its own perks and access limits.

This documentation section explains more about roles on the ROQ Console. For a tutorial on how to assign or unassign roles from a user using ROQ's Node.js SDK API, please read this tutorial.


Permissions define the privileges associated with each user. Think of permissions as the exclusive benefits and experiences each club member is entitled to based on their membership type.

Imagine a Platinum Cardholder at the ROQ Club. This elite member would have special access to premium zones like the Platinum Lounge and might be invited to some behind-the-scenes events, all thanks to the perks tied to their card.

These club privileges (permissions) are broken down as follows:

  • The specific club zone or service (e.g., Platinum_Lounge),
  • The activity or benefit they can indulge in (entry, table booking, bring a friend, or attend private shows`),
  • And the range or span of that benefit (anytime access, personal, or with a crew privileges).

Access Levels

To specify access levels for your application, select an object type or entity.

Imagine you're planning a special night at the ROQ Club and want to determine who gets access to various parts of the club, like the Platinum_Lounge. Think of these parts as object types or entities. If a particular area of the club isn't listed, it's probably because it wasn't considered during the initial planning of the event.

Please read more about entity in this documentation.

For each club area (entity), you can decide the following access levels, which can be thought of as different privileges or activities members can engage in:

LevelClub Analogy
ReadLets the member peek into the area, like viewing the inside of the Plainum_Lounge
CreateAllows the member to set up a personal spot or reserve a table in that area
UpdateLets the member make changes to their spot or order in that area, like changing their drink or adding decorations
DeleteGives the member the authority to clear their space or remove their reservation in the area


In our analogy, the ROQ Club, the Scope is like the boundaries set for different members based on their membership cards. It decides the extent of the club they can explore and the events they can join.

Visualize the scopes as follows:

ScopeClub Analogy
AllA member can visit all areas and events within the club.
OwnA member is restricted to their reserved lounge or private event.
TenantAccess is confined to areas or events designated for their group or party.

In essence, just like different passes give varying access at a festival or event, these scopes determine how much of the ROQ Club's experience a member can enjoy.

You will find the necessary information in the following two documents regarding platform permissions and project permissions.


Use ROQ's Access Management API for custom application development or to enhance generated application access management.


These tutorials will explain many concepts and implementations of ROQ's Access Management API, such as how to cache query plans, protect API routes, deactivate access management for development, etc.