docs/docs/en/users-permissions/acl/union.md
Role Union is a permission management mode. According to system settings, system developers can choose to use Independent roles, Allow roles union, or Roles union only, to meet different permission requirements.
By default, the system uses independent roles. Users must switch between the roles they possess individually.
System developers can enable Allow roles union, allowing users to simultaneously have permissions of all assigned roles while still permitting users to switch roles individually.
Users are enforced to only use Role Union and cannot switch roles individually.
Role union grants the maximum permissions across all roles. Below are the explanations for resolving permission conflicts when roles have different settings on the same permission.
Example:
Role1 is configured to Allows to configure interface and Role2 is configured to Allows to install, activate, disable plugins
When logging in with the Full Permissions role, the user will have both permissions simultaneously.
Scenario 1: Multiple roles setting conditions on the same field
Role A filter: Age < 30
| UserID | Name | Age |
|---|---|---|
| 1 | Jack | 23 |
| 2 | Lily | 29 |
Role B filter: Age > 25
| UserID | Name | Age |
|---|---|---|
| 2 | Lily | 29 |
| 3 | Sam | 32 |
After merging:
| UserID | Name | Age |
|---|---|---|
| 1 | Jack | 23 |
| 2 | Lily | 29 |
| 3 | Sam | 32 |
Scenario 2: Different roles setting conditions on different fields
Role A filter: Age < 30
| UserID | Name | Age |
|---|---|---|
| 1 | Jack | 23 |
| 2 | Lily | 29 |
Role B filter: Name contains "Ja"
| UserID | Name | Age |
|---|---|---|
| 1 | Jack | 23 |
| 3 | Jasmin | 27 |
After merging:
| UserID | Name | Age |
|---|---|---|
| 1 | Jack | 23 |
| 2 | Lily | 29 |
| 3 | Jasmin | 27 |
Role A visible columns: Name, Age
| UserID | Name | Age |
|---|---|---|
| 1 | Jack | 23 |
| 2 | Lily | 29 |
Role B visible columns: Name, Sex
| UserID | Name | Sex |
|---|---|---|
| 1 | Jack | Man |
| 2 | Lily | Woman |
After merging:
| UserID | Name | Age | Sex |
|---|---|---|---|
| 1 | Jack | 23 | Man |
| 2 | Lily | 29 | Woman |
Role A filter: Age < 30, columns Name, Age
| UserID | Name | Age |
|---|---|---|
| 1 | Jack | 23 |
| 2 | Lily | 29 |
Role B filter: Name contains "Ja", columns Name, Sex
| UserID | Name | Sex |
|---|---|---|
| 3 | Jade | Woman |
| 4 | James | Man |
After merging:
| UserID | Name | Age | Sex |
|---|---|---|---|
| 1 | Jack | 23 | <span style="background-color:#FFDDDD">Man</span> |
| 2 | Lily | 29 | <span style="background-color:#FFDDDD">Woman</span> |
| 3 | Jade | <span style="background-color:#FFDDDD">27</span> | Woman |
| 4 | James | <span style="background-color:#FFDDDD">31</span> | Man |
Note: Cells with red background indicate data invisible in individual roles but visible in the merged role.
Role merging data-scope rules: