Set up your first role
Boldo splits permissions into two layers. A role says what a user can do — view, edit, delete, manage access. An access domain says where those rights apply — Finance, HR, one project, one perimeter. The real permission unit is the pair of the two. A role on its own is too broad; an access domain on its own does nothing.
Open Rights and create a role
Click your avatar in the top-right and pick Organization settings. In the left sidebar, open Rights and select Roles. Click Create role, give it a name (for example, Architect), add a key and an optional description, and confirm.
The Rights area holds two tabs: Roles and Access domains. Effective access requires both — start with the role, then scope it with a domain in the next step.
The role's name is what shows up on the user's profile. The key is used in the API and stays stable even if you rename the role later. Description is for your own bookkeeping.
Configure what the role can do
Open the role you just created. The role page shows a rights table — one row per access domain (including the system row No access domain), one column per asset type. Click a cell to cycle through the access levels: No access, View, Edit, Delete, Edit access domain.
For example, click the cell where Architecture domain meets Legal Entities to give the Architect role View access on Legal Entities in that perimeter. Click again to upgrade to Edit, and again for Delete. Open Properties on any asset type to refine rights down to individual properties.
Scope the role with access domains
Roles answer what; access domains answer where. Open the Access domains tab in the same Rights area to manage them. Each domain represents a business perimeter — Finance, HR, the ERP project, one geography — that you assign to assets and shared content.
The list page shows every existing domain plus the system row No access domain. That row defines the fallback for items and assets that carry no domain. Clicking into a domain opens the same rights table layout as a role. The data is sliced the other way: one row per role, one column per asset type.
Click Create access domain to add a new perimeter. Give it a name (for example, Finance), add a key, and confirm. A new domain starts with no access configured for any role. Until you fill in the rights table, no one can act on assets carrying it.
Assign the role to a user
Open the Users tab in Organization settings. Pick a user, click into their profile, and assign one or more roles. A user can have several roles — if more than one matches the same access domain, Boldo keeps the highest level granted.
Effective access depends on two things. The user's global type — Viewer, Editor, Administrator — caps what any role can grant. The role + access domain pairs then decide which objects the user can act on. If the result looks wrong, review these layers in order.
Next steps
- Decide your access domains before mass-importing assets, so domains are assigned at import time rather than backfilled.
- Use the No role and No access domain system rows to set defaults for new users and items without a domain.
- Refine property-level rights from any asset type's Properties column when individual fields need to be hidden.
Go further
Watch the recorded demo for the full flow. It covers role creation, cell-by-cell configuration, access domain scoping, user assignment, and what a user without a property right sees.
Pause anywhere to mirror the steps in your own organization. The demo also shows side-by-side what a restricted user sees vs. a user with full rights, on the same asset.