# Users and Roles

To prepare users to work with OE and Make, you need to configure their accounts and set the correct authorizations. The users have to be added to the tenant and assigned to the proper user groups, which carry the access rights for the roles they will perform.

To achieve this, open the **Users and Groups** dashboard, which allows you to manage the users’ data in general, both for Commerce Engine (CE) and for Orchestration Engine (OE). Using the dashboard, you can add, edit and delete users' data. You can also manage users by filtering or sorting by users’ first name, last name, e-mail address, department, or status.

The status types are:

* Green - the user is active
* Grey - the user account is locked

<figure><img src="/files/u365VB1Icyno9zSU6Zvc" alt=""><figcaption></figcaption></figure>

## Definitions

**User** - an employee using the Emporix Management Dashboard.

**User Group** - a group of users that share some common characteristics, such as performing a similar job. A user group defines access controls for its users.

**Role** - a combination of predefined permissions that allow users to perform some actions on resources within the system. You can apply a role to a user group.

**Permission** - a mechanism for limiting what actions a user belonging to a role can perform on specific resources.

**Access controls** - a combination of roles and resources. For example, a user with a `manage` access control on product resources can view, create, delete, and edit product entities.

**Resource** or **Entity** - the object type within the Emporix Management Dashboard.

**Action** - the ability to perform an action on entities of a specific type.

This diagram shows a high-level view of the relationships between users, groups, and roles:

```mermaid
---
config:
  layout: fixed
  theme: base
  look: classic
  themeVariables:
    background: transparent
    lineColor: "#9CBBE3"
    arrowheadColor: "#9CBBE3"
    edgeLabelBackground: "#FFC128" 
    edgeLabelTextColor: "#4C5359"
---
flowchart LR

    Users["Users<br/>(registered OE tenant users)"]
    UserGroups["User Groups<br/>(e.g., OE Editor)"]
    AccessControls["Access Controls<br/>(e.g., Value Stream Editor)"]
    Roles["Roles<br/>(e.g., Editor)"]
    Permissions["Permissions<br/>(e.g., OE Edit)"]
    Resources["Resources<br/>(e.g., OE Value Stream)"]

    Users --- UserGroups
    UserGroups --- AccessControls

    AccessControls --- Roles
    Roles --- Permissions
    Permissions --- Resources

    AccessControls --- Resources

    %% Rounded shapes
    Users@{ shape: rounded }
    UserGroups@{ shape: rounded }
    AccessControls@{ shape: rounded }
    Roles@{ shape: rounded }
    Permissions@{ shape: rounded }
    Resources@{ shape: rounded }

    %% Styling
    Users:::NodeStyle
    UserGroups:::NodeStyle
    AccessControls:::NodeStyle
    Roles:::NodeStyle
    Permissions:::NodeStyle
    Resources:::NodeStyle

    classDef NodeStyle fill:#F2F6FA, stroke:#4C5359
```

## Creating a user

To create a user of Management Dashboard:

1. In **Management Dashboard**, go to the **Administration** module -> **Users and Roles**.
2. Click **Create New User** and fill in all the fields. They're all mandatory.
3. Choose **Save** to add your new user to the users list. The user automatically receives an email invitation to join the tenant.

If you decide to stop adding the new user, you can use the **Discard** option. It clears all the fields and removes the data you’d entered.

It's also possible to add **multiple users** to your tenant at one time. You can do that through the Developer Portal using the CSV import users feature. For more information, see the [Developer Portal](/ce/getting-started/developer-portal/manage-users.md) documentation.

{% hint style="warning" %}
If the user already had an active account, or is an existing user of a different tenant, they are visible as an active user right away, without the provisioning status.
{% endhint %}

<figure><img src="/files/bsZ8BbPtYrspsK3q9wOd" alt=""><figcaption></figcaption></figure>

## User groups and roles

To allow your user to access the Management Dashboard, you need to set up the correct access controls. To do this, assign the users to the right user groups. Every user group can be assigned roles with associated permissions. When you assign a user to a group, you give them the permissions that the roles have.

<figure><img src="/files/obqD1IXhNiJjVGsyQfjl" alt=""><figcaption></figcaption></figure>

The default groups for OE are:

| User Group | Description - level of access and permissions                                                                                 | Access - Roles in Orchestration Engine | Access - Roles in Make                                                                                                                                  |
| ---------- | ----------------------------------------------------------------------------------------------------------------------------- | -------------------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------- |
| OE Viewer  | The users in the viewers group have read access only, they cannot modify anything.                                            | OE read access                         | Member                                                                                                                                                  |
| OE Editor  | The users in the editors group can edit OE value stream and Make scenarios.                                                   | OE read and edit access                | <ul><li>Make application developer <code>integromat.app\_developer</code></li><li>Make scenario editor <code>integromat.scenario\_edit</code></li></ul> |
| OE Manager | The users in the group can conduct the development tasks, such as creating applications in Make.                              | OE read, edit and manage access        | <ul><li>Make application developer <code>integromat.app\_developer</code></li><li>Make scenario editor <code>integromat.scenario\_edit</code></li></ul> |
| OE Admin   | The users in this group can conduct administration tasks such as adding users to the tenant or creating applications in Make. | OE read, edit, manage and admin access | <ul><li>Make owner</li><li>Make scenario editor <code>integromat.scenario\_edit</code></li></ul>                                                        |

### Creating a user group

{% hint style="warning" %}
We recommend using only the OE user groups that are provided by default. Still, it's possible to create custom user groups.
{% endhint %}

The groups are created in the **Groups** tab. You need to provide a group name with a description, plus set the relevant access controls.

1. In the **Administration** module, go to **Users and Groups**.
2. Go to the **Groups** tab and click **Create New Group**.
3. In the **General** section, provide the group's name and description.
4. For roles specific to OE, choose the **Standard** role and select **Orchestration Engine** from the drop-down menu. You can then select one of the predefined access rights - Viewer, Editor, Manager or Administrator.

<figure><img src="/files/tYHwJWfW7iIg2ZPghWL5" alt=""><figcaption></figcaption></figure>

5. Set up the group access rights in the **Management Dashboard Settings** section. For groups used solely for OE, choose **OE** in **Access** to define permissions for OE-specific resources:
   * **Read** access selected: a user is able to see entities of a specific type
   * **Edit** access selected: a user is able to see and edit entities of a specific type
   * **Manage** access selected: a user is able to see, edit, create, and delete entities of a specific type
   * **Administrate** access selected: a user is able to do all available actions on the entities of a specific type
   * none selected: a user is not able to see entities of a specific type

Use the checkboxes to define the access rights only for the particular types the group is supposed to have access to. If a group is not supposed to manage or even see a particular entity in the Management Dashboard, don't select any permission.

<figure><img src="/files/fEKvRl8EWU098kVaHyty" alt=""><figcaption></figcaption></figure>

{% hint style="warning" %}
You can see that the access controls are correlated and selecting one of the available access controls for a specific entity automatically selects the same access control for another one. This behavior ensures that users get the same access to the related resources.\
To disable existing access rights for an entity, uncheck the checkbox.
{% endhint %}

6. Confirm with **Save**.

When creating a new group, or editing an existing one, you can add the group’s users right away in the **Members** tab.

### Permissions

To see the permissions assigned to a specific group, open a particular group in **Administration** -> **Users and Groups** and check the **Management Dashboard Settings**.

{% hint style="info" %}
Set the relevant user permissions at the group level. Users can belong to several groups with different access rights. By assigning users to relevant groups, you control what they are able to see and/or edit in the Management Dashboard. Bear in mind that if you assign a user to two groups that have different permissions set for a specific resource, the manage permission overrides the read permission and the user is able to manage the resource, not only view it.
{% endhint %}
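The following added example (not Emporix code) shows how to review the effect described above: it computes a user's effective access per resource across all of their groups and lists where a second group raises access above a baseline group. It generalizes the manage-over-read rule to the full Read < Edit < Manage < Administrate order from the access list, which is an assumption; the `Support` group, resource keys, and e-mail addresses are constructed.

```python
# Added example: data below is constructed, not an Emporix export format.
LEVELS = ["none", "read", "edit", "manage", "administrate"]  # ascending order (assumed)
RANK = {name: i for i, name in enumerate(LEVELS)}

# Constructed sample: group -> {resource: access level}
GROUP_ACCESS = {
    "OE Viewer": {"value_stream": "read", "scenario": "read"},
    "OE Manager": {"value_stream": "manage"},
    "Support": {"scenario": "edit"},  # hypothetical custom group
}
# Constructed sample: user -> groups
MEMBERSHIPS = {
    "alice@example.com": ["OE Viewer"],
    "bob@example.com": ["OE Viewer", "OE Manager", "Support"],
}

def effective_access(groups, group_access=GROUP_ACCESS):
    """Return {resource: (level, granting_group)}; the highest level wins."""
    result = {}
    for group in groups:
        for resource, level in group_access.get(group, {}).items():
            current_level = result.get(resource, ("none", None))[0]
            if RANK[level] > RANK[current_level]:
                result[resource] = (level, group)
    return result

def escalations(memberships, baseline_group, group_access=GROUP_ACCESS):
    """List (user, resource, level, group) where another group grants more
    than the baseline group does for the same resource."""
    base = group_access.get(baseline_group, {})
    findings = []
    for user, groups in memberships.items():
        if baseline_group not in groups:
            continue
        for resource, (level, group) in effective_access(groups, group_access).items():
            if RANK[level] > RANK[base.get(resource, "none")]:
                findings.append((user, resource, level, group))
    return sorted(findings)

if __name__ == "__main__":
    for finding in escalations(MEMBERSHIPS, "OE Viewer"):
        print(finding)
```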

Check the diagram below to see the details of the relationship between user groups, roles, access controls and permissions in OE:

<figure><img src="/files/5cE6ROEo7DfxpcdkH0xa" alt=""><figcaption></figcaption></figure>

{% hint style="info" %}
To learn more about how identity and access management works in Emporix, see [Identity and access management (IAM)](/ce/system-management/authentication-and-authorization/authorization/iam.md) and [IAM Service](/api-references/api-guides/users-and-permissions/iam.md) API documentation.
{% endhint %}

{% hint style="info" %}
To learn more about the roles in Make, see [Make - Organization Roles](https://www.make.com/en/help/access-management/organizations#organization-roles).
{% endhint %}

## Synchronizing users between OE and Make

Prerequisites:

* The user must be a part of one or more OE user groups.
* The user must have at least one of the following roles assigned within the OE user group: `integromat.scenario_edit` or `integromat.app_developer`.

To start with the synchronization:

1. Choose the users that you want to have access to Make and assign them to the right groups as defined in the prerequisites section. The system automatically scans all OE users' permissions and identifies those users who have the `integromat.scenario_edit` or `integromat.app_developer` roles.
2. Add the selected users to your Make organization (tenant). Once the eligible users are identified, the system automatically adds them to the list of authorized users of their corresponding Make organization as **member** users.

When you add a user to your Make organization, they receive an email notification with instructions on how to access and set up their account.

{% hint style="info" %}
To learn more about managing users in Make, see [Make - Adding Users to Organizations](https://www.make.com/en/help/access-management/organizations#adding-users-to-organizations).
{% endhint %}

When any changes are made to the groups an OE user belongs to, the synchronization process is triggered to ensure that the user's access to the Make organization is up-to-date. Users receive a new email invitation whenever their group membership is altered.

{% hint style="danger" %}
If a user's group membership is modified and the user no longer has one of the two specified roles assigned (Integromat Scenario Editor or Integromat App Developer), the user still retains access to the Make organization. In this case, an administrator should manually remove the user's entry from the Make organization to maintain a consistent and secure environment.
{% endhint %}
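Because removal from Make is manual, a periodic reconciliation helps find accounts that kept access after losing both roles. The following is an added example, not Emporix or Make code: it compares OE group memberships against a list of Make organization members and reports who should be removed. The input structures, the simplified role sets per group, the e-mail addresses, and the `allowlist` parameter (for accounts managed directly in Make) are assumptions.

```python
# Added example: inputs are constructed; build them from your own tenant and
# Make organization member lists.
MAKE_ROLES = {"integromat.scenario_edit", "integromat.app_developer"}  # roles named on this page

# Constructed sample data (role sets per group are simplified).
GROUP_ROLES = {
    "OE Viewer": set(),
    "OE Editor": {"integromat.app_developer", "integromat.scenario_edit"},
    "OE Admin": {"integromat.scenario_edit"},
}
USER_GROUPS = {
    "ana@example.com": ["OE Editor"],
    "Ben@example.com": ["OE Viewer"],            # moved from OE Editor to OE Viewer
    "cy@example.com": ["OE Viewer", "OE Admin"],
    "dee@example.com": [],                       # removed from every group
}
MAKE_MEMBERS = ["ana@example.com", "ben@example.com",
                "dee@example.com", "svc@example.com"]

def eligible_for_make(user_groups, group_roles):
    """E-mails of users holding at least one Make role through any group."""
    eligible = set()
    for email, groups in user_groups.items():
        roles = set()
        for group in groups:
            roles |= group_roles.get(group, set())
        if roles & MAKE_ROLES:
            eligible.add(email.strip().lower())
    return eligible

def reconcile(user_groups, group_roles, make_members, allowlist=()):
    """Compare Make membership with OE eligibility (case-insensitive e-mails)."""
    eligible = eligible_for_make(user_groups, group_roles)
    members = {m.strip().lower() for m in make_members}
    keep = {a.strip().lower() for a in allowlist}
    return {
        # Still in Make without either role: candidates for manual removal.
        "remove_from_make": sorted(members - eligible - keep),
        # Hold a role but are not yet members: synchronization not completed.
        "missing_in_make": sorted(eligible - members),
    }

if __name__ == "__main__":
    print(reconcile(USER_GROUPS, GROUP_ROLES, MAKE_MEMBERS, allowlist=["svc@example.com"]))
```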

