Goal
Limit a Fusion user’s access so they can only view and manage rules in the Rules UI for a single application, without visibility into other apps or administrative features.
Environment
Fusion 5.5.x and later
Self-hosted deployments using the Fusion Access Control role editor.
Guide
Create a custom role
In the Fusion UI, navigate to Access Control > Roles.
Create a new role (for example, rules-app-specific).
Assign the following permissions, replacing YourAppName with the exact name of your application.
GET,PUT:/apps/*/query-profiles/**
PUT,GET,POST,PATCH,DELETE,HEAD:/apps/*/query-rewrite/**
GET,PUT:/solr/**
GET,PUT:/query/**
GET,PUT:/collections/**
GET,HEAD,POST,PUT,DELETE:/apps/YourAppName/**
GET,PUT:/apps/
PUT,GET,POST,PATCH,DELETE,HEAD:/business-rules**
PUT,GET,POST,PATCH,DELETE,HEAD:/rules/**
GET:/license
GET:/blobs/**
GET:/session
Assign the role to a user
Go to Access Control > Users.
Select the target account.
Add the new rules-app-specific role.
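Before pasting the permission list into the role editor, the entries can be rendered for the real app name and reviewed for scope. The following script is an added example, not part of Fusion or of the original guide: the function names, the rejected-character check, and the app name "Products" are assumptions made for illustration.

```python
import re

# Permission entries copied from the role definition on this page.
TEMPLATE = """\
GET,PUT:/apps/*/query-profiles/**
PUT,GET,POST,PATCH,DELETE,HEAD:/apps/*/query-rewrite/**
GET,PUT:/solr/**
GET,PUT:/query/**
GET,PUT:/collections/**
GET,HEAD,POST,PUT,DELETE:/apps/YourAppName/**
GET,PUT:/apps/
PUT,GET,POST,PATCH,DELETE,HEAD:/business-rules**
PUT,GET,POST,PATCH,DELETE,HEAD:/rules/**
GET:/license
GET:/blobs/**
GET:/session"""

HTTP_METHODS = {"GET", "HEAD", "POST", "PUT", "PATCH", "DELETE"}
PLACEHOLDER = "YourAppName"

def render(app_name):
    """Return (methods, path) pairs with the placeholder replaced."""
    # Assumption of this sketch: reject characters that carry meaning in the
    # METHODS:/path syntax, so the name cannot widen or split an entry.
    if not app_name or re.search(r"[*?/:,\n]", app_name):
        raise ValueError(f"unsafe app name: {app_name!r}")
    entries = []
    for line in TEMPLATE.splitlines():
        methods, sep, path = line.partition(":")
        if not sep or not path.startswith("/"):
            raise ValueError(f"malformed permission: {line!r}")
        if not set(methods.split(",")) <= HTTP_METHODS:
            raise ValueError(f"unknown HTTP method in: {line!r}")
        entries.append((methods, path.replace(PLACEHOLDER, app_name)))
    return entries

def review(app_name):
    """Split entries into those pinned to the app's path and the rest."""
    pinned, other = [], []
    for methods, path in render(app_name):
        (pinned if f"/apps/{app_name}/" in path else other).append((methods, path))
    return pinned, other

if __name__ == "__main__":
    pinned, other = review("Products")  # "Products" is a constructed app name
    for label, group in (("pinned to app", pinned), ("not pinned", other)):
        for methods, path in group:
            print(f"{label:14} {methods}:{path}")
```

The "not pinned" group is the set of entries to look at when reviewing the role for least privilege, since those paths do not contain the application name.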
Accessing the Rules UI
Users can open the Rules UI directly at:
http://<fusion-host>:6764/rules/apps/YourAppName/
Accessing the Rules UI for any other app will be blocked.
Users will be able to add, edit, and delete rules only within the assigned app.
Notes on UI behavior
The Fusion UI may still display options to “Add new app” or delete an application. However, when attempted, these actions will return an unauthorized error.
This ensures that users cannot create or remove applications, even if the buttons are visible.