RBAC & capabilities
Access in edgentia has three tiers: a platform tier, consumer users, and workspace roles. Authorization is capability-based — a single table maps each action to a minimum role, and both the API and the UI read it, so they never drift.
The three tiers
- Platform Admin — platform-wide. Manages ISA-95 groups (scope), the global catalogue, platform broker/data-store config, and approves global proposals. In Keycloak/Entra this is the platform-admin role.
- Consumer User — any authenticated user who belongs to at least one group. Can create workspaces (becoming their Owner), pick in-scope assets, and propose topics.
- Workspace roles — within a workspace, a cumulative ladder: Viewer → Operator → Analyst → Co-Owner → Owner. A higher role inherits every capability beneath it.
Workspace capability matrix
Each capability is granted at its lowest qualifying role; higher roles inherit it.
| Capability | Viewer | Operator | Analyst | Co-Owner | Owner |
|---|---|---|---|---|---|
| View catalogue / dashboards / history (read) | ✓ | ✓ | ✓ | ✓ | ✓ |
| Add comments / operator context | | ✓ | ✓ | ✓ | ✓ |
| Edit custom context properties | | ✓ | ✓ | ✓ | ✓ |
| Set asset API publication | | | ✓ | ✓ | ✓ |
| Author a workspace Control Module | | | ✓ | ✓ | ✓ |
| Set the shared default history view | | | ✓ | ✓ | ✓ |
| Create / edit dashboards | | | ✓ | ✓ | ✓ |
| Manage alert rules | | | ✓ | ✓ | ✓ |
| Share a dashboard (view-only) | | | | ✓ | ✓ |
| Manage members | | | | ✓ | ✓ |
| Manage share links | | | | ✓ | ✓ |
| Elevate workspace scope | | | | ✓ | ✓ |
| Rename workspace | | | | | ✓ |
| Delete workspace | | | | | ✓ |
The ladder is intentionally cumulative: an Analyst can do everything an Operator can, plus authoring and dashboards. The Owner role is fixed for a workspace: it belongs to the creator and changes only by deliberate transfer.
Group scope
ISA-95 groups scope what a user can see in the global catalogue. A group has a
scope path (an ISA-95 prefix with subtree semantics, e.g. lyon.assembly) and a
member list. A user's visibility is the union of their groups' scope prefixes;
platform-admin sees everything. Workspaces are selections of assets within the
member's group scope — you can only add assets you're scoped to.
The invite ceiling
When granting a role to a member, you can grant any role up to your own — never higher. The workspace Owner role isn't assignable this way (ownership is the creator's, transferred deliberately). This prevents privilege escalation through invites.
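As an added example (not edgentia's own code) of how one capability table can drive both the matrix above and the invite ceiling: a Python model with assumed capability identifiers, where the ladder is ordered so a higher role inherits everything beneath it, unknown capabilities fail closed, and the ceiling rejects grants above the granter's own role as well as any grant of Owner.

```python
from enum import IntEnum


class Role(IntEnum):
    # Cumulative ladder: a higher value inherits everything beneath it.
    VIEWER = 1
    OPERATOR = 2
    ANALYST = 3
    CO_OWNER = 4
    OWNER = 5


# Single source of truth: each capability -> lowest qualifying role.
# Capability names are assumed identifiers chosen for this example.
MIN_ROLE = {
    "view": Role.VIEWER,
    "comment": Role.OPERATOR,
    "edit_context": Role.OPERATOR,
    "publish_asset_api": Role.ANALYST,
    "author_control_module": Role.ANALYST,
    "set_default_history_view": Role.ANALYST,
    "edit_dashboards": Role.ANALYST,
    "manage_alert_rules": Role.ANALYST,
    "share_dashboard": Role.CO_OWNER,
    "manage_members": Role.CO_OWNER,
    "manage_share_links": Role.CO_OWNER,
    "elevate_scope": Role.CO_OWNER,
    "rename_workspace": Role.OWNER,
    "delete_workspace": Role.OWNER,
}


def can(role: Role, capability: str) -> bool:
    """Allow when the role is at or above the minimum; unknown capabilities fail closed."""
    needed = MIN_ROLE.get(capability)
    return needed is not None and role >= needed


def grantable_roles(granter: Role) -> list:
    """Roles the granter may assign: only if they can manage members at all,
    never above their own role, and never Owner (ownership is transferred separately)."""
    if not can(granter, "manage_members"):
        return []
    return [r for r in Role if r <= granter and r is not Role.OWNER]


def assign_role(granter: Role, target_current: Role, new_role: Role) -> Role:
    """Apply the invite ceiling; the existing Owner's role is never changed this way."""
    if target_current is Role.OWNER:
        raise PermissionError("Owner role is not changed by assignment")
    if new_role not in grantable_roles(granter):
        raise PermissionError(f"{granter.name} cannot grant {new_role.name}")
    return new_role
```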