Platform actors and roles

1. Registry users

1.1. Actors

Each actor is described by its Keycloak realm, the system (realm) roles it holds and, where relevant, the Keycloak user attributes that distinguish it from other actors in the same realm.

Unauthorized users

Anonymous user
  Keycloak realm: -
  System roles: -
  System attributes: -
  Description: Unauthorized user. Has access to the authentication page and public data only.

Service recipients

Person (Citizen)
  Keycloak realm: citizen
  System roles: citizen, plus unregistered-individual (before onboarding) or individual (after onboarding)
  System attributes: SUBJECT_TYPE=INDIVIDUAL
  Description: A person who receives services from an Officer (or from the System). Has access to their own data.

Private Entrepreneur (PE)
  Keycloak realm: citizen
  System roles: citizen, plus unregistered-entrepreneur (before onboarding) or entrepreneur (after onboarding)
  System attributes: REPRESENTATIVE=false, SUBJECT_TYPE=ENTREPRENEUR
  Description: A PE who receives services from an Officer (or from the System). Has access to their own PE data.

PE representative
  Keycloak realm: citizen
  System roles: citizen, plus unregistered-entrepreneur (before onboarding) or entrepreneur (after onboarding)
  System attributes: REPRESENTATIVE=true, SUBJECT_TYPE=ENTREPRENEUR
  Description: A PE representative who receives services from an Officer (or from the System). Has access to the data of the PE they represent.

Legal Entity representative
  Keycloak realm: citizen
  System roles: citizen, plus unregistered-legal (before onboarding) or legal (after onboarding)
  System attributes: REPRESENTATIVE=true, SUBJECT_TYPE=LEGAL
  Description: A Legal Entity representative who receives services from an Officer (or from the System). Has access to the data of the Legal Entity they represent.

Service providers

Person (Officer)
  Keycloak realm: officer
  System roles: unregistered_officer
  System attributes: -
  Description: A person who has registered as an officer but has not yet completed onboarding. Self-registration of officers must be enabled in the Registry configuration.

Officer
  Keycloak realm: officer
  System roles: officer
  System attributes: -
  Description: Service provider who interacts with the Registry through the Platform interface to provide their designated services.

Officer - HR
  Keycloak realm: officer
  System roles: officer, plus a dedicated HR role (still to be implemented)
  System attributes: -
  Description: Manages users via specialized Business Processes for creating and changing users and their roles. Configures roles within their department.

Officer - head of department
  Keycloak realm: officer
  System roles: officer, plus a dedicated head-of-department role (still to be implemented)
  System attributes: -
  Description: Views the dashboard that displays the performance of other officers.

1.2. System roles

All the system roles described below are represented in Keycloak as realm roles.

Citizen realm

citizen: Role given to all service recipients by default.
unregistered-individual: Role given to service recipients who registered in the system but did not complete the onboarding Business Process.
individual: Role given to service recipients who registered in the system and completed the onboarding Business Process.
unregistered-entrepreneur: Role given to PE service recipients who registered in the system but did not complete the onboarding Business Process.
entrepreneur: Role given to PE service recipients who registered in the system and completed the onboarding Business Process.
unregistered-legal: Role given to Legal Entity representatives who registered in the system but did not complete the onboarding Business Process.
legal: Role given to Legal Entity representatives who registered in the system and completed the onboarding Business Process.

Officer realm

unregistered_officer: Role given to service providers who registered in the system but did not complete the onboarding Business Process.
officer: Role given to all service providers by default.
auditor: Gives the officer access to the Redash audit log.

2. External systems

2.1. Actors

External system via the Secure Exchange Gateway
  Keycloak realm: external
  System roles: trembita-invoker
  Description: Automated requests from an external system that arrive via the Secure Exchange Gateway and were not initiated by an internal Process/Subprocess.

External system via REST API
  Keycloak realm: external
  System roles: -
  Description: Automated requests from an external system that arrive via the REST API and were not initiated by an internal Process/Subprocess.

2.2. System roles

All the system roles described below are represented in Keycloak as realm roles.

trembita-invoker: The role under which bp-webservice-gateway accesses bpms and starts Business Processes on requests from an external system via the Secure Exchange Gateway. Call chain:

external system (call process) → trembita → bp-webservice-gateway (trembita-invoker initiates BP) → bpms
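The role, attribute and realm combinations of sections 1.1, 1.2, 2.1 and 2.2 resolved into an actor from decoded Keycloak access-token claims, as an added example that is not part of the Platform's code. It assumes the standard Keycloak claim layout (realm roles under realm_access.roles, an iss claim ending in /realms/<realm>) and that the user attributes SUBJECT_TYPE and REPRESENTATIVE are mapped into the token as claims of the same name (the mapper configuration and the claim names are assumptions). It also treats each unregistered-* role and its onboarded counterpart as mutually exclusive, which is how section 1.2 describes them. The point it adds to the tables is that a role name alone is not an authorization decision: the realm (taken from the issuer, never from a role) and the attributes must agree with it, so a citizen-realm token that merely carries the name trembita-invoker is rejected instead of being treated as an external system.

```python
"""Resolve a Platform actor from decoded Keycloak access-token claims.

Added example, not Platform code. Assumes the standard Keycloak claim layout
(realm roles under realm_access.roles, issuer ending in /realms/<realm>) and
that the user attributes SUBJECT_TYPE and REPRESENTATIVE are mapped into the
token as top-level claims of the same name (assumed mapper configuration).
"""
from dataclasses import dataclass
from typing import Optional

# SUBJECT_TYPE -> (role before onboarding, role after onboarding), section 1.2
ONBOARDING_ROLES = {
    "INDIVIDUAL": ("unregistered-individual", "individual"),
    "ENTREPRENEUR": ("unregistered-entrepreneur", "entrepreneur"),
    "LEGAL": ("unregistered-legal", "legal"),
}


class InconsistentPrincipal(ValueError):
    """Realm, roles and attributes do not match any actor in the tables."""


@dataclass(frozen=True)
class Actor:
    realm: str
    name: str                    # actor name as used in sections 1.1 and 2.1
    onboarded: Optional[bool]    # None for external systems
    audit_access: bool = False   # officer realm: holds the auditor role


def realm_of(claims: dict) -> str:
    """The realm comes from the issuer, never from a role name."""
    iss = claims["iss"].rstrip("/")
    _prefix, sep, realm = iss.rpartition("/realms/")
    if not sep or not realm:
        raise InconsistentPrincipal(f"issuer does not name a realm: {iss!r}")
    return realm


def realm_roles(claims: dict) -> set:
    return set(claims.get("realm_access", {}).get("roles", []))


def onboarding_state(roles: set, pair: tuple) -> bool:
    """Exactly one of the pair must be present (assumed mutual exclusion)."""
    before, after = pair
    if (before in roles) == (after in roles):
        raise InconsistentPrincipal(f"expected exactly one of {before!r}/{after!r}")
    return after in roles


def classify_citizen(claims: dict) -> Actor:
    roles = realm_roles(claims)
    if "citizen" not in roles:
        raise InconsistentPrincipal("citizen realm principal without base role 'citizen'")
    subject_type = claims.get("SUBJECT_TYPE")
    if subject_type not in ONBOARDING_ROLES:
        raise InconsistentPrincipal(f"unknown SUBJECT_TYPE {subject_type!r}")
    representative = str(claims.get("REPRESENTATIVE", "false")).lower() == "true"
    onboarded = onboarding_state(roles, ONBOARDING_ROLES[subject_type])
    if subject_type == "INDIVIDUAL":
        if representative:
            raise InconsistentPrincipal("an individual does not act as a representative")
        name = "Person (Citizen)"
    elif subject_type == "ENTREPRENEUR":
        name = "PE representative" if representative else "Private Entrepreneur (PE)"
    else:  # LEGAL: section 1.1 only defines the representative actor
        if not representative:
            raise InconsistentPrincipal("a legal entity acts only through a representative")
        name = "Legal Entity representative"
    return Actor("citizen", name, onboarded)


def classify_officer(claims: dict) -> Actor:
    roles = realm_roles(claims)
    onboarded = onboarding_state(roles, ("unregistered_officer", "officer"))
    name = "Officer" if onboarded else "Person (Officer)"
    return Actor("officer", name, onboarded, audit_access="auditor" in roles)


def classify_external(claims: dict) -> Actor:
    via_seg = "trembita-invoker" in realm_roles(claims)
    name = "External system via the Secure Exchange Gateway" if via_seg else "External system via REST API"
    return Actor("external", name, None)


CLASSIFIERS = {"citizen": classify_citizen, "officer": classify_officer,
               "external": classify_external}


def classify(claims: dict) -> Actor:
    realm = realm_of(claims)
    if realm not in CLASSIFIERS:
        raise InconsistentPrincipal(f"no actor defined for realm {realm!r}")
    return CLASSIFIERS[realm](claims)


# Constructed sample claims (not real tokens); the issuer host is made up.
ISS = "https://keycloak.example.org/auth/realms/"
PE_REP = {"iss": ISS + "citizen", "realm_access": {"roles": ["citizen", "entrepreneur"]},
          "SUBJECT_TYPE": "ENTREPRENEUR", "REPRESENTATIVE": "true"}
NEW_OFFICER = {"iss": ISS + "officer", "realm_access": {"roles": ["unregistered_officer"]}}
SEG_SYSTEM = {"iss": ISS + "external", "realm_access": {"roles": ["trembita-invoker"]}}
# A citizen-realm token that merely carries the invoker role name must not pass.
SPOOFED = {"iss": ISS + "citizen", "realm_access": {"roles": ["trembita-invoker"]}}

if __name__ == "__main__":
    for sample in (PE_REP, NEW_OFFICER, SEG_SYSTEM):
        print(classify(sample))
```

Every rejection is a hard failure rather than a fallback to a less privileged actor: a token whose roles and attributes disagree is more likely a misconfigured mapper or a tampered principal than a legitimate edge case, and silently downgrading it would hide the problem from the security administrator's audit log.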

3. System administrators

Currently, the variability of administrator actors is not represented physically on the Platform level (as composite roles, etc.), nor are the rules for assigning roles according to role-compatibility and security requirements.

A single Administrator actor is used, with all the system roles listed below assigned to it.

The following list shows the logical correspondence between the service responsibilities of the administrator actors and the system roles the Platform supports. It can be used as a basis for assigning roles, depending on Registry requirements.

3.1. Actors

Regulations developer/modeller
  Keycloak realm: admin
  System roles: gerrit-administrators, camunda-admin, redash-admin, jenkins-users (granted on demand by a Jenkins administrator), nexus-user
  Description: Role for configuring the Registry regulations, namely:
  • Data model creation
  • Description of entities
  • Description of fields, data types and data formats
  • Description of connections (within the Registry and with other Registries)
  • Creation and configuration of Business Processes and UI forms for end users (BPMN)
  • Creation of interactions with other systems/Registries via API (SOAP based)
  • Creation of Business Process roles (user types) and definition of their rights
  • Statistical data processing: dashboards, reports

Regulations administrator
  Keycloak realm: admin
  System roles: gerrit-administrators
  Description: Verifies and confirms changes to the regulations proposed by the developer/modeller.

Registry technical administrator
  Keycloak realms: openshift, admin
  System roles:
  • openshift/cp-registry-mgmt-view (still to be implemented)
  • openshift/grafana-viewer
  • admin/realm-management client roles: view-users, manage-users
  Description:
  • Registry configuration management (number of virtual machines, number of microservice instances, system key change, API configuration without the Secure Exchange Gateway, rate limits)
  • Registry backup and restore
  • Viewing monitoring dashboards for the Registry
  All actions start on the Control Plane. Cannot change the OpenShift configuration directly.

Officer administrator
  Keycloak realm: admin
  System roles:
  • user-management
  • admin/realm-management client roles: view-users, manage-users (these client roles will be replaced by a system role once the administrative portal for managing administrator users is created)
  Description:
  • Grants access to officer users, in bulk via CSV import or one by one via the administrator portal.
  • Changes user attributes and roles.
  • Deactivates users on contract termination or change of access level.

Access administrator
  Keycloak realm: admin
  System roles: realm-management client role realm-admin
  Description: Role for the chief administrator, required to assign the Registry administrator class of roles.

Security administrator
  Keycloak realms: admin, openshift
  System roles:
  • openshift/cp-cluster-mgmt-view (still to be implemented)
  • openshift/grafana-viewer
  • admin/redash-auditor (still to be implemented)
  • admin/realm-management client roles: view-users, manage-users, view-events, manage-events
  Description:
  • Has access to transaction logs, audit logs, technical logs and metrics
  • Views performance and workload dashboards for analysis
  • Blocks/unblocks users, including technical users of other systems (via the Secure Exchange Gateway or API)
  • Has access to the dashboard with the number of officer API requests and requests to Registry Business Processes (and data search)

Data administrator
  Keycloak realm: admin
  System roles: a dedicated role (still to be implemented)
  Description: Performs the initial upload of data to the Registry.

3.2. System roles

All the system roles described below are represented in Keycloak as realm roles of the admin realm. System roles with the "openshift/" prefix are described in section 4.2 (Infrastructure administrators, System roles).

administrator: A composite role that includes:
  • gerrit-administrators
  • jenkins-administrators
camunda-admin: Provides access to the Camunda administrative console.
gerrit-administrators: Provides administrative access to the Gerrit repository.
gerrit-users: Provides user access to the Gerrit repository.
jenkins-administrators: Provides administrative access to Jenkins.
jenkins-users: Provides user access to Jenkins.
nexus-admin: Provides administrative access to the Nexus repository.
nexus-user: Provides user access to the Nexus repository.
realm-admin: Full administrative access to realm management (a role of the realm-management client, see Access administrator above).
redash-admin: Provides access to the Redash administrative portal.
user-management: User management via the administrative portal, including user import from a file.
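Composite-role expansion and a least-privilege check for the admin realm, as an added example that is not Platform code. Section 3 notes that a single Administrator actor currently carries every admin-realm role; this block computes the effective role set that Keycloak places into realm_access.roles for a given assignment (using the administrator composite from 3.2) and compares it with what each actor in 3.1 needs, so that over- and under-granting show up before a role lands in a token. The NEEDED sets are this example's reading of the 3.1 table (admin-realm system roles only; openshift-realm roles and realm-management client roles are left out), and role_representations emits the "composites": {"realm": [...]} layout of a Keycloak realm export; both should be checked against the actual realm configuration.

```python
"""Expand Keycloak composite roles and check an admin-realm assignment
against the responsibilities in section 3.1.

Added example, not Platform code. The composite graph is the one given in
section 3.2; the NEEDED sets are this example's reading of section 3.1
(admin-realm system roles only).
"""

# composite role -> realm roles it directly contains (section 3.2)
COMPOSITES = {
    "administrator": {"gerrit-administrators", "jenkins-administrators"},
}

# admin-realm roles each actor needs according to section 3.1 (assumed reading)
NEEDED = {
    "Regulations developer/modeller": {"gerrit-administrators", "camunda-admin",
                                       "redash-admin", "jenkins-users", "nexus-user"},
    "Regulations administrator": {"gerrit-administrators"},
    "Officer administrator": {"user-management"},
}


def effective_roles(assigned, composites=COMPOSITES):
    """Transitive closure of composite membership; this is what Keycloak puts
    into realm_access.roles, so it is what every consumer actually sees."""
    effective, todo = set(), list(assigned)
    while todo:
        role = todo.pop()
        if role in effective:
            continue          # already expanded; also stops on cycles
        effective.add(role)
        todo.extend(composites.get(role, ()))
    return effective


def excess_roles(actor, assigned, composites=COMPOSITES):
    """Effective roles the actor would hold but does not need."""
    return effective_roles(assigned, composites) - NEEDED[actor]


def missing_roles(actor, assigned, composites=COMPOSITES):
    """Needed roles the assignment does not provide."""
    return NEEDED[actor] - effective_roles(assigned, composites)


def role_representations(composites=COMPOSITES):
    """RoleRepresentation entries in the shape of a Keycloak realm export
    ('composites': {'realm': [...]}), ready for the roles.realm list."""
    return [{"name": name, "composite": True,
             "composites": {"realm": sorted(members)}}
            for name, members in composites.items()]


if __name__ == "__main__":
    # Giving a Regulations administrator the 'administrator' composite instead
    # of the single role they need also hands them Jenkins administration.
    print(excess_roles("Regulations administrator", {"administrator"}))
    print(missing_roles("Regulations developer/modeller", {"administrator"}))
    print(role_representations())
```

Running the check for every actor in NEEDED against the roles actually assigned in the realm is a cheap way to keep the "single Administrator with everything" state from quietly surviving once the dedicated roles the section mentions are implemented.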

4. Infrastructure administrators

4.1. Actors

Platform technical administrator
  Keycloak realm: openshift
  System roles: cp-cluster-mgmt-admin plus membership of the cluster-admins group (a more restricted role still needs to be created)
  Description: The role is required to perform Platform and Registry deployment operations and system updates, and to cooperate with the hardware administrator on resource estimation. It includes:
  • Initial configuration of the Registry Platform
  • Managing compute resources in the data center
  • Adding compute resources to the Platform
  • Testing Platform efficiency
  • Creating deployment scenarios
  • Operating centralized log aggregation, monitoring and notifications: log collection, log storage, dashboard building, notification configuration
  • Operating metrics, performance monitoring and notifications
  • Introducing automation processes

Platform support service (L2)
  Keycloak realm: openshift
  System roles: cp-cluster-mgmt-view (still to be implemented), grafana-viewer
  Description: Monitors technical system metrics and responds to incidents.

Root administrator
  Keycloak realm: openshift
  System roles: cp-cluster-mgmt-admin plus membership of the cluster-admins group
  Description: Full access.

Hosting administrator
  Keycloak realm: -
  System roles: -
  Description: Access to the physical and/or virtual infrastructure.

4.2. System roles

All the system roles described below are represented in Keycloak as realm roles of the openshift realm.

cp-cluster-mgmt-admin: Administrative access to Platform and OKD management.
cp-registry-admin: Administrative access to Registry management via the control-plane and OKD.
cp-registry-reader: Read-only access to the Registry via the control-plane and OKD.
grafana-admin: Access to viewing and configuring Grafana metrics.
grafana-viewer: Access to viewing Grafana metrics.