Exploring all System Roles
Learn about the System roles you can assign privileges to.
You can use the System roles appropriately by understanding the privileges tied to each of these roles.
Some System roles are either specific to an individual service, or are a combination of two services. Follow these links to learn more about these roles:
- ROLE_ADMIN_SHIELD
- ROLE_DVF_ADMIN
- ROLE_DVF_USER
- ROLE_RDM
- ROLE_RDM_EDIT
- ROLE_RDM_REVIEW
- ROLE_RDM_SUGGEST
- ROLE_ANALYTICS
- ROLE_ANALYTICS_DEVELOPER
- ROLE_EXTERNAL_MATCH
- ROLE_USER_MATCHIQ_PUBLISH_MODEL
- ROLE_USER_MATCHIQ_EXTERNAL_MATCH
- ROLE_USER_MATCHIQ_TRAIN_MODEL
- ROLE_DNB_CONNECTOR_CONFIG
- ROLE_DTSS_CT_MANAGER
- ROLE_DTSS_DEPLOYER
- ROLE_DTSS_DT_MANAGER
- ROLE_SFDC_CONNECTOR_ADMIN
- ROLE_SFDC_CONNECTOR
- ROLE_ACTIVITIES
- ROLE_DATALOADER
- ROLE_TASKS_CONSISTENCY
- ROLE_ADMIN_USER
- ROLE_WORKFLOW
- ROLE_WORKFLOW_ADMIN
- ROLE_UI_ALL_READONLY
- ROLE_UI_ALL
- ROLE_EXTERNALMATCH_ADMIN
- ROLE_READ_ALL
- ROLE_STATISTICS_REPORTING
The ROLE_READ and ROLE_READONLY roles are placeholder roles that are used with metadata security.
ROLE_ADMIN_SHIELD
The following image shows the available privileges on resources and sub-resources within the Shield Service in the User Management application in Console for the ROLE_ADMIN_SHIELD role:
Permissions Matrix for the ROLE_ADMIN_SHIELD role
In the Permissions Framework, these same resources, sub-resources, and permissions would translate to the following information:
Service.Resource.Sub-resource ID | Label | Allowed Privileges | Purpose |
---|---|---|---|
shield.key | Key | CREATE/READ/UPDATE/DELETE | Administration of crypto keys/policies used for FS level encryption |
shield.encrypt | Encrypt Operations | CREATE | Applying the encryption for the FS level data by applying the encryption policy |
shield.encrypt.status | Encrypt Operations Status | READ | Status of the encryption state |
ROLE_ACTIVITIES
The following image shows the available privileges on resources and sub-resources within the MDM Service (Reltio Platform service) in the User Management application in Console for the ROLE_ACTIVITIES role:
Permissions Matrix for the ROLE_ACTIVITIES role
In the Permissions Framework, these same resources, sub-resources, and permissions would translate to the following information:
Service.Resource.Sub-resource ID | Label | Allowed Privileges | Purpose |
---|---|---|---|
mdm.data.activityLog | Data - Activity Log | READ | Access for all the user activities in the tenants |
mdm.data.activityLog.personal | Personal Activities | CREATE/READ/UPDATE | Access for all the user activities in the tenants |
mdm.data.activityLog.entity | Entity Level All Activities | READ | Access for all user activities of a particular entity |
ROLE_DATALOADER
The following image shows the available privileges on resources and sub-resources within the MDM (Reltio Platform) service in the User Management application in Console for the ROLE_DATALOADER role:
Permissions Matrix for the ROLE_DATALOADER role
In the Permissions Framework, these same resources, sub-resources, and permissions would translate to the following information:
Service.Resource.Sub-resource ID | Label | Allowed Privileges | Purpose |
---|---|---|---|
mdm.data.entities.profile | Data - Entities - Data Management | CREATE/UPDATE | Directly load entities by using REST API |
mdm.data.relations | Data - Relations | CREATE/UPDATE | Directly load relations by using REST API |
mdm.tasks.periodic | Tenant tasks - Periodic Tasks | READ/UPDATE/EXECUTE | Load data by using periodic task (big load case) |
ROLE_TASKS_CONSISTENCY
Permissions Matrix for the ROLE_TASKS_CONSISTENCY role
In the Permissions Framework, these same resources, sub-resources, and permissions would translate to the following information:
Service.Resource.Sub-resource ID | Label | Allowed Privileges | Purpose |
---|---|---|---|
mdm.environment.tasks | | READ/UPDATE/EXECUTE | All the different environment level tasks |
mdm.environment.tasks.consistency | | EXECUTE | All the consistency check related APIs |
ROLE_ADMIN_USER
- create/update/delete user account administrators
- access to all user accounts for the specific customer
The following image shows the available privileges on resources and sub-resources within the MDM (Reltio Platform) and Authorization services in the User Management application in Console for the ROLE_ADMIN_USER role:
Permissions Matrix for the ROLE_ADMIN_USER role
In the Permissions Framework, these same resources, sub-resources, and permissions would translate to the following information:
Service.Resource.Sub-resource ID | Label | Allowed Privileges | Purpose |
---|---|---|---|
mdm.config.physical | Tenant Configurations - Physical | READ | Tenant Physical configuration APIs |
auth.reltioRoles | Reltio Roles | READ | Read access to all the Reltio System roles |
auth.reltioServices | Reltio Services | READ | View all Reltio services |
auth.monitoring | Monitoring | READ | View Auth Audit log |
auth.customer.user | Users | CREATE/READ/UPDATE/DELETE | User Management APIs |
ROLE_EXTERNALMATCH_ADMIN
The following image shows the available privileges on resources and sub-resources within the MDM (Reltio Platform) service in the User Management application in Console for the ROLE_EXTERNALMATCH_ADMIN role:
Permissions Matrix for the ROLE_EXTERNALMATCH_ADMIN role
In the Permissions Framework, these same resources, sub-resources, and permissions would translate to the following information:
Service.Resource.Sub-resource ID | Label | Allowed Privileges | Purpose |
---|---|---|---|
mdm.tasks.periodic | MDM Service - Tenant tasks - Periodic Tasks | READ/UPDATE/EXECUTE | Administrative access to External Match |
ROLE_WORKFLOW
The following image shows the available privileges on resources and sub-resources within the Workflow service in the User Management application in Console for the ROLE_WORKFLOW role.
Permissions Matrix for the ROLE_WORKFLOW role
In the Permissions Framework, these same resources, sub-resources, and permissions would translate to the following information:
Service.Resource.Sub-resource ID | Label | Allowed Privileges | Purpose |
---|---|---|---|
workflow.data | Workflow Service - Data | CREATE/READ/UPDATE/DELETE | APIs to manage the process instances and tasks |
workflow.jobs | Workflow Service - Jobs | READ/EXECUTE | API to manage background tasks |
workflow.monitoring | Workflow Service - Monitoring | READ | Monitoring API |
workflow.config.definition | Workflow Service - Configuration - Process Definition | CREATE/READ/DELETE | APIs to deploy and manage the process definition |
workflow.config.jar | Workflow Service - Configuration - Custom Jars | CREATE/READ/DELETE | APIs to manage the custom jar files on a tenant level |
workflow.environment.config.register | | READ | APIs for managing tenant registration |
workflow.environment.config.jar | | READ | APIs to manage the custom jar files on environment level |
ROLE_WORKFLOW_ADMIN
This role provides access to the Workflow service and grants privileges to deploy/undeploy jars on a tenant and to publish/remove process definitions.
This screenshot shows the ROLE_WORKFLOW_ADMIN privileges for resources and sub-resources in the Workflow service displayed in .
This table lists all of the resources, sub-resources, and permissions for ROLE_WORKFLOW_ADMIN in the Reltio Permissions Framework.
Service.Resource.Sub-resource ID | Label | Allowed Privileges | Purpose |
---|---|---|---|
workflow.jobs | Workflow Service - Jobs | READ/EXECUTE | API to manage background tasks |
workflow.monitoring | Workflow Service - Monitoring | READ | Monitoring API |
workflow.config.definition | Workflow Service - Configuration - Process Definition | CREATE/READ/DELETE | APIs to deploy and manage the process definition |
workflow.config.jar | Workflow Service - Configuration - Custom Jars | CREATE/READ/DELETE | APIs to manage the custom jar files on a tenant level |
workflow.environment.config.register | | READ | APIs for managing tenant registration |
workflow.environment.config.jar | | READ | APIs to manage the custom jar files on environment level |
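For an access review it helps to compare roles mechanically rather than by eye. The following is an added example, not Reltio code: it parses the ROLE_WORKFLOW and ROLE_WORKFLOW_ADMIN tables as they appear on this page (including rows whose Label cell is empty or missing) and reports which grants one role has that the other lacks. The function names `parse_rows` and `extra_grants` are hypothetical, and the privilege vocabulary is assumed to be the five words used in this page's tables.

```python
PRIVS = {"CREATE", "READ", "UPDATE", "DELETE", "EXECUTE"}

def parse_rows(table):
    """Map each resource ID in a pipe table to its set of allowed privileges."""
    grants = {}
    for line in table.strip().splitlines():
        cells = [c.strip() for c in line.split("|")]
        if cells[0].startswith(("Service.", "---")):
            continue  # header or separator row
        # Take the first cell made up only of privilege words, so rows with an
        # empty or missing Label cell are still read correctly.
        for cell in cells[1:]:
            if cell and set(cell.split("/")) <= PRIVS:
                grants[cells[0]] = set(cell.split("/"))
                break
        else:
            raise ValueError(f"no privilege cell in row: {line!r}")
    return grants

def extra_grants(role_a, role_b):
    """Privileges role_a holds that role_b lacks, as {resource: privileges}."""
    extra = {res: privs - role_b.get(res, set()) for res, privs in role_a.items()}
    return {res: privs for res, privs in extra.items() if privs}

# Rows copied from the ROLE_WORKFLOW_ADMIN table on this page.
ADMIN_ROWS = """
Service.Resource.Sub-resource ID | Label | Allowed Privileges | Purpose |
---|---|---|---|
workflow.jobs | Workflow Service - Jobs | READ/EXECUTE | API to manage background tasks |
workflow.monitoring | Workflow Service - Monitoring | READ | Monitoring API |
workflow.config.definition | Workflow Service - Configuration - Process Definition | CREATE/READ/DELETE | APIs to deploy and manage the process definition |
workflow.config.jar | Workflow Service - Configuration - Custom Jars | CREATE/READ/DELETE | APIs to manage the custom jar files on a tenant level |
workflow.environment.config.register | READ | APIs for managing tenant registration | |
workflow.environment.config.jar | READ | APIs to manage the custom jar files on environment level |
"""
# Rows copied from the ROLE_WORKFLOW table on this page (header omitted).
WORKFLOW_ROWS = """
workflow.data | Workflow Service - Data | CREATE/READ/UPDATE/DELETE | APIs to manage the process instances and tasks |
workflow.jobs | Workflow Service - Jobs | READ/EXECUTE | API to manage background tasks |
workflow.monitoring | Workflow Service - Monitoring | READ | Monitoring API |
workflow.config.definition | Workflow Service - Configuration - Process Definition | CREATE/READ/DELETE | APIs to deploy and manage the process definition |
workflow.config.jar | Workflow Service - Configuration - Custom Jars | CREATE/READ/DELETE | APIs to manage the custom jar files on a tenant level |
workflow.environment.config.register | READ | APIs for managing tenant registration | |
workflow.environment.config.jar | READ | APIs to manage the custom jar files on environment level |
"""

if __name__ == "__main__":
    print(extra_grants(parse_rows(WORKFLOW_ROWS), parse_rows(ADMIN_ROWS)))
    print(extra_grants(parse_rows(ADMIN_ROWS), parse_rows(WORKFLOW_ROWS)))
```

As listed on this page, ROLE_WORKFLOW holds every grant in ROLE_WORKFLOW_ADMIN plus full CRUD on `workflow.data`, so assigning both roles to one user adds nothing beyond ROLE_WORKFLOW alone.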
ROLE_UI_ALL_READONLY
This role is related to UI features only, as specified in the UI configuration. All views and menu items are available as read-only for the user, regardless of the UI configuration properties. In other words, the user has all "canRead" view and menu permissions automatically.
"canRead": false still hides a view for the user, no matter what roles the user has.
ROLE_UI_ALL_READONLY . Instead, you should set up permissions on a tenant through metadata configuration and provide a list of operations the role should support. For example, READ, UPDATE, DELETE, MERGE, and so on.
The following image shows the available privileges on resources and sub-resources within the MDM service in the User Management application in Console for the ROLE_UI_ALL_READONLY role:
Permissions Matrix for the ROLE_UI_ALL_READONLY role
In the Permissions Framework, these same resources, sub-resources, and permissions would translate to the following information:
Service.Resource.Sub-resource ID | Label | Allowed Privileges | Purpose |
---|---|---|---|
mdm.data.graph | MDM Service - Graphs | READ | All Graphs management APIs |
mdm.data.helper | MDM Service - Helper Data | CREATE/READ/UPDATE | The additional helper data management related APIs |
mdm.data.entities | MDM Service - Entities | CREATE/READ/UPDATE/EXECUTE | All entities management APIs |
mdm.data.activityLog.personal | MDM Service - Personal Activities | CREATE/READ/UPDATE | Access the personal activities in the tenants |
mdm.data.groups | MDM Service - Groups | READ | All Groups management APIs |
mdm.data.categories | MDM Service - Categories | READ | All Categories management APIs |
mdm.data.relations | MDM Service - Relations | READ | All relations management APIs |
mdm.data.changeRequests | MDM Service - Change Requests | READ | All ChangeRequests management APIs |
mdm.data.interactions | MDM Service - Interactions | READ | All Interactions management APIs |
mdm.preference | MDM Service - Preference | READ | User Preference related APIs |
mdm.monitoring | MDM Service - Monitoring | READ | APIs for monitoring the tenant |
mdm.config | MDM Service - Tenant Configurations | READ | All the tenant level configurations |
mdm.tasks | MDM Service - Tenant tasks | READ | All the tenant level tasks APIs |
auth.customer.user.tenants | User Tenants | READ | APIs for managing the user tenants |
auth.customer.user.profile | User Profile | READ | APIs for managing basic user profile information |
export.data | Export Service - Data Export | EXECUTE | Extract all data from tenant |
export.config | Export Configuration | READ | Get the export configuration |
export.config.tasks | Export Service - Tasks | READ/UPDATE/EXECUTE | APIs related to export tasks |
validate.data | Validation Service - Data validation | EXECUTE | Ability to run validation on data type |
ROLE_UI_ALL
This role is related to UI features only, as specified in the UI configuration. All views and menu items are fully available for the user, regardless of UI configuration properties. The user has all "canCreate", "canRead", "canUpdate", "canDelete" view and menu permissions automatically.
The following image shows the available privileges on resources and sub-resources within the MDM service in the User Management application in Console for the ROLE_UI_ALL role:
Permissions Matrix for the ROLE_UI_ALL role
In the Permissions Framework, these same resources, sub-resources, and permissions would translate to the following information:
Service.Resource.Sub-resource ID | Label | Allowed Privileges | Purpose |
---|---|---|---|
mdm.preferences | MDM Service - Preferences | CREATE/READ/UPDATE/DELETE | APIs to manage user preferences and UI states |
mdm.notifications | MDM Service - Notifications | CREATE/READ/UPDATE/DELETE | APIs to manage user UI notifications |
ROLE_STATISTICS_REPORTING
The following image shows the available privileges on resources and sub-resources within the Statistics Reporting service in the User Management application in Console for the ROLE_STATISTICS_REPORTING role:
Permissions Matrix for the ROLE_STATISTICS_REPORTING role
In the Permissions Framework, these same resources, sub-resources, and permissions would translate to the following information:
Service.Resource.Sub-resource ID | Label | Allowed Privileges | Purpose |
---|---|---|---|
reportingservice.statisticsdata | Statistics Data | READ | Read Statistics Data |