To assign roles to a user or unassign them, we can use ROQ's Node.js SDK API. For a step-by-step guide on how to accomplish this, please read this tutorial.
Depending on their roles and permissions, users will have varying levels of access to different entities. ROQ offers access management that operates through a query plan, which is computed from the user's current permissions and the database tables. To understand how this provides access to different entities, check out this tutorial on filtering data by user roles.
To make changes to user roles and permissions, you can use the ROQ Console. It's important to note that these changes will impact query plans and should be applied to both generated and custom applications. ROQ offers several methods for updating query plans; see the tutorial on how to cache query plans.
When using an application generated by ROQ, it's important to secure the API routes. This can be achieved by verifying the user's level of authorization or role-based access and permissions. For more information, check out the tutorial on how to protect API routes.
On the client side of the generated application, we must implement security measures to ensure that only users with the appropriate access and permissions can access the pages. Read the How to protect application pages tutorial to learn more.
During local development, it is possible to disable access management. This bypasses all user permission settings, so that users act as super administrators. This can be particularly helpful during development. See the documentation on how to skip authorization.