Auth Server Roles and Permissions
This page outlines the roles and permissions used and managed by the Authorization Server.
In general, a role conveys a particular set of permissions. The permissions control which actions the holder of that role is authorised to carry out.
Each role has a set of available permissions that bounds what that role can ever be granted.
A default subset of the available permissions is assigned out of the box. This assigned subset can be modified, within the available set, using the Authorization Server Admin API.
An up-to-date version of this page's contents is held in the role-permissions.yml file. That file should be considered the authoritative source of this information; this page is a convenient reference point.
Auth Server Roles
| Role | Description | Default permissions | Available permissions |
|---|---|---|---|
| USER | Standard user of the platform with data access to apps and APIs | api.knowledge.read, api.notifications.read, api.preferences.read, api.preferences.write, api.ontology.read, api.catalog.read | api.knowledge.read, api.knowledge.write, api.notifications.read, api.notifications.write, api.preferences.read, api.preferences.write, api.ontology.read, api.ontology.write, api.catalog.read, api.catalog.write |
| ADMIN_USER | Admin user for user and attribute management | attributes.write, attributes.read, groups.read, groups.write, permissions.read, permissions.write, roles.read, roles.write, users.read, users.write | attributes.write, attributes.read, groups.read, groups.write, permissions.read, permissions.write, roles.read, roles.write, users.read, users.write |
| ADMIN_SYSTEM | Admin user for system controls, client configuration, backup etc. | client.read, backup.read, backup.write, backup.restore, validation.read, api.knowledge.compact, api.ontology.compact, api.catalog.compact | client.read, client.write, backup.read, backup.write, backup.restore, backup.delete, validation.read, api.knowledge.compact, api.ontology.compact, api.catalog.compact |
Auth Server Permissions
| Permission | Description | Role | Action |
|---|---|---|---|
| api.knowledge.read | Read from the knowledge dataset | USER | read |
| api.knowledge.write | Write to the knowledge dataset | USER | write |
| api.knowledge.compact | Compact the knowledge dataset | ADMIN_SYSTEM | write |
| api.notifications.read | Read notifications (own) | USER | read |
| api.notifications.write | Write notifications | USER | write |
| api.preferences.read | Read user preferences (own) | USER | read |
| api.preferences.write | Write/update own user preferences | USER | write |
| api.ontology.read | Read from the ontology dataset | USER | read |
| api.ontology.write | Write to the ontology dataset | USER | write |
| api.ontology.compact | Compact the ontology dataset | ADMIN_SYSTEM | write |
| api.catalog.read | Read from the catalog dataset | USER | read |
| api.catalog.write | Write to the catalog dataset | USER | write |
| api.catalog.compact | Compact the catalog dataset | ADMIN_SYSTEM | write |
| client.read | Read the configured clients | ADMIN_SYSTEM | read |
| client.write | Write, manage and configure the clients | ADMIN_SYSTEM | write |
| attributes.write | Write a user's attributes | ADMIN_USER | write |
| attributes.read | Read a user's attributes | ADMIN_USER | read |
| groups.read | Read the groups available | ADMIN_USER | read |
| groups.write | Create and manage the groups | ADMIN_USER | write |
| backup.read | View all available backups within CORE | ADMIN_SYSTEM | read |
| backup.write | Create backups in CORE | ADMIN_SYSTEM | write |
| backup.restore | Restore backups in CORE | ADMIN_SYSTEM | restore |
| backup.delete | Delete backups in CORE | ADMIN_SYSTEM | delete |
| validation.read | Trigger and view validation of the knowledge dataset | ADMIN_SYSTEM | read |
| permissions.read | View all permissions | ADMIN_USER | read |
| permissions.write | Not used | ADMIN_USER | write |
| roles.read | View all roles | ADMIN_USER | read |
| roles.write | Not used | ADMIN_USER | write |
| users.read | View all users | ADMIN_USER | read |
| users.write | Update user details and permissions | ADMIN_USER | write |
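The bound described at the top of this page (assigned permissions may be changed through the Admin API, but only within each role's available set), as an added example that is not part of this page or of the Authorization Server's own code. The dict layout, the function names and the use of PermissionError are assumptions; the permission sets are transcribed from the two tables above.

```python
# Added example (assumed layout; not the project's role-permissions.yml).
# Constructed from the tables on this page: each role's out-of-the-box ("default")
# permissions and the "available" set that bounds what may ever be assigned to it.
ADMIN_USER_PERMS = {
    "attributes.read", "attributes.write", "groups.read", "groups.write",
    "permissions.read", "permissions.write", "roles.read", "roles.write",
    "users.read", "users.write",
}
ROLE_PERMISSIONS = {
    "USER": {
        "default": {"api.knowledge.read", "api.notifications.read", "api.preferences.read",
                    "api.preferences.write", "api.ontology.read", "api.catalog.read"},
        "available": {"api.knowledge.read", "api.knowledge.write", "api.notifications.read",
                      "api.notifications.write", "api.preferences.read",
                      "api.preferences.write", "api.ontology.read", "api.ontology.write",
                      "api.catalog.read", "api.catalog.write"},
    },
    "ADMIN_USER": {"default": set(ADMIN_USER_PERMS), "available": set(ADMIN_USER_PERMS)},
    "ADMIN_SYSTEM": {
        "default": {"client.read", "backup.read", "backup.write", "backup.restore",
                    "validation.read", "api.knowledge.compact", "api.ontology.compact",
                    "api.catalog.compact"},
        "available": {"client.read", "client.write", "backup.read", "backup.write",
                      "backup.restore", "backup.delete", "validation.read",
                      "api.knowledge.compact", "api.ontology.compact", "api.catalog.compact"},
    },
}

def default_assignments():
    """Return a fresh, mutable copy of each role's out-of-the-box permissions."""
    return {role: set(spec["default"]) for role, spec in ROLE_PERMISSIONS.items()}

def out_of_bounds(assigned):
    """List (role, permission) pairs that sit outside the role's available set."""
    return sorted((role, p) for role, perms in assigned.items()
                  for p in perms - ROLE_PERMISSIONS[role]["available"])

def grant(assigned, role, permission):
    """Add a permission to a role, refusing anything outside that role's available set."""
    if permission not in ROLE_PERMISSIONS[role]["available"]:
        raise PermissionError(f"{permission} is not available to role {role}")
    assigned[role].add(permission)
    return assigned[role]

def is_authorised(assigned, roles, permission):
    """True if any of the principal's roles currently carries the permission."""
    return any(permission in assigned.get(role, ()) for role in roles)
```

out_of_bounds() is the check to run over whatever the Admin API has actually stored, since it catches assignments that reached the store without going through grant().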