# Permissions and Access Controls

<figure><img src="https://3641609714-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F5tYv0KixTaiEIz5F9uBB%2Fuploads%2F3OYmFAojI61VXKcMYkcO%2Fsessionmanagement.png?alt=media&#x26;token=29fdb737-0f94-42fe-b0e5-398450b72a2f" alt="" width="473"><figcaption></figcaption></figure>

## Overview

Who controls access to what is of paramount importance to the mission of the RAIR project. Effectively all permissions in RAIR are governed by a valid sessionID that the RAIRnode generates from either valid onchain or valid offchain data.

## On-chain vs Off-chain Checks

As currently configured:

* Onchain checks (from blockchain data) are required for: Admin access. DRM unlocking of videos.
* Offchain checks (from internal database) are required for: Superadmin access. Setting user flags like Yoti age verification.

## SessionID

Browser cookies delineate access to RAIR. The process for validating all users is the same:

1. Send a valid user's 0x address to the RAIRnode
2. Validate the correct parameters onchain or offchain
3. Pass a valid SessionID to the user's browser.
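
The three steps above as a small Node.js sketch. This is an added example, not RAIRnode code: the function names, privilege names, in-memory stores and sample addresses are all hypothetical. It assumes that ownership of the 0x address has already been established before step 1, which this page does not describe.

```javascript
// Added illustration, not RAIRnode source. All names and data are hypothetical.
const { randomBytes } = require('node:crypto');

const ADMIN = '0x' + 'a'.repeat(40); // constructed sample addresses
const SUPER = '0x' + 'b'.repeat(40);

// Constructed stand-ins for the two data sources named on the page.
const DATA = {
  onchain: { admin: new Set([ADMIN]), drmUnlock: new Set([ADMIN]) }, // blockchain data
  offchain: { superadmin: new Set([SUPER]), setUserFlag: new Set([SUPER]) }, // internal database
};

// Which source must confirm each privilege ("As currently configured").
const REQUIRED_SOURCE = new Map([
  ['admin', 'onchain'], ['drmUnlock', 'onchain'],
  ['superadmin', 'offchain'], ['setUserFlag', 'offchain'],
]);

const sessions = new Map(); // sessionID -> { address, privileges }, held server-side

// Step 2: ask only the source required for this privilege; unknown ones fail closed.
function checkPrivilege(address, privilege) {
  const source = REQUIRED_SOURCE.get(privilege);
  if (!source) return false;
  const holders = DATA[source][privilege];
  return holders !== undefined && holders.has(address);
}

function issueSession(rawAddress) {
  // Step 1: accept only a well-formed 0x address.
  if (typeof rawAddress !== 'string' || !/^0x[0-9a-fA-F]{40}$/.test(rawAddress)) return null;
  const address = rawAddress.toLowerCase();
  const privileges = new Set(
    [...REQUIRED_SOURCE.keys()].filter((p) => checkPrivilege(address, p)),
  );
  // Step 3: unguessable SessionID; the privilege set never leaves the server.
  const sessionID = randomBytes(32).toString('hex');
  sessions.set(sessionID, { address, privileges });
  return sessionID;
}

// Later requests present only the SessionID (for example in a cookie).
function authorize(sessionID, privilege) {
  const session = sessions.get(sessionID);
  return session !== undefined && session.privileges.has(privilege);
}
```

An address that passes neither check still receives a session, with an empty privilege set, which corresponds to the basic user.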

## User Types

Successful RAIR Validation offers tooling for 3 types of user by default:

* **Type 1 - Basic user.** Low-level access. Users accessing deployed systems to buy/sell NFTs, consume content, etc.
* **Type 2 - Admin/Creator.** Mid-level access. Users can deploy NFT collections, update their metadata, upload videos, etc.
* **Type 3 - Superadmin.** Top-level access. Full control over deployment of the system. Site-wide UI/UX, showing and hiding collections, setting site-wide royalties, etc.
