Each service defines a set of permissions. When a service accesses another service, the user needs the permissions of that other service too. Each permission can come in the flavors READ, WRITE, and DELETE. If you give a user a permission in a service, you should also give them all the permissions in other services that this permission depends on. This page documents those permissions and their dependencies to make this easier:
provisioner
All provisioner endpoints are permissioned as system permissions. The provisioner provides no other permissions, and no service depends on provisioner permissions.
identity
Identity does not depend on other services.
identity__v1__users
flavors: READ, WRITE
identity__v1__roles
flavors: READ, WRITE, DELETE
identity__v1__self
A user's ability to change their own password, and to permit services to act on their behalf. This permission cannot be withdrawn.
flavors: READ, WRITE, DELETE
identity__v1__app_self
A service's ability to request permissions to other services.
flavors: READ, WRITE
rhythm
All rhythm endpoints have system permissions. Creating a beat for a tenant requires the identity__v1__app_self permission.
accounting
Accounting does not depend on other services.
accounting__v1__ledger
flavors: READ, WRITE, DELETE
accounting__v1__account
flavors: READ, WRITE, DELETE
accounting__v1__journal
flavors: READ, WRITE
accounting__v1__tx_types
flavors: READ, WRITE
accounting__v1__income_stmt
flavors: READ
accounting__v1__fin_condition
flavors: READ
office
The office service relies on the user ids from identity, but does not access any other services. Office is not dependent on any other permissions.
office__v1__offices
flavors: READ, WRITE, DELETE
office__v1__employees
flavors: READ, WRITE, DELETE
office__v1__self
The ability for an employee to edit their own details including contact details.
flavors: READ, WRITE, DELETE
customer
The customer service is not dependent on any other services.
customer__v1__customer
flavors: READ, WRITE
customer__v1__portrait
flavors: READ, WRITE, DELETE
customer__v1__identifications
flavors: READ, WRITE, DELETE
customer__v1__task
flavors: READ, WRITE
catalog__v1__catalog
The ability to add custom properties for customers.
flavors: READ, WRITE, DELETE
group
Permission modeling of the group service is incomplete.
deposit-account-management
Depends on the services accounting and customer.
deposit__v1__definition
flavors: READ, WRITE, DELETE
deposit__v1__instance
flavors: READ, WRITE
portfolio
Depends on the services rhythm, accounting, and customer. The dependency on rhythm has no influence on configurable permissions.
portfolio__v1__products__enable
flavors: READ, WRITE
portfolio__v1__products__enable.WRITE requires
- accounting__v1__account.READ
- accounting__v1__ledger.READ
portfolio__v1__products__enable.READ requires
- accounting__v1__account.READ
- accounting__v1__ledger.READ
portfolio__v1__products__lossprv
flavors: READ, WRITE
portfolio__v1__products
flavors: READ, WRITE, DELETE
portfolio__v1__case
flavors: READ, WRITE
portfolio__v1__case.WRITE requires
- customer__v1__customer.READ
- accounting__v1__journal.WRITE
- accounting__v1__ledger.WRITE
- accounting__v1__ledger.READ
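The dependency lists above can be checked mechanically before a role is saved. The following is an added example, not code from the project: the flavors and dependencies are copied from this page, while `audit_role`, `fmt` and the `LOAN_OFFICER` role are hypothetical names constructed for illustration. It follows dependencies transitively, although this page only lists direct ones.

```python
# Added example: audit a role's grants against the dependencies on this page.
# FLAVORS and REQUIRES are copied from the page; the role below is constructed.
FLAVORS = {
    "accounting__v1__ledger": {"READ", "WRITE", "DELETE"},
    "accounting__v1__account": {"READ", "WRITE", "DELETE"},
    "accounting__v1__journal": {"READ", "WRITE"},
    "customer__v1__customer": {"READ", "WRITE"},
    "portfolio__v1__products__enable": {"READ", "WRITE"},
    "portfolio__v1__case": {"READ", "WRITE"},
}
ENABLE_DEPS = {("accounting__v1__account", "READ"), ("accounting__v1__ledger", "READ")}
REQUIRES = {
    ("portfolio__v1__products__enable", "WRITE"): ENABLE_DEPS,
    ("portfolio__v1__products__enable", "READ"): ENABLE_DEPS,
    ("portfolio__v1__case", "WRITE"): {
        ("customer__v1__customer", "READ"),
        ("accounting__v1__journal", "WRITE"),
        ("accounting__v1__ledger", "WRITE"),
        ("accounting__v1__ledger", "READ"),
    },
}

def audit_role(grants):
    """Return (invalid, missing): grants naming an unknown group or flavor,
    and required permissions the role lacks (dependencies followed transitively)."""
    grants = set(grants)
    invalid = {g for g in grants if g[1] not in FLAVORS.get(g[0], set())}
    needed, stack = set(), list(grants - invalid)
    while stack:
        for dep in REQUIRES.get(stack.pop(), ()):
            if dep not in needed:
                needed.add(dep)
                stack.append(dep)
    return invalid, needed - grants

def fmt(perms):
    """Render (group, flavor) pairs in the page's group.FLAVOR notation."""
    return sorted(f"{group}.{flavor}" for group, flavor in perms)

# Constructed role: may write cases but lacks two of the accounting dependencies.
LOAN_OFFICER = [
    ("portfolio__v1__case", "WRITE"),
    ("customer__v1__customer", "READ"),
    ("accounting__v1__ledger", "READ"),
    ("accounting__v1__journal", "DELETE"),  # journal has no DELETE flavor
]

if __name__ == "__main__":
    invalid, missing = audit_role(LOAN_OFFICER)
    print("invalid:", fmt(invalid))
    print("missing:", fmt(missing))
```

A role that fails this audit is under-provisioned rather than over-provisioned: calls that cross into the dependent service are refused until the missing grants are added.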
teller
teller__v1__management
flavors: READ, WRITE, DELETE
teller__v1__operation
flavors: READ, WRITE
reporting
Reporting does not depend on other services.
reporting__v1__general
flavors: READ, WRITE
String DEFINITION_MANAGEMENT = "deposit__v1__definition";
String INSTANCE_MANAGEMENT = "deposit__v1__instance";