Role Based Access
Like most software products, Vera uses a role-based access control (RBAC) system: access to a resource is restricted to users holding specific roles. Five roles are defined, centered on two resource-owning entities: the organization and the client.
Organization
The organization is the central entity that owns resources and on whose behalf actions are performed on them. Organization resources fall into the following three categories:
- Management: Organization and access related resources - Organization settings, Organization Memberships and Organization Membership Invitations.
- SSI: SSI related resources - Wallets, Credentials, Identifiers, Credential Acquisitions, Credential Issuances, Verification Requests, Verification Inquiries, Access Rules, Acquisition Rules and Presentation Rules.
- CX: Catena-X related resources - Assets and Data Requests
Users that belong to an organization can have one of the following roles:
Admin
The admin role is the most powerful role in an organization. Admins can perform all actions on all resources owned by the organization. This includes creating and deleting resources, as well as assigning roles to other users.
Member
Members are users that belong to an organization but do not have the full permissions of admins. Members can read and write resources owned by the organization that fall under the SSI and CX categories, but have read-only access to resources in the Management category.
Auditor
Auditors are restricted to read-only access to credentials, and only to credentials in the credential registry (more on this in the Credential Access Restriction section).
Client
The client entity sits above the organization. A client represents a "realm" within which a solution provider that uses Vera on behalf of its customers has management permissions over the organizations created by those customers, plus additional permissions on templates and profiles. In this scope, the affected resources are:
- SSI: Templates and Profiles, plus all organization resources of the organizations created using the client's auth client.
- Management: Client settings (which can affect all organizations under the client), Client Memberships and Client Membership Invitations, used to manage users and user roles within the client realm.
NOTE: Although write operations on profiles and templates are now restricted, these entities are still considered public for the time being and can be read by any authenticated user. This may change in the future.
Client Admin
The client admin role is the most powerful role in a client realm. Client admins can perform read and write operations on all resources owned by the client and by the organizations under it, as well as read and write operations on templates and profiles.
Designer
Designers can only perform read and write operations on templates and profiles.
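The rules above can be read as an authorization decision over (user, action, resource). The following is an added example that models them as a single `can` function, so the scoping rules (member vs. admin on Management, auditor limited to registry credentials, client admin limited to organizations created under their own client, templates and profiles readable by everyone) can be checked against concrete cases. This is illustrative code, not Vera's own implementation; the data classes, role strings and category names used here are assumptions made for the demonstration, with the role and category names taken from the page.

```python
"""Illustrative authorization model for the Vera roles described above.

Added example, not Vera's code: role and category names follow the page,
the data structures and the `can` function are assumptions for the demo.
"""
from dataclasses import dataclass, field
from typing import Dict, Optional

READ, WRITE = "read", "write"

# Organization-owned categories as defined on the page.
ORG_CATEGORIES = ("Management", "SSI", "CX")
# Client-scoped resources (assumed names for the demo).
CLIENT_MANAGEMENT = "ClientManagement"     # client settings, memberships, invitations
TEMPLATES_PROFILES = "TemplatesProfiles"   # templates and profiles


@dataclass
class Organization:
    org_id: str
    client_id: str   # the auth client the organization was created with


@dataclass
class User:
    user_id: str
    org_roles: Dict[str, str] = field(default_factory=dict)     # org_id -> Admin|Member|Auditor
    client_roles: Dict[str, str] = field(default_factory=dict)  # client_id -> ClientAdmin|Designer


@dataclass
class Resource:
    category: str
    org: Optional[Organization] = None   # None for client-scoped resources
    client_id: Optional[str] = None      # owning client for client-scoped resources
    resource_type: str = ""              # e.g. "Credential", "Wallet", "Asset"
    in_registry: bool = False            # credential is stored in the credential registry


def can(user: User, action: str, res: Resource) -> bool:
    """Return True if `user` may perform `action` on `res` under the documented roles."""
    # Templates and profiles: public read for any authenticated user,
    # write only for client admins and designers of the owning client.
    if res.category == TEMPLATES_PROFILES:
        if action == READ:
            return True
        return user.client_roles.get(res.client_id) in ("ClientAdmin", "Designer")

    # Client settings/memberships/invitations: client admin only.
    if res.category == CLIENT_MANAGEMENT:
        return user.client_roles.get(res.client_id) == "ClientAdmin"

    # Everything else is organization-owned.
    org = res.org
    if org is None or res.category not in ORG_CATEGORIES:
        return False

    # A client admin has full access to organizations created under *their* client only.
    if user.client_roles.get(org.client_id) == "ClientAdmin":
        return True

    role = user.org_roles.get(org.org_id)
    if role == "Admin":
        return True
    if role == "Member":
        # Read/write on SSI and CX, read-only on Management.
        if res.category == "Management":
            return action == READ
        return True
    if role == "Auditor":
        # Read-only, credentials only, and only from the credential registry.
        return (action == READ and res.category == "SSI"
                and res.resource_type == "Credential" and res.in_registry)
    return False
```

Designers deliberately fall through to the organization-role check for organization-owned resources, so a designer with no organization membership gets no access there, matching the "only templates and profiles" rule.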
Organization Membership Management
Organization membership is managed by the organization admin: they invite users to the organization, assign them roles, and can remove users from the organization.
Inviting a user to an organization is done by creating a membership invitation:
POST {{host}}/organization-memberships/invitations?organizationId={{organizationId}}
DATA
{
"email": "<string - email of the user to be invited>",
"role": "<enum: Admin, Member, Auditor - role to be assigned to the user>"
}
The response contains the created invitation, including its id; the invited user accepts it by claiming it:
GET {{host}}/organization-memberships/invitations/{{invitationId}}/claim
When an invitation is claimed, an organization membership is created for the user, effectively adding them to the organization with the role specified in the invitation. Organization memberships can be updated and deleted by the organization admin.
NOTE: The invitation link can only be claimed by a user authenticated with the email address that was used to create the invitation.
NOTE: The invitation link is only valid for 24 hours.
NOTE: The invitation link can be discarded by the organization admin at any time:
PUT {{host}}/organization-memberships/invitations/{{invitationId}}/discard
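The create, claim and discard steps above, together with the three notes, describe an invitation lifecycle with several failure modes (non-admin inviter, invalid role, wrong email, expired link, discarded link, double claim). The following added example models that lifecycle in memory so each check can be exercised. It is illustrative code, not Vera's implementation: the endpoint semantics are taken from the page, while the `Directory` store, the use of the email address as user identity, the `at()` clock helper and the status values are assumptions made for the demonstration.

```python
"""Illustrative model of the organization-membership invitation flow
(create, claim, discard). Added example, not Vera's code: endpoint
behaviour follows the page; the in-memory store, email-as-identity,
the `at()` clock helper and the status strings are assumptions.
"""
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import Dict
import uuid

ROLES = ("Admin", "Member", "Auditor")   # enum accepted by the invitation "role" field
INVITATION_TTL = timedelta(hours=24)     # invitation link validity from the page
EPOCH = datetime(2024, 1, 1, tzinfo=timezone.utc)  # constructed reference time for the demo


def at(hours: float) -> datetime:
    """Clock helper: a fixed point in time, `hours` after EPOCH (demo only)."""
    return EPOCH + timedelta(hours=hours)


@dataclass
class Invitation:
    invitation_id: str
    organization_id: str
    email: str            # normalised (lower-cased) invitee address
    role: str
    created_at: datetime
    status: str = "pending"   # pending | claimed | discarded


@dataclass
class Directory:
    # organization_id -> {email: role}; users are identified by email here.
    memberships: Dict[str, Dict[str, str]] = field(default_factory=dict)
    invitations: Dict[str, Invitation] = field(default_factory=dict)

    def is_org_admin(self, email: str, organization_id: str) -> bool:
        return self.memberships.get(organization_id, {}).get(email.lower()) == "Admin"

    # POST {{host}}/organization-memberships/invitations?organizationId=...
    def create_invitation(self, actor: str, organization_id: str,
                          email: str, role: str, now: datetime) -> Invitation:
        if not self.is_org_admin(actor, organization_id):
            raise PermissionError("only an organization admin can invite users")
        if role not in ROLES:
            raise ValueError(f"role must be one of {ROLES}")
        inv = Invitation(str(uuid.uuid4()), organization_id, email.lower(), role, now)
        self.invitations[inv.invitation_id] = inv
        return inv

    # GET {{host}}/organization-memberships/invitations/{id}/claim
    def claim_invitation(self, invitation_id: str, authenticated_email: str,
                         now: datetime) -> str:
        inv = self.invitations.get(invitation_id)
        if inv is None or inv.status != "pending":
            raise LookupError("invitation not found or no longer claimable")
        if now - inv.created_at > INVITATION_TTL:
            raise TimeoutError("invitation link expired (24 hours)")
        if authenticated_email.lower() != inv.email:
            raise PermissionError("invitation is bound to a different email address")
        inv.status = "claimed"
        self.memberships.setdefault(inv.organization_id, {})[inv.email] = inv.role
        return inv.role

    # PUT {{host}}/organization-memberships/invitations/{id}/discard
    def discard_invitation(self, actor: str, invitation_id: str) -> str:
        inv = self.invitations.get(invitation_id)
        if inv is None:
            raise LookupError("unknown invitation")
        if not self.is_org_admin(actor, inv.organization_id):
            raise PermissionError("only an organization admin can discard an invitation")
        inv.status = "discarded"   # a membership already created by a claim is unaffected
        return inv.status


def outcome(fn, *args) -> str:
    """Run fn(*args) and report 'ok' or the name of the exception raised."""
    try:
        fn(*args)
        return "ok"
    except Exception as exc:
        return type(exc).__name__
```

Note that the claim check compares against the authenticated identity, not against anything supplied in the request, and that a claimed invitation cannot be claimed again; both are what the page's notes require of the real endpoint.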