Skip to content

Authorization Service built-in roles

The Authorization Service API comes with a number of in-built roles that give various permissions to callers.

This document defines the built-in roles and what they grant to users, as well as what roles are assigned to CERN and non-CERN accounts by default.

List of API roles and their description

The following table contains all the roles defined for the Authorization Service and what they mean:

Role name Description
administrator Full control on the Authorization Service.
afs_auth_admin AFS Administrators can manage AFS resources for all users.
afs_user Authorization Service AFS resource user. Can own an AFS account and workspace.
application_manager Allowed to create and manage applications for other users.
application_reader Allowed to read applications.
application_user Allowed to create and own applications.
cern_account CERN account, applies to users that log in with the highest LoA provider (CERN). Allows account operations.
deny_password_reset Accounts which are not allowed to reset their passwords.
groups_administrator Full control on all groups in the Authorization Service.
groups_reader Allowed to read groups.
groups_user Allowed to create and own groups.
identity_administrator Full control on all identities and accounts in the Authorization Service.
identity_reader Allowed to read identities.
identity_user Allowed to create and own non-primary identities.
resource_administrator Full control on the Authorization Service resources.
security_team Security Team members can perform all service desk operations, including blocking and unblocking resources for security issues.
service_desk Service desk members can perform operations on behalf of other users in the Authorization Service Service Desk Portal.

Role mappings to groups

These are the groups that are mapped to each of the roles described above. We will be splitting the role-group mappings into two different tables.

Mappings to closed groups

First, we have the groups that users cannot request membership for. In case you need any roles that are mapped strictly to these closed groups, you should open a SNOW ticket stating your request.

Group identifier Role names
afs-resource-admins afs_auth_admin
authorization-service-administrators administrator
authorization-service-groups-administrators groups_administrator
authorization-service-identity-administrators identity_administrator
authorization-service-resource-administrators resource_administrator
authorization-service-security-team security_team
authorization-service-service-desk service_desk
cern-accounts-primary application_user, groups_user, identity_user
cern-accounts-secondary groups_user, identity_user
cern-accounts-service application_user, groups_user, identity_user
cern-active-users application_user, groups_user, identity_user
deny-password-reset deny_password_reset
secondary-identities application_user, groups_user, identity_user
service-identities application_user, groups_user, identity_user
authorization-service-applications-managers application_manager, application_reader, groups_reader, identity_reader
authorization-service-applications-readers application_reader
authorization-service-applications-users application_user
authorization-service-groups-readers groups_reader
authorization-service-groups-users groups_user
authorization-service-identity-readers identity_reader, identity_user

Mappings to groups that allow self-subscription

The second table contains the roles mapped to groups which allow self-subscription. You can either request membership in the groups-portal or on the application-portal group membership tab, in the case that you want to call the API using an application's client ID and secret.

For most of these groups, a request will be submitted to the Authorization Service team and you may be asked to clarify why you require that specific role.

Group identifier Role names
afs-resource-users afs_user

Roles assigned by default

Non-CERN accounts (guest, social accounts)

By default, no roles for the API are assigned to guest or social accounts. The applications and groups portals should not be functional for these accounts.

However, users can still view and modify information about their accounts on the users portal.

CERN accounts

The following roles are assigned by default to all the CERN account types (primary, secondary, service):

Role name
application_user
groups_user
identity_user
cern_account