> ## Documentation Index
> Fetch the complete documentation index at: https://docs.activeviam.com/llms.txt
> Use this file to discover all available pages before exploring further.

# How are user permissions managed in Atoti What-If?

This page explains how user permissions work in Atoti What-If simulations and Atoti Server branches. It covers built-in security managers, role-based access control, and how to implement custom permission logic.

***

## How to configure security with the Spring Boot Starter

When using the Spring Boot Starter, security is configured through properties:

```yaml theme={"languages":{"custom":["/engine/python-sdk/0.9/languages/pycon.tmLanguage.json"]}}
atoti:
  what-if:
    security:
      type: spring  # spring (default), none, or custom
      use-branch-permissions: true  # default: true
```

### Security type options

| Value    | Description                                                                 |
| -------- | --------------------------------------------------------------------------- |
| `spring` | Uses Spring Security context for user authentication. This is the default.  |
| `none`   | No security checks are performed. All operations are allowed for all users. |
| `custom` | You provide your own `IDatabaseSimulationsSecurityManager` bean.            |

### Disabling branch permissions

By default, the security manager delegates branch-level permission checks to the Atoti Server branch permissions manager. To disable this:

```yaml theme={"languages":{"custom":["/engine/python-sdk/0.9/languages/pycon.tmLanguage.json"]}}
atoti:
  what-if:
    security:
      type: spring
      use-branch-permissions: false
```

***

## What are Atoti Server branches?

Atoti Server uses branches to isolate data changes. Each branch can have:

* **Owners**: Users who can modify or delete the branch.
* **Readers**: Users who can view the branch.

If no owners or readers are specified, all users have full access. To restrict access, users must have the required roles.

For more information, head over to [the Atoti Server access control documentation](https://docs.activeviam.com/products/atoti/server/6.1.11/docs/security/database_access_control/) and [the Atoti Server branch permission manager documentation](https://docs.activeviam.com/products/atoti/server/6.1.11/docs/security/branch_permission/).

***

## How are simulations secured in Atoti What-If?

Simulations are grouped by branch and secured using an `IDatabaseSimulationsSecurityManager`. Two built-in managers are available:

### `NoOpDatabaseSimulationsSecurityManager`

* Allows all actions for every user.
* Intended for testing only.
* Enabled by setting `atoti.what-if.security.type: none`.

### `SpringDatabaseSimulationsSecurityManager`

* Integrates with Spring Security.
* Checks user roles.
* Delegates branch-level checks to the Atoti Server branch permissions manager.
* Enabled by default, or by setting `atoti.what-if.security.type: spring`.

**Default behavior:**

* Any user can create simulations.
* Only the creator or users with `ROLE_ADMIN` can update, delete, or execute simulations.

***

## How do I implement custom simulation permissions?

You can customize permissions by extending the Spring-based manager or implementing your own.

When using the Spring Boot Starter with a custom security manager, set `atoti.what-if.security.type: custom` and provide your bean. See [How to customize auto-configured beans](./customize-beans) for details.

### Option 1: Extend `SpringDatabaseSimulationsSecurityManager`

Use the `setDatabaseSimulationsRoles` method to define role-based access:

```java theme={"languages":{"custom":["/engine/python-sdk/0.9/languages/pycon.tmLanguage.json"]}}
public class CustomSimulationsSecurityManager extends SpringDatabaseSimulationsSecurityManager {
    @Override
    protected void setDatabaseSimulationsRoles(Map<Actions, Set<String>> actionsToGrantedRoles) {
        actionsToGrantedRoles.put(Actions.CREATE, Set.of("ROLE_USER", "ROLE_SIM_CREATOR"));
        actionsToGrantedRoles.put(Actions.UPDATE, Set.of("ROLE_ADMIN", "ROLE_SIM_EDITOR"));
        actionsToGrantedRoles.put(Actions.DELETE, Set.of("ROLE_ADMIN"));
        actionsToGrantedRoles.put(Actions.EXECUTE, Set.of("ROLE_USER", "ROLE_SIM_EXECUTOR"));
    }
}
```

### Option 2: Implement `IDatabaseSimulationsSecurityManager` directly

Use this for advanced logic, such as checking external services or user attributes:

```java theme={"languages":{"custom":["/engine/python-sdk/0.9/languages/pycon.tmLanguage.json"]}}
import com.activeviam.tech.mvcc.api.security.impl.BranchPermissions;

public class MyCustomSecurityManager implements IDatabaseSimulationsSecurityManager {
    @Override
    public boolean canCreate(IDatabaseSimulation simulation) {
        // Custom logic, e.g. check user attributes or external service
        return false;
    }

    @Override
    public IBranchPermissions createBranchPermissions(String branchName, String user) {
        // Delegate to Atoti Server branch permissions manager
        return BranchPermissions.openPermissions();
    }
    // Implement other methods as needed
}
```

***

## What should be checked for consistency?

To ensure correct branch-level permissions, verify that the permissions for Atoti Server and Atoti What-If are consistent.
