# Authorization

The Banking API uses role-based access control ([RBAC](https://en.wikipedia.org/wiki/Role-based_access_control)) to regulate access to API resources. Access is managed through the [IAM](/apis/platform/iam/) service.

## RBAC

A client or user can be assigned access to any of the following resources. Child resources inherit all permissions assigned to parent resources.

The flowchart below describes the resource hierarchy of Banking resources:

**Note:** A tenant may have multiple subscriptions.

```mermaid
---
config:
  htmlLabels: false
---
flowchart TD
    subscription(Subscription)
    resourceGroup(Resource Group)
    bankAccount(Bank Account)
    otherResource(Other Aritma Resources)
    subscription --> resourceGroup
    resourceGroup --> bankAccount
    resourceGroup --> otherResource
```

## Roles

Roles describe what actions a client or user can execute on a resource.

**Example:** If a client or user has `banking.ais.read` access to an **account**, or to its parent **resource group** or **subscription**, that client or user can make `GET` requests to retrieve the account and the transactions and balances for that account.

| Name | Parent | Title |
| --- | --- | --- |
| **banking.manage** | owner | Banking manage |
| **banking.channels.all** | | All channels |
| banking.channels.psd2 | banking.channels.all | PSD2 services |
| banking.channels.openbanking | banking.channels.all | Open-banking services |
| **banking.consents.manage** | banking.manage | Manage consents |
| banking.consents.create | banking.consents.manage | Create consents |
| banking.consents.read | banking.consents.manage | Read consents |
| banking.consents.update | banking.consents.manage | Update consents |
| banking.consents.delete | banking.consents.manage | Delete consents |
| **banking.ais.manage** | banking.manage | Manage accounts |
| banking.ais.create | banking.ais.manage | Create accounts |
| banking.ais.read | banking.ais.manage | Read accounts |
| **banking.pis.manage** | banking.manage | Manage payments |
| banking.pis.create | banking.pis.manage | Create payments |
| banking.pis.read | banking.pis.manage | Read payments |
| banking.pis.authorize | banking.pis.manage | Authorize payments |
| banking.pis.cancel | banking.pis.manage | Cancel payments |
| banking.mandates.manage | banking.manage | Manage Mandates |
| banking.mandates.write | banking.mandates.manage | Create mandates |
| banking.mandates.read | banking.mandates.manage | Read mandates |
| banking.mandates.delete | banking.mandates.manage | Delete mandates |
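
The following is an added example, not code from this page or from the Banking API, showing how the resource hierarchy and the roles table combine in a single access decision. It assumes that an assigned role also covers every role listed beneath it in the Parent column; the resource IDs and the names `role_grants` and `is_allowed` are constructed for illustration.

```python
# Role -> parent role, built from the roles table (None = no parent listed).
ROLE_PARENT = {
    "banking.manage": "owner",
    "banking.channels.all": None,
    "banking.channels.psd2": "banking.channels.all",
    "banking.channels.openbanking": "banking.channels.all",
}
FAMILIES = {
    "consents": ["create", "read", "update", "delete"],
    "ais": ["create", "read"],
    "pis": ["create", "read", "authorize", "cancel"],
    "mandates": ["write", "read", "delete"],
}
for family, actions in FAMILIES.items():
    ROLE_PARENT[f"banking.{family}.manage"] = "banking.manage"
    for action in actions:
        ROLE_PARENT[f"banking.{family}.{action}"] = f"banking.{family}.manage"

# Constructed sample resources: id -> parent id (None at the subscription).
RESOURCE_PARENT = {
    "sub-1": None,
    "rg-payroll": "sub-1",
    "rg-treasury": "sub-1",
    "acct-001": "rg-payroll",
    "acct-002": "rg-treasury",
}

def role_grants(assigned, required):
    """True if `assigned` is `required` or an ancestor of it (assumed semantics)."""
    if required not in ROLE_PARENT:
        return False  # unknown role name: fail closed
    role = required
    while role:
        if role == assigned:
            return True
        role = ROLE_PARENT.get(role)
    return False

def is_allowed(assignments, resource, required):
    """assignments: set of (resource_id, role) pairs held by a client or user."""
    if resource not in RESOURCE_PARENT:
        return False  # unknown resource: fail closed
    scope = resource
    while scope:  # walk account -> resource group -> subscription
        if any(res == scope and role_grants(role, required)
               for res, role in assignments):
            return True
        scope = RESOURCE_PARENT[scope]
    return False
```

Assignments flow only downward in both hierarchies: a role on a resource group reaches its accounts but not sibling groups, and a leaf role such as `banking.ais.read` never satisfies a check for `banking.ais.manage`.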