Fixed Roles
This document defines the fixed role names recognized by Floecat and the permissions each role grants.
Source of truth: service/src/main/java/ai/floedb/floecat/service/security/RolePermissions.java.
Role Matrix
| Role name | Purpose | Granted permissions |
|---|---|---|
| `default` | Baseline read-only tenant access. Used when no roles are provided in normal (`oidc`) mode. | `account.read`, `catalog.read`, `namespace.read`, `table.read`, `view.read` |
| `administrator` | Full tenant-scoped administration of metadata and connectors. | `account.read`, `catalog.read`, `catalog.write`, `namespace.read`, `namespace.write`, `table.read`, `table.write`, `view.read`, `view.write`, `connector.manage`, `system-objects.read`, `account.delete` |
| `developer` | Development-role equivalent of `administrator`. | `account.read`, `catalog.read`, `catalog.write`, `namespace.read`, `namespace.write`, `table.read`, `table.write`, `view.read`, `view.write`, `connector.manage`, `system-objects.read`, `account.delete` |
| `platform-admin` (or the configured value of `floecat.auth.platform-admin.role`) | Platform-level account management role from the IdP. | `account.read`, `account.write`, `account.delete` |
| `init-account` | Bootstrap role used to initialize an account and its initial resources. | `account.write`, `catalog.read`, `catalog.write`, `namespace.read`, `namespace.write`, `connector.create` |
| `delete-account` | Narrow internal role used to trigger account teardown. Floecat performs the implied cleanup internally. | `account.delete` |
| `system-objects` | Minimal role for `SystemObjects`/`GetSystemObjects` access. | `system-objects.read` |
Behavior Notes
- Role comparison is case-insensitive.
- Unknown roles are ignored.
- If no effective roles are present:
  - `oidc` mode falls back to `default`.
  - `dev` mode falls back to `developer`.
- In `dev` mode, `account.write` is always added.
- `init-account` also bypasses strict account existence validation during inbound context building.
- `account.delete` is the dedicated destructive permission for account teardown. It is intentionally separate from the broad catalog/table/connector management permissions.
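The role matrix and behavior notes above, modelled as an added, stand-alone Python example (this is not Floecat's `RolePermissions.java`; the function names, the `platform_admin_role` parameter, and the reading that "effective roles" means the recognized roles left after unknown ones are dropped, are assumptions):

```python
from typing import FrozenSet, Iterable

# Role name -> granted permissions, copied from the role matrix on this page.
_ADMIN = {"account.read", "catalog.read", "catalog.write", "namespace.read",
          "namespace.write", "table.read", "table.write", "view.read",
          "view.write", "connector.manage", "system-objects.read", "account.delete"}
ROLE_PERMISSIONS = {
    "default": {"account.read", "catalog.read", "namespace.read", "table.read", "view.read"},
    "administrator": set(_ADMIN),
    "developer": set(_ADMIN),          # development-role equivalent of administrator
    "platform-admin": {"account.read", "account.write", "account.delete"},
    "init-account": {"account.write", "catalog.read", "catalog.write",
                     "namespace.read", "namespace.write", "connector.create"},
    "delete-account": {"account.delete"},
    "system-objects": {"system-objects.read"},
}


def effective_roles(roles: Iterable[str], platform_admin_role: str = "platform-admin") -> FrozenSet[str]:
    """Case-insensitive role matching; unknown roles are ignored.
    The configured platform-admin role name (assumed parameter) maps onto the
    fixed 'platform-admin' role."""
    out = set()
    for raw in roles:
        name = raw.strip().lower()
        if name == platform_admin_role.lower():
            name = "platform-admin"
        if name in ROLE_PERMISSIONS:
            out.add(name)
    return frozenset(out)


def resolve_permissions(roles: Iterable[str], mode: str = "oidc",
                        platform_admin_role: str = "platform-admin") -> FrozenSet[str]:
    """Union of the permissions granted by the effective roles, with the
    per-mode fallback and the dev-mode account.write addition applied."""
    if mode not in ("oidc", "dev"):
        raise ValueError(f"unknown mode: {mode}")
    effective = effective_roles(roles, platform_admin_role)
    if not effective:  # no effective roles: fall back per mode
        effective = frozenset({"default"}) if mode == "oidc" else frozenset({"developer"})
    perms = set().union(*(ROLE_PERMISSIONS[r] for r in effective))
    if mode == "dev":  # dev mode always adds account.write
        perms.add("account.write")
    return frozenset(perms)
```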