ROQ Platform is equipped with an advanced access management system that allows defining which user or user group can see or change data residing on ROQ platform.


Users are always saved on the project side and then synced to ROQ Platform. The mechanism is explained here: User management

User group

Like users, also user groups are maintained on the project side. To be able to use them on ROQ Platform side they need to be synced over, see User groups


A role is a set of permissions that can be related to a user or user group (see schema below). Usually, a role has a self-descriptive name like “user_admin”


A permission grants access to a resource of ROQ Platform (e.g. “file”).

How it works

Manage roles

You can create a new role in the console. A role is defined by its name, an optional description, and its set of permissions. Roles can be assigned to users and user groups as shown in this schema:

You can do this via GQL or in the console here:

Add permissions

For each role you can add multiple permissions. A permission is identified by the name of the resource and the action, ,file.write or file.delete

On each permission you can set the scope:




Everyone can perform the selected action on the resource.


Only the related user can perform the selected action on the resource.


Users of the same user group can perform the selected action on the resource.