Exploring all System Roles

You can use the System roles appropriately by understanding the privileges tied to each of these roles.

The following System roles provide access to multiple services and are each detailed in an individual topic:

Other System roles are either specific to a single service or combine two services. Those roles are detailed in this topic. Click the following links to know more about these roles:

Note: System roles carry restricted privileges. When you duplicate a System role, the new customer-specific role is created without those restricted privileges, so the copy holds less than the original; compare the two before assigning the copy. To grant the restricted privileges to the new role, contact Customer Support. The ROLE_READ and ROLE_READONLY roles are placeholder roles used with metadata security.

ROLE_ADMIN_SHIELD

The following image shows the available privileges on resources and sub-resources within the Shield Service in the User Management application in Console for the ROLE_ADMIN_SHIELD role:

Permissions Matrix for the ROLE_ADMIN_SHIELD role

In the Permissions Framework, these same resources, sub-resources, and permissions would translate to the following information:

Table 1. ROLE_ADMIN_SHIELD - Details
Service.Resource.Sub-resource ID | Label | Allowed Privileges | Purpose
shield.key | Key | CREATE/READ/UPDATE/DELETE | Administration of crypto keys/policies used for FS level encryption
shield.encrypt | Encrypt Operations | CREATE | Applying encryption to FS level data by applying the encryption policy
shield.encrypt.status | Encrypt Operations Status | READ | Status of the encryption state

ROLE_ACTIVITIES

The following image shows the available privileges on resources and sub-resources within the MDM Service (Reltio Platform service) in the User Management application in Console for the ROLE_ACTIVITIES role:

Permissions Matrix for the ROLE_ACTIVITIES role

In the Permissions Framework, these same resources, sub-resources, and permissions would translate to the following information:

Table 2. ROLE_ACTIVITIES - Details
Service.Resource.Sub-resource ID | Label | Allowed Privileges | Purpose
mdm.data.activityLog | Data - Activity Log | READ | Access to all user activities in the tenants
mdm.data.activityLog.personal | Personal Activities | CREATE/READ/UPDATE | Access to the user's own (personal) activities in the tenants
mdm.data.activityLog.entity | Entity Level All Activities | READ | Access to all user activities of a particular entity

ROLE_DATALOADER

The following image shows the available privileges on resources and sub-resources within the MDM (Reltio Platform) service in the User Management application in Console for the ROLE_DATALOADER role:

Permissions Matrix for the ROLE_DATALOADER role

In the Permissions Framework, these same resources, sub-resources, and permissions would translate to the following information:

Table 3. ROLE_DATALOADER - Details
Service.Resource.Sub-resource ID | Label | Allowed Privileges | Purpose
mdm.data.entities.profile | Data - Entities - Data Management | CREATE/UPDATE | Directly load entities by using the REST API
mdm.data.relations | Data - Relations | CREATE/UPDATE | Directly load relations by using the REST API
mdm.tasks.periodic | Tenant tasks - Periodic Tasks | READ/UPDATE/EXECUTE | Load data by using a periodic task (big load case)

ROLE_TASKS_CONSISTENCY

Permissions Matrix for the ROLE_TASKS_CONSISTENCY role

In the Permissions Framework, these same resources, sub-resources, and permissions would translate to the following information:

Table 4. ROLE_TASKS_CONSISTENCY - Details
Service.Resource.Sub-resource ID | Label | Allowed Privileges | Purpose
mdm.environment.tasks | | READ/UPDATE/EXECUTE | All the different environment level tasks
mdm.environment.tasks.consistency | | EXECUTE | All the consistency check related APIs

ROLE_ADMIN_USER

This role is associated with a customer and has the following rights:
  • create, update, and delete user account administrators
  • access to all user accounts of that customer

The following image shows the available privileges on resources and sub-resources within the MDM (Reltio Platform) and Authorization services in the User Management application in Console for the ROLE_ADMIN_USER role:

Permissions Matrix for the ROLE_ADMIN_USER role

In the Permissions Framework, these same resources, sub-resources, and permissions would translate to the following information:

Table 5. ROLE_ADMIN_USER - Details
Service.Resource.Sub-resource ID | Label | Allowed Privileges | Purpose
mdm.config.physical | Tenant Configurations - Physical | READ | Tenant physical configuration APIs
auth.reltioRoles | Reltio Roles | READ | Read access to all the Reltio System roles
auth.reltioServices | Reltio Services | READ | View all Reltio services
auth.monitoring | Monitoring | READ | View the Auth audit log
auth.customer.user | Users | CREATE/READ/UPDATE/DELETE | User Management APIs

ROLE_EXTERNALMATCH_ADMIN

The following image shows the available privileges on resources and sub-resources within the MDM (Reltio Platform) service in the User Management application in Console for the ROLE_EXTERNALMATCH_ADMIN role:

Permissions Matrix for the ROLE_EXTERNALMATCH_ADMIN role

In the Permissions Framework, these same resources, sub-resources, and permissions would translate to the following information:

Table 6. ROLE_EXTERNALMATCH_ADMIN - Details
Service.Resource.Sub-resource ID | Label | Allowed Privileges | Purpose
mdm.tasks.periodic | MDM Service - Tenant tasks - Periodic Tasks | READ/UPDATE/EXECUTE | Administrative access to External Match

ROLE_WORKFLOW

The following image shows the available privileges on resources and sub-resources within the Workflow service in the User Management application in Console for the ROLE_WORKFLOW role:

Permissions Matrix for the ROLE_WORKFLOW role

In the Permissions Framework, these same resources, sub-resources, and permissions would translate to the following information:

Table 7. ROLE_WORKFLOW - Details
Service.Resource.Sub-resource ID | Label | Allowed Privileges | Purpose
workflow.data | Workflow Service - Data | CREATE/READ/UPDATE/DELETE | APIs to manage process instances and tasks
workflow.jobs | Workflow Service - Jobs | READ/EXECUTE | API to manage background tasks
workflow.monitoring | Workflow Service - Monitoring | READ | Monitoring API
workflow.config.definition | Workflow Service - Configuration - Process Definition | CREATE/READ/DELETE | APIs to deploy and manage process definitions
workflow.config.jar | Workflow Service - Configuration - Custom Jars | CREATE/READ/DELETE | APIs to manage custom jar files at the tenant level
workflow.environment.config.register | | READ | APIs for managing tenant registration
workflow.environment.config.jar | | READ | APIs to manage custom jar files at the environment level

ROLE_UI_ALL_READONLY

This role is related to UI features only, as specified in the UI configuration. All views and menu items are available as read-only for the user, regardless of the UI configuration properties. In other words, the user has all "canRead" view and menu permissions automatically.

Note: "canRead": false still hides a view for the user, no matter what roles the user has.
Tip: Despite its name, ROLE_UI_ALL_READONLY makes only the UI read-only. At the API level it still grants CREATE/UPDATE on entities and helper data and EXECUTE on exports and validation (see Table 8 below), so it does not stop a user from changing data. If you need a user with no permission to change any data in a tenant, do not use ROLE_UI_ALL_READONLY. Instead, set up the role's permissions for the tenant through the metadata configuration, listing only the operations the role should support (for example READ, UPDATE, DELETE, MERGE, and so on).

The following image shows the available privileges on resources and sub-resources within the MDM service in the User Management application in Console for the ROLE_UI_ALL_READONLY role:

Permissions Matrix for the ROLE_UI_ALL_READONLY role

In the Permissions Framework, these same resources, sub-resources, and permissions would translate to the following information:

Table 8. ROLE_UI_ALL_READONLY - Details
Service.Resource.Sub-resource ID | Label | Allowed Privileges | Purpose
mdm.data.graph | MDM Service - Graphs | READ | All Graphs management APIs
mdm.data.helper | MDM Service - Helper Data | CREATE/READ/UPDATE | The additional helper data management related APIs
mdm.data.entities | MDM Service - Entities | CREATE/READ/UPDATE/EXECUTE | All entities management APIs
mdm.data.activityLog.personal | MDM Service - Personal Activities | CREATE/READ/UPDATE | Access the personal activities in the tenants
mdm.data.groups | MDM Service - Groups | READ | All Groups management APIs
mdm.data.categories | MDM Service - Categories | READ | All Categories management APIs
mdm.data.relations | MDM Service - Relations | READ | All relations management APIs
mdm.data.changeRequests | MDM Service - Change Requests | READ | All ChangeRequests management APIs
mdm.data.interactions | MDM Service - Interactions | READ | All Interactions management APIs
mdm.preference | MDM Service - Preference | READ | User Preference related APIs
mdm.monitoring | MDM Service - Monitoring | READ | APIs for monitoring the tenant
mdm.config | MDM Service - Tenant Configurations | READ | All the tenant level configurations
mdm.tasks | MDM Service - Tenant tasks | READ | All the tenant level tasks APIs
auth.customer.user.tenants | User Tenants | READ | APIs for managing the user tenants
auth.customer.user.profile | User Profile | READ | APIs for managing basic user profile information
export.data | Export Service - Data Export | EXECUTE | Extract all data from the tenant
export.config | Export Configuration | READ | Get the export configuration
export.config.tasks | Export Service - Tasks | READ/UPDATE/EXECUTE | APIs related to export tasks
validate.data | Validation Service - Data validation | EXECUTE | Ability to run validation on a data type
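The Note at the top of this topic (a duplicated System role loses its restricted privileges) and the Tip for ROLE_UI_ALL_READONLY (a "read-only" role that can still change data) both come down to the same audit question: what does a role, or a user's set of roles, actually allow on each Service.Resource.Sub-resource ID? The following Python script is an added example and not Reltio's own code or API. The ROLES dictionary is transcribed from Tables 1, 3, 4, 5 and 8 above; everything else is this example's assumption: that every privilege other than READ counts as a write (EXECUTE included, since on this page it fronts exports and load tasks), that resource IDs are compared exactly with no inheritance from a resource to its sub-resources, and that a customer-specific copy is checked simply by diffing it against the System role it was duplicated from.

```python
"""Audit helper for the system roles described on this page.

Added example, not Reltio's own code. ROLES is transcribed from the
page's tables (only the roles needed here); WRITE_PRIVILEGES, the
exact-ID matching and the audit rules are this example's assumptions.
"""
from typing import Dict, Iterable, Set

Privs = Set[str]
RolePerms = Dict[str, Privs]  # resource ID -> privileges

# Assumption: anything other than READ can change state. EXECUTE is
# included because on this page it fronts export.data, validate.data
# and periodic load tasks.
WRITE_PRIVILEGES = {"CREATE", "UPDATE", "DELETE", "EXECUTE"}


def privs(spec: str) -> Privs:
    """Turn the page's 'CREATE/READ/UPDATE' notation into a set."""
    return {p.strip().upper() for p in spec.split("/") if p.strip()}


# Transcribed from Tables 1, 3, 4, 5 and 8 above.
ROLES: Dict[str, RolePerms] = {
    "ROLE_ADMIN_SHIELD": {
        "shield.key": privs("CREATE/READ/UPDATE/DELETE"),
        "shield.encrypt": privs("CREATE"),
        "shield.encrypt.status": privs("READ"),
    },
    "ROLE_DATALOADER": {
        "mdm.data.entities.profile": privs("CREATE/UPDATE"),
        "mdm.data.relations": privs("CREATE/UPDATE"),
        "mdm.tasks.periodic": privs("READ/UPDATE/EXECUTE"),
    },
    "ROLE_TASKS_CONSISTENCY": {
        "mdm.environment.tasks": privs("READ/UPDATE/EXECUTE"),
        "mdm.environment.tasks.consistency": privs("EXECUTE"),
    },
    "ROLE_ADMIN_USER": {
        "mdm.config.physical": privs("READ"),
        "auth.reltioRoles": privs("READ"),
        "auth.reltioServices": privs("READ"),
        "auth.monitoring": privs("READ"),
        "auth.customer.user": privs("CREATE/READ/UPDATE/DELETE"),
    },
    "ROLE_UI_ALL_READONLY": {
        "mdm.data.graph": privs("READ"),
        "mdm.data.helper": privs("CREATE/READ/UPDATE"),
        "mdm.data.entities": privs("CREATE/READ/UPDATE/EXECUTE"),
        "mdm.data.activityLog.personal": privs("CREATE/READ/UPDATE"),
        "mdm.data.groups": privs("READ"),
        "mdm.data.categories": privs("READ"),
        "mdm.data.relations": privs("READ"),
        "mdm.data.changeRequests": privs("READ"),
        "mdm.data.interactions": privs("READ"),
        "mdm.preference": privs("READ"),
        "mdm.monitoring": privs("READ"),
        "mdm.config": privs("READ"),
        "mdm.tasks": privs("READ"),
        "auth.customer.user.tenants": privs("READ"),
        "auth.customer.user.profile": privs("READ"),
        "export.data": privs("EXECUTE"),
        "export.config": privs("READ"),
        "export.config.tasks": privs("READ/UPDATE/EXECUTE"),
        "validate.data": privs("EXECUTE"),
    },
}


def write_grants(perms: RolePerms) -> RolePerms:
    """Resources on which a role holds any non-READ privilege."""
    out: RolePerms = {}
    for res, p in perms.items():
        w = p & WRITE_PRIVILEGES
        if w:
            out[res] = w
    return out


def misnamed_readonly(roles: Dict[str, RolePerms] = ROLES) -> Dict[str, RolePerms]:
    """Roles whose name promises read-only access but which can change data."""
    return {name: write_grants(p) for name, p in roles.items()
            if "READONLY" in name.upper() and write_grants(p)}


def effective_privileges(assigned: Iterable[str],
                         roles: Dict[str, RolePerms] = ROLES) -> RolePerms:
    """Union of privileges across all roles a user holds.

    Assumption: resource IDs match exactly; a grant on mdm.tasks is not
    expanded to mdm.tasks.periodic.
    """
    eff: RolePerms = {}
    for name in assigned:
        for res, p in roles[name].items():
            eff.setdefault(res, set()).update(p)
    return eff


def missing_privileges(reference: RolePerms, candidate: RolePerms) -> RolePerms:
    """Privileges in reference that candidate lacks, e.g. what a
    duplicated System role lost (see the Note at the top of the topic)."""
    gaps: RolePerms = {}
    for res, p in reference.items():
        lost = p - candidate.get(res, set())
        if lost:
            gaps[res] = lost
    return gaps


if __name__ == "__main__":
    for name, grants in misnamed_readonly().items():
        print(name, "can still write to:", sorted(grants))
    # Constructed copy of ROLE_ADMIN_SHIELD missing DELETE on shield.key;
    # which privileges a real duplicate drops is not stated on this page.
    copy = {res: set(p) for res, p in ROLES["ROLE_ADMIN_SHIELD"].items()}
    copy["shield.key"].discard("DELETE")
    print("copy lacks:", missing_privileges(ROLES["ROLE_ADMIN_SHIELD"], copy))
```

Run as-is to list which "read-only" roles on this page can still change data and to see a diff between a System role and a constructed copy. To audit a real tenant, replace the ROLES literal with the role definitions exported from User Management, and extend WRITE_PRIVILEGES if your deployment treats EXECUTE differently.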

ROLE_UI_ALL

This role is related to UI features only, as specified in the UI configuration. All views and menu items are fully available for the user, regardless of UI configuration properties. User has all "canCreate", "canRead", "canUpdate", "canDelete" view and menu permissions automatically.

The following image shows the available privileges on resources and sub-resources within the MDM service in the User Management application in Console for the ROLE_UI_ALL role:

Permissions Matrix for the ROLE_UI_ALL role

In the Permissions Framework, these same resources, sub-resources, and permissions would translate to the following information:

Table 9. ROLE_UI_ALL - Details
Service.Resource.Sub-resource ID | Label | Allowed Privileges | Purpose
mdm.preferences | MDM Service - Preferences | CREATE/READ/UPDATE/DELETE | APIs to manage user preferences and UI states
mdm.notifications | MDM Service - Notifications | CREATE/READ/UPDATE/DELETE | APIs to manage user UI notifications