Services - Roles and Permissions
This document describes the roles and permissions defined for each service in the platform.
1. Sidra Service (Core)
The Sidra service is the main data platform service providing data catalog, data storage unit (DSU) management, integration hub, and pipeline capabilities.
Roles and Permissions
| Role Name | Description | Permissions |
|---|---|---|
| sidra_Admin | Grants full access to all Sidra platform features and resources | • CreateApplication • CreateDSU • DeleteFromDataCatalog • DeleteIntegrationHub • DeployPipeline • ImportExportDataCatalog • PublishToDSU • ReadAuthenticationServiceData • ReadDataCatalog • ReadIntegrationHub • SendNotification • TagDataCatalog • UnmaskData • WriteDataCatalog • WriteIntegrationHub |
| sidra_AppContributor | Allows creation and management of Client Applications within Sidra | • CreateApplication • ReadDataCatalog |
| sidra_AuthenticationReader | Allows retrieval of user-related data from the Authentication Service | • ReadAuthenticationServiceData |
| sidra_DataCatalogAdministrator | Grants full control over Data Catalog resources and operations | • DeleteFromDataCatalog • ImportExportDataCatalog • ReadDataCatalog • WriteDataCatalog • TagDataCatalog |
| sidra_DataCatalogAnnotator | Allows management of tags and annotations in the Data Catalog | • ReadDataCatalog • TagDataCatalog |
| sidra_DataCatalogContributor | Allows both reading and writing operations in the Data Catalog | • DeleteFromDataCatalog • ReadDataCatalog • WriteDataCatalog |
| sidra_DataCatalogReader | Permits read-only access to Data Catalog resources | • ReadDataCatalog |
| sidra_DSUContributor | Permits creation and management of Data Storage Units | • CreateDSU • PublishToDSU |
| sidra_MaskedDataReader | Permits reading and unmasking of sensitive data | • ReadDataCatalog • UnmaskData |
| sidra_Notifier | Permits sending notifications through the platform | • SendNotification |
| sidra_PipelineContributor | Allows deployment and updates of data processing Pipelines | • DeployPipeline |
| sidra_IntegrationHubContributor | Grants management capabilities for Integration Hub resources | • ReadIntegrationHub • WriteIntegrationHub • DeleteIntegrationHub |
| sidra_IntegrationHubReader | Permits read-only access to Integration Hub resources | • ReadIntegrationHub |
Permission Definitions
| Permission | Description |
|---|---|
| CreateApplication | User can create a new Client Application |
| CreateDSU | User can create a new Data Storage Unit |
| DeleteFromDataCatalog | User can remove data from Data Catalog |
| DeleteIntegrationHub | User can delete from Integration Hub |
| DeployPipeline | User can deploy new Pipelines |
| ImportExportDataCatalog | User can import/export the Data Catalog |
| PublishToDSU | User can publish resources into the Data Storage Unit |
| ReadAuthenticationServiceData | User can get user-related data from Authentication Service |
| ReadDataCatalog | User can read from Data Catalog |
| ReadIntegrationHub | User can read from Integration Hub |
| SendNotification | User can send Notifications |
| TagDataCatalog | User can manage tags on the Data Catalog |
| UnmaskData | User can unmask masked data |
| WriteDataCatalog | User can write in Data Catalog |
| WriteIntegrationHub | User can write in Integration Hub |
Client ID: corewebsite | Claim Type: sidra
2. Supervisor Service
The Supervisor service provides monitoring, supervision, and installation management capabilities for the platform.
Roles and Permissions
| Role Name | Description | Permissions |
|---|---|---|
| supervisor_Admin | Full access to the Supervisor service | • RegisterInstallation • InstallService • Supervise |
| supervisor_Supervisor | Limited access to the Supervisor service | • Supervise |
Permission Definitions
| Permission | Description |
|---|---|
| RegisterInstallation | User can register a new installation in Llagar |
| InstallService | User can install a service in an existing installation |
| Supervise | User can supervise an installation and its services |
Client ID: supervisorwebsite | Claim Type: supervisor
3. API Builder Service
The API Builder service enables deployment and configuration of APIs in Data Products using Microsoft Data API Builder.
Roles and Permissions
| Role Name | Description | Permissions |
|---|---|---|
| apibuilder_Admin | Full access to ApiBuilder operations | • ConfigureApiBuilder • DeployApiBuilder |
| apibuilder_Contributor | Can configure ApiBuilder settings without deployment rights | • ConfigureApiBuilder |
Permission Definitions
| Permission | Description |
|---|---|
| DeployApiBuilder | User can deploy an API in a Data Product (requires Data Product permissions) |
| ConfigureApiBuilder | User can modify configuration of an API already deployed in a Data Product (requires Data Product permissions) |
Client ID: apibuilderwebsite | Claim Type: apibuilder
4. Data Catalog Service
The Data Catalog service provides data catalog management capabilities with AI-powered features.
Roles and Permissions
| Role Name | Description | Permissions |
|---|---|---|
| datacatalog_Admin | Administrator role for Data Catalog service | • PublishToDSU |
Permission Definitions
| Permission | Description |
|---|---|
| PublishToDSU | User can publish resources into the Data Storage Unit |
Client ID: datacatalogwebsite | Claim Type: datacatalog
5. Data Quality Service
The Data Quality service provides data validation and quality monitoring capabilities.
Roles and Permissions
| Role Name | Description | Permissions |
|---|---|---|
| dataquality_DataQualityContributor | Can create, read, update, and delete validations | • WriteValidations • ReadValidations • DeleteValidations |
| dataquality_DataQualityReader | Can only read validation information | • ReadValidations |
Permission Definitions
| Permission | Description |
|---|---|
| WriteValidations | Allows creating/updating validations |
| ReadValidations | Allows reading validations |
| DeleteValidations | Allows removing validations |
Client ID: dataqualitywebsite | Claim Type: dataquality
6. DSU Manager Service
The DSU Manager service manages Data Storage Units (DSU) deployment and configuration.
Roles and Permissions
| Role Name | Description | Permissions |
|---|---|---|
| dsumanager_Admin | Administrator role for DSU Manager service | • PublishToDSU |
Permission Definitions
| Permission | Description |
|---|---|
| PublishToDSU | User can publish resources into the Data Storage Unit |
Client ID: dsuwebsite | Claim Type: dsumanager
7. FHIR Service
The FHIR service provides Fast Healthcare Interoperability Resources (FHIR) data management capabilities.
Roles and Permissions
| Role Name | Description | Permissions |
|---|---|---|
| fhir_Admin | Administrator role for FHIR service | • PublishToDSU |
Permission Definitions
| Permission | Description |
|---|---|
| PublishToDSU | User can publish resources into the Data Storage Unit |
Client ID: fhirwebsite | Claim Type: fhirmanager
Global Roles
The following role applies across all services:
| Role Name | Description |
|---|---|
| SidraGlobalAdministrator | Global administrative privileges across the entire Sidra platform |
Implementation Notes
Authorization Architecture
- `IRolePermissionMappingProvider`: Each service implements this interface to define role-permission mappings:
  - `SidraUIRolePermissionMappingProvider.cs`
  - `SupervisorUIRolePermissionMappingProvider.cs`
  - `ApiBuilderUIRolePermissionMappingProvider.cs`
  - `DataCatalogUIRolePermissionMappingProvider.cs`
  - `DataQualityUIRolePermissionMappingProvider.cs`
  - `DsuManagerUIRolePermissionMappingProvider.cs`
  - `FhirUIRolePermissionMappingProvider.cs`
Naming Conventions
- Role Names: Follow the pattern `{service}_{RoleName}` (e.g., `sidra_Admin`, `supervisor_Supervisor`)
- Client IDs: Follow the pattern `{service}website` (e.g., `corewebsite`, `supervisorwebsite`)
- Claim Types: Use lowercase service names or service-specific identifiers (e.g., `sidra`, `supervisor`, `apibuilder`)
Authorization Policies
- Permissions are enforced through ASP.NET Core Authorization Policies
- Each permission is defined as a policy in the service's `AuthorizationPolicies` class
- Policies are mapped to roles through the `IRolePermissionMappingProvider` implementation
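
The sketch below shows how a permission policy can resolve to roles in ASP.NET Core, using the Data Quality rows from this page. It is an added example, not the platform's own code: `IExampleRolePermissionMap`, `DataQualityExampleMap`, `PermissionHandler` and `ExamplePolicies` are hypothetical names, and it assumes that roles arrive as claims of type `dataquality` and that each policy is named after its permission.

```csharp
using System.Collections.Generic;
using System.Linq;
using System.Threading.Tasks;
using Microsoft.AspNetCore.Authorization;

// Hypothetical stand-in for a mapping provider (assumed shape, not the project's interface).
public interface IExampleRolePermissionMap { IReadOnlySet<string> PermissionsFor(string role); }

// Rows copied from the Data Quality Service table on this page.
public sealed class DataQualityExampleMap : IExampleRolePermissionMap
{
    private static readonly HashSet<string> None = new();
    private static readonly Dictionary<string, HashSet<string>> Map = new()
    {
        ["dataquality_DataQualityContributor"] = new() { "WriteValidations", "ReadValidations", "DeleteValidations" },
        ["dataquality_DataQualityReader"] = new() { "ReadValidations" },
    };

    // Unknown roles get no permissions (deny by default).
    public IReadOnlySet<string> PermissionsFor(string role) =>
        Map.TryGetValue(role, out var perms) ? perms : None;
}

public sealed record PermissionRequirement(string Permission) : IAuthorizationRequirement;
public sealed class PermissionHandler : AuthorizationHandler<PermissionRequirement>
{
    // Assumption: each role reaches the service as a claim of this type.
    private const string RoleClaimType = "dataquality";
    private readonly IExampleRolePermissionMap _map;
    public PermissionHandler(IExampleRolePermissionMap map) => _map = map;
    protected override Task HandleRequirementAsync(
        AuthorizationHandlerContext context, PermissionRequirement requirement)
    {
        bool granted = context.User.FindAll(RoleClaimType)
            .Any(c => _map.PermissionsFor(c.Value).Contains(requirement.Permission));
        if (granted) context.Succeed(requirement); // otherwise the requirement stays unmet
        return Task.CompletedTask;
    }
}

public static class ExamplePolicies
{
    // One policy per permission, named after the permission (assumed naming).
    public static void Add(AuthorizationOptions options)
    {
        foreach (var p in new[] { "WriteValidations", "ReadValidations", "DeleteValidations" })
            options.AddPolicy(p, b => b.AddRequirements(new PermissionRequirement(p)));
    }
}
```

Register the handler with `services.AddSingleton<IAuthorizationHandler, PermissionHandler>()` alongside the map, and protect an endpoint with `[Authorize(Policy = "DeleteValidations")]`. A caller holding only `dataquality_DataQualityReader` is then denied on that endpoint because no mapped role grants the permission.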