
Studio Roles

This document describes all the default roles you can select in Gataca Studio.

Gataca uses a scope-based strategy to manage roles and permissions. This means access to features in Studio is determined by the scopes assigned to a role, rather than the features being tied to specific roles.

By using scopes, you can precisely manage access and permissions, ensuring that each role has the appropriate level of access to Studio's features based on organizational needs.

Default Roles:

  • The scopes assigned to default roles are aligned with their descriptions, ensuring consistency and clarity in what each role can access.

Custom Roles:

  • When creating custom roles, you have the flexibility to tailor the roles to match your organization’s hierarchy and specific responsibilities.

Keep in mind that custom roles may not automatically align with predefined scopes, so you should carefully configure scopes to match the role’s intended access and functionality.

Roles

| Role | Description | Scopes |
| --- | --- | --- |
| Provider Admin | This role manages a provider organization. This kind of organization can manage its own platform, handling its clients and the organization stored there. This role is accessible just to providers. | DeleteProviders, UpdateProviders, ReadProviders, CreateTenants, DeleteTenants, UpdateTenants, ReadTenants, CreateRoles, DeleteRoles, UpdateRoles, ReadRoles, CreateUsers, DeleteUsers, UpdateUsers, ReadUsers, CreateDids, DeleteDids, UpdateDids, RequestCatalogModifications, ReadDids, CreateSSIConfigs, DeleteSSIConfigs, UpdateSSIConfigs, ReadSSIConfigs, CreateApiKeys, DeleteApiKeys, UpdateApiKeys, ReadApiKeys |
| Organization Owner | This role manages a specific organization. It has all the permissions needed to manage all the features attached to an organization, plus access to the billing and subscription section. | DeleteTenants, UpdateTenants, ReadTenants, CreateRoles, DeleteRoles, UpdateRoles, ReadRoles, CreateUsers, DeleteUsers, UpdateUsers, ReadUsers, CreateDids, DeleteDids, UpdateDids, RequestCatalogModifications, ReadDids, CreateSSIConfigs, DeleteSSIConfigs, UpdateSSIConfigs, ReadSSIConfigs, CreateApiKeys, DeleteApiKeys, UpdateApiKeys, ReadApiKeys, readSessions, validateSessions, issuanceProcesses, deleteSessions, readDataAgreements, updateDataAgreements, revokeDataAgreements, manageCredentials, manageSubscriptions |
| Tenant Admin | This role manages all the technical features in an organization. This role has been created for the person in charge of the organization's technical area. | UpdateTenants, ReadTenants, CreateRoles, DeleteRoles, UpdateRoles, ReadRoles, CreateUsers, DeleteUsers, UpdateUsers, ReadUsers, CreateDids, DeleteDids, UpdateDids, RequestCatalogModifications, ReadDids, CreateSSIConfigs, DeleteSSIConfigs, UpdateSSIConfigs, ReadSSIConfigs, CreateApiKeys, DeleteApiKeys, UpdateApiKeys, ReadApiKeys |
| DID Owner | This role manages a specific DID in the organization. Depending on the organization's hierarchy, it could be used to split responsibilities between departments, companies, etc. | DeleteDids, UpdateDids, RequestCatalogModifications, ReadDids, CreateSSIConfigs, DeleteSSIConfigs, UpdateSSIConfigs, ReadSSIConfigs, CreateApiKeys, DeleteApiKeys, UpdateApiKeys, ReadApiKeys |
| SSI Config Manager | This role can manage SSI Configs attached to a particular logical area (Tenants, DIDs, SSI Configs...). Depending on the organization's hierarchy, it could be used to split responsibilities between departments, companies, etc. | CreateSSIConfigs, ReadSSIConfigs, UpdateSSIConfigs, DeleteSSIConfigs |
| API Key Manager | This role can manage API Keys attached to a concrete logical area (Tenants, DIDs, SSI Configs, API Keys...). Depending on the organization's hierarchy, it could be used to split responsibilities between departments, companies, etc. | CreateApiKeys, ReadApiKeys, UpdateApiKeys, DeleteApiKeys |
| Operator | This role can manage sessions attached to a concrete logical area (Tenants, DIDs, SSI Configs...). Depending on the organization's hierarchy, it could be used to split responsibilities between departments, companies, etc. | readSessions, validateSessions, issuanceProcesses, deleteSessions, readDataAgreements, updateDataAgreements, revokeDataAgreements, manageCredentials |

Scopes

| Scope | Description |
| --- | --- |
| readProviders | It allows the user to read all the providers on the platform. |
| updateProviders | It allows the user to update the providers to which it has permission. |
| deleteProviders | It allows the user to delete the providers to which it has permission. |
| createTenants | It allows the user to create a new organization in the platform. |
| readTenants | It allows the user to read all organizations to which it has permission. |
| updateTenants | It allows the user to update all organizations to which it has permission. |
| deleteTenants | It allows the user to delete all organizations to which it has permission. |
| createRoles | It allows the user to create new custom roles. The new role will be accessible in the associated tenant. |
| readRoles | It allows the user to read all the roles in the tenant to which it has permission. |
| updateRoles | It allows the user to update all the roles in the tenant to which it has permission. |
| deleteRoles | It allows the user to delete all the roles in the tenant to which it has permission. |
| createUsers | It allows the user to invite new users to a specific organization. |
| readUsers | It allows the user to read all users of an organization. |
| updateUsers | It allows the user to update all users of a specific organization. |
| deleteUsers | It allows the user to delete all users of a specific organization. |
| createDids | It allows the user to create new DIDs for a specific organization. |
| readDids | It allows the user to read the DIDs of a specific organization. |
| updateDids | It allows the user to update the DIDs of a specific organization. |
| deleteDids | It allows the user to delete the DIDs of a specific organization. |
| requestCatalogModifications | COMING SOON: It has already been developed in the backend but is not visible in the front end (this scope is required to create “requests” to Gataca Admins). |
| createSSIConfigs | It allows the user to create issuance and verification templates for a specific organization. |
| readSSIConfigs | It allows the user to read issuance and verification templates of a specific organization. |
| updateSSIConfigs | It allows the user to update issuance and verification templates of a specific organization. |
| deleteSSIConfigs | It allows the user to delete issuance and verification templates of a specific organization. |
| createApiKeys | It allows the user to create API Keys for a specific organization. |
| readApiKeys | It allows the user to read the API Keys of a specific organization. |
| updateApiKeys | It allows the user to update the API Keys of a specific organization. |
| deleteApiKeys | It allows the user to delete API Keys of a specific organization. |
| readSessions | It allows the user to read sessions from issuance or verification requests of a specific organization. Reading all the instances of issuance and verification templates for an organization is possible. |
| validateSessions | It allows the user to validate issuance requests of an organization and fill in the information related to that issuance process. |
| deleteSessions | It allows the user to delete sessions from issuance or verification requests of an organization. |
| readDataAgreements | It allows the user to read an organization's data agreements (consents). |
| updateDataAgreements | It allows the user to update a specific organization's data agreements (consents). |
| revokeDataAgreements | It allows the user to revoke a specific organization's data agreements (consents). |
| manageCredentials | It allows the user to change the status of a credential (issued, revoked, suspended). |
| manageSubscription | It allows the user to update the subscription and billing attached to the organization. |
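
One way to act on the custom-role caution above, as an added example that is not Gataca code: it rebuilds the default roles from the Roles table and reports where a custom role exceeds the default role it is modelled on. The `review` function, the `DELEGATION` set and the sample role are assumptions made for illustration.

```python
# Added example: least-privilege review of a custom Studio role.
# Scope names follow the Roles table on this page; the review logic, the
# DELEGATION heuristic and the sample role are assumptions, not Gataca code.

def crud(*resources):
    """Expand resource names into Create/Read/Update/Delete scope names."""
    return {v + r for r in resources for v in ("Create", "Read", "Update", "Delete")}

OPERATOR = {"readSessions", "validateSessions", "issuanceProcesses", "deleteSessions",
            "readDataAgreements", "updateDataAgreements", "revokeDataAgreements",
            "manageCredentials"}
DID_OWNER = (crud("Dids", "SSIConfigs", "ApiKeys") - {"CreateDids"}) | {"RequestCatalogModifications"}
TENANT_ADMIN = DID_OWNER | crud("Roles", "Users") | {"CreateDids", "UpdateTenants", "ReadTenants"}

# Each entry expands to exactly the scope list shown for that default role.
DEFAULT_ROLES = {
    "Provider Admin": TENANT_ADMIN | {"DeleteProviders", "UpdateProviders", "ReadProviders",
                                      "CreateTenants", "DeleteTenants"},
    "Organization Owner": TENANT_ADMIN | OPERATOR | {"DeleteTenants", "manageSubscriptions"},
    "Tenant Admin": TENANT_ADMIN,
    "DID Owner": DID_OWNER,
    "SSI Config Manager": crud("SSIConfigs"),
    "API Key Manager": crud("ApiKeys"),
    "Operator": OPERATOR,
}

# Assumption: scopes that let the holder hand access to someone else.
DELEGATION = {"createroles", "updateroles", "createusers", "updateusers",
              "createapikeys", "updateapikeys"}

def lower(scopes):
    # The page writes the same scope as DeleteDids and deleteDids, so compare case-insensitively.
    return {s.lower() for s in scopes}

def review(custom_scopes, baseline):
    """Report how a custom role differs from the default role it is modelled on."""
    known = set().union(*(lower(s) for s in DEFAULT_ROLES.values()))
    custom = lower(custom_scopes)
    recognised = custom & known
    covering = [n for n, s in DEFAULT_ROLES.items() if recognised <= lower(s)]
    return {
        "unknown": sorted(custom - known),  # typos or scopes not in the Roles table
        "excess": sorted(recognised - lower(DEFAULT_ROLES[baseline])),
        "delegation": sorted(recognised & DELEGATION),
        "smallest_cover": min(covering, key=lambda n: len(DEFAULT_ROLES[n]), default=None),
    }

# Constructed sample: an "operator plus" role with one misspelled scope.
SAMPLE = {"readSessions", "validateSessions", "readDataAgreements",
          "UpdateUsers", "readapikeys", "readSesions"}
REPORT = review(SAMPLE, "Operator")
```

For the sample role, the only default role that covers every recognised scope is Organization Owner, which shows how two extra scopes can move a role far beyond the Operator it was modelled on.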


Last updated 9 months ago