# Role Based Access

{% hint style="info" %}
This feature allows administrators to restrict user access to a defined subset of PostgreSQL instances, providing precise and secure control over platform visibility.
{% endhint %}

## How Roles Work

{% stepper %}
{% step %}

### Define Instance tags

Ensure that your PostgreSQL clusters are tagged using existing tags or newly defined ones.
{% endstep %}

{% step %}

### Create a role

Create a role by defining one or more tag-based conditions. These conditions determine which PostgreSQL clusters are included in the role’s access scope.
{% endstep %}

{% step %}

### Assign the role to a user

Assign the role to one or more users. Once associated, users can access only the PostgreSQL clusters included in the role’s scope.

Access is updated dynamically as instance tags change or new instances are added.
{% endstep %}
{% endstepper %}

## Create a Role

{% hint style="info" %}
You can associate multiple tags to the same role and combine AND/OR conditions
{% endhint %}

### Through API

{% content-ref url="../../implementation/platform-usage/api-reference/role" %}
[role](https://docs.datasentinel.io/manual/implementation/platform-usage/api-reference/role)
{% endcontent-ref %}

### Through UI

<figure><img src="https://1072624949-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FlcWi6G1jtNuyGT9C0pkc%2Fuploads%2FtMkb67LF6nq76Apf2EHS%2Frole-based-access-multi.png?alt=media&#x26;token=a407c363-aea5-456a-8e6d-1209e78e7d31" alt=""><figcaption></figcaption></figure>

## Guide

{% content-ref url="../../how-to-guides/manage-users-and-role-based-access" %}
[manage-users-and-role-based-access](https://docs.datasentinel.io/manual/how-to-guides/manage-users-and-role-based-access)
{% endcontent-ref %}

## FAQ

<details>

<summary><strong>Can a user be assigned multiple roles?</strong></summary>

No, a user can only be assigned one role in Datasentinel

</details>

<details>

<summary><strong>What is the finest level of granularity for access control in Datasentinel?</strong></summary>

The finest granularity for access control in Datasentinel is at the level of the PostgreSQL instance name

</details>

<details>

<summary><strong>Can a role have multiple conditions based on the same tag?</strong></summary>

Yes, a role in Datasentinel can indeed have several conditions based on the same tag.

Let's say you have a team member who needs access to two specific applications within your PostgreSQL environment – for instance, a crm and a sales application.&#x20;

In Datasentinel, you can easily create a role that encompasses access to both these applications by setting up multiple conditions on the same tag.

In this example, you can define a role with the following conditions:&#x20;

`application=crm OR application=sales`.

</details>