The SiteGUI platform uses Role-Based Access Control (RBAC) to restrict access to certain applications based on a staff member's role within the organization (Site). A role is a collection of permissions that you can apply to your staff. Using roles makes it easier to add, remove, and adjust permissions than assigning permissions to staff individually. A staff member may be assigned multiple roles. For example, a Sales Manager can be assigned a Salesperson role (to access whatever a Salesperson can access), a Sales Manager role (to access what applies only to Sales Managers and not to HR Managers), and a Manager role (to access whatever all Managers, such as Sales Managers and HR Managers, can access). RBAC is an additive model, so if a staff member has multiple roles, their effective permissions are the union of all the roles' permissions.

System Roles

SiteGUI already defines common roles within an organization; these are called system roles. One special system role is the API User role, which must be enabled for staff accounts that require API access to the platform.

Creating a New Role

Site Managers can create a new role if the system roles do not fit their access requirements. To create a new role, click on the New menu and choose Role. Then enter the role name and description, and enable suitable permissions for the role. Each permission indicates which apps and actions it grants access to. For example, the Page::create permission can be enabled to allow creating, updating, and listing all Pages, Menus, Widgets, Collections and Apps.

Site Managers can assign to a new role only permissions they themselves have, so the new role's permissions are always less than or equal to the permissions of the Site Manager creating it. When creating a new role, it is best practice to assign the fewest permissions that allow the associated operation to get done.
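
The additive model and the subset rule for new roles described above, as an added Python sketch that is not SiteGUI's own code. The role names come from this page; every permission other than Page::create, and both function names, are constructed for illustration.

```python
# Added illustration of additive RBAC; not SiteGUI code.
# Role names come from the page. Every permission except Page::create
# is a constructed sample value.
ROLES = {
    "Salesperson":   {"Order::create", "Customer::read"},
    "Sales Manager": {"Order::approve", "Report::sales"},
    "Manager":       {"Staff::read", "Page::create"},
}


def effective_permissions(assigned_roles, roles=ROLES):
    """Additive model: the union of every assigned role's permissions."""
    unknown = set(assigned_roles) - set(roles)
    if unknown:
        # Fail closed on a role name that is not defined.
        raise KeyError(f"unknown role(s): {sorted(unknown)}")
    perms = set()
    for name in assigned_roles:
        perms |= roles[name]
    return perms


def create_role(creator_roles, name, requested, roles=ROLES):
    """Add a role only if its permissions are a subset of the creator's own."""
    if name in roles:
        raise ValueError(f"role {name!r} already exists")
    requested = set(requested)
    excess = requested - effective_permissions(creator_roles, roles)
    if excess:
        # Rejecting here keeps a creator from gaining access through a
        # role they define and then assign.
        raise PermissionError(f"creator lacks: {sorted(excess)}")
    roles[name] = requested
    return requested


if __name__ == "__main__":
    roles = {k: set(v) for k, v in ROLES.items()}  # work on a copy
    print(sorted(effective_permissions(["Salesperson", "Manager"], roles)))
    print(create_role(["Salesperson"], "Order Clerk", {"Order::create"}, roles))
    try:
        create_role(["Salesperson"], "Web Editor", {"Page::create"}, roles)
    except PermissionError as err:
        print("denied:", err)
```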

Managing Roles

Click on the App Listing menu and choose Roles to see all available roles and their permissions. Non-system roles can be edited to add or remove permissions, or deleted.

When editing a role, a list of staff who have that role is also shown. To remove a staff member from that role, edit the staff account and uncheck that role in the list of checked roles.