RBAC Roles and Permissions

Roles, permissions, and role-permission mappings for the OpenG2P Registry module, managed via Keycloak under the 'staff' realm.

Overview

The OpenG2P Registry enforces role-based access control (RBAC) through Keycloak. All roles and permissions listed on this page are scoped to:

| Property | Value |
| --- | --- |
| Realm | staff |
| Client | registry-staff-portal |

Roles are organised into two classifications — Operations and Configurations — each serving a distinct functional area of the registry.

The roles and permissions listed here are the defaults shipped with OpenG2P Registry. They can be customised during installation via the Registry Helm chart.

Roles

Operations roles

Operations roles govern day-to-day data management workflows such as intake, editing, verification, and integration monitoring.

| Role | Technical name | Description |
| --- | --- | --- |
| Intake Officer | registry-ops-intake-officer | Handles initial data entry and submission of new records into the registry. |
| Intake Validator | registry-ops-intake-verifier | Validates and verifies the accuracy of newly submitted intake records before further processing. |
| Data Editor | registry-ops-registry-editor | Edits and updates existing registry records as part of ongoing data maintenance. |
| Data Validator | registry-ops-registry-verifier | Reviews and verifies changes made to registry records to ensure correctness and compliance. |
| Data Supervisor | registry-ops-registry-approver | Approves verified registry changes, making them final and officially accepted. |
| Integration Manager | registry-ops-integration-manager | Manages and monitors data exchange between the registry and external systems. |
| Operations Administrator | registry-ops-super-operator | Has full operational control across the registry. |

Configuration roles

Configuration roles control how the registry itself is set up — schemas, integrations, and reference data.

| Role | Technical name | Description |
| --- | --- | --- |
| Schema Designer | registry-config-registry-configurator | Configures core registry settings such as domain schemas, fields, and validation rules. |
| Integration Specialist | registry-config-integration-configurator | Sets up and manages configurations for integrations with external systems and APIs. |
| Reference Data Specialist | registry-config-reference-data-configurator | Maintains and updates reference/master data used across the registry. |
| Technical Administrator | registry-config-super-configurator | Has full control over all configuration aspects, including registry, integrations, and reference data. |

Permissions

Below is the complete set of fine-grained permissions available within the openg2p-registry client.

| Permission | Description |
| --- | --- |
| intakeForm:create | Create a new intake form |
| intakeForm:view | View intake forms |
| verificationIntakeForm:create | Create an intake verification |
| verificationIntakeForm:view | View intake verifications |

Role–permission mapping

Operations roles

Technical name: registry-ops-intake-officer

| Permission |
| --- |
| intakeForm:create |
| intakeForm:view |

Configuration roles

Technical name: registry-config-registry-configurator

| Permission |
| --- |
| registryConfiguration:view |
| registryConfiguration:edit |
| registerDefinition:view |
| registerDefinition:create |
| registerDefinition:edit |
| registerDefinition:delete |
| registerTab:view |
| registerTab:create |
| registerTab:edit |
| registerTab:delete |
| registerSection:view |
| registerSection:create |
| registerSection:edit |
| registerSection:delete |

The Operations Administrator role is a superset of all operations roles. Similarly, the Technical Administrator role is a superset of all configuration roles.
