# Access control policies
Ontopic Suite implements a hierarchical access control system with three distinct levels:
- Global level - System-wide permissions and administrative roles
- Project level - Access control for specific projects and their resources
- Endpoint level - Fine-grained access control for SPARQL and Semantic SQL endpoints
Access control policies can be configured using:
- Roles - Predefined permission sets (available at all levels)
- Groups - User groups from your identity provider (project and endpoint levels only)
- User IDs - Individual user identifiers (project and endpoint levels only)
All user information is sourced directly from your configured identity provider (e.g., Microsoft Entra).
# Global roles
The following global roles provide system-wide permissions:
| Role | Description |
|---|---|
| ots-admin | Full system administrator with unrestricted access |
| ots-project-creator | Can create new projects |
| ots-full-deployer | Can deploy SPARQL and Semantic SQL endpoints independently of projects |
| ots-rdf-materializer | Can materialize data into RDF independently of projects |
# Project level
Each project defines its own access control policy using roles, groups, and user IDs.
# Managing project access policies
Project access control policies can be configured through:
- User interface: Navigate to the project's Settings > Sharing page
- Web API: Use the dedicated access control endpoint
All project users have administrative rights
Currently, all users granted access to a project receive full administrative privileges for that project. This behavior will be refined with more granular permissions in a future release.
Important considerations:
- Project users cannot see database credential values. However, they can modify these credentials due to their administrative privileges
- For simple data consumption, grant access at the endpoint level rather than the project level
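The following is an added illustrative model of the rules stated on this page; it is not Ontopic Suite code and its class and function names, the permission labels, and the sample identities are assumptions. It evaluates a user's identity-provider attributes against a project policy and an endpoint policy, and flags the least-privilege problem described above: a user who only needs to query data but holds project-level (and therefore administrative) access.

```python
from dataclasses import dataclass, field

# Global roles as listed on this page.
GLOBAL_ROLES = {"ots-admin", "ots-project-creator", "ots-full-deployer", "ots-rdf-materializer"}
# Every project user currently receives full administrative rights (assumed labels).
PROJECT_ADMIN_PERMS = {"administer", "modify-db-credentials"}  # values of credentials stay hidden
ENDPOINT_CONSUMER_PERMS = {"query"}  # assumed label for plain data consumption


@dataclass(frozen=True)
class User:
    """Identity attributes as delivered by the identity provider (constructed sample data)."""
    user_id: str
    roles: frozenset
    groups: frozenset


@dataclass
class Policy:
    """Project- or endpoint-level policy: a matching role, group or user ID grants access."""
    roles: set = field(default_factory=set)
    groups: set = field(default_factory=set)
    user_ids: set = field(default_factory=set)

    def grants(self, user: User) -> bool:
        return bool(self.roles & user.roles) or bool(self.groups & user.groups) \
            or user.user_id in self.user_ids


def project_permissions(user: User, project_policy: Policy) -> set:
    """ots-admin bypasses project policies; any other matching user is a full project admin."""
    if "ots-admin" in user.roles or project_policy.grants(user):
        return set(PROJECT_ADMIN_PERMS)
    return set()


def endpoint_permissions(user: User, endpoint_policy: Policy) -> set:
    """Endpoint-level grants give data consumption only (assumption: no admin rights implied)."""
    if "ots-admin" in user.roles or endpoint_policy.grants(user):
        return set(ENDPOINT_CONSUMER_PERMS)
    return set()


def over_privileged(user: User, project_policy: Policy, needs: set) -> bool:
    """True when a user who needs only consumer permissions holds project-level admin access."""
    granted = project_permissions(user, project_policy)
    return bool(granted) and needs <= ENDPOINT_CONSUMER_PERMS and "ots-admin" not in user.roles


# Constructed sample policies: analysts administer the project, consumers only query the endpoint.
PROJECT_POLICY = Policy(groups={"analytics-team"}, user_ids={"carol@example.com"})
ENDPOINT_POLICY = Policy(groups={"data-consumers"})
ALICE = User("alice@example.com", frozenset({"ots-admin"}), frozenset())
BOB = User("bob@example.com", frozenset(), frozenset({"data-consumers"}))
CAROL = User("carol@example.com", frozenset(), frozenset({"data-consumers"}))
```

Running `over_privileged(CAROL, PROJECT_POLICY, {"query"})` returns True because Carol is granted at the project level although endpoint access would suffice for her.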
# Endpoint level
See the endpoint deployment page for how access policies are assigned to SPARQL and Semantic SQL endpoints.