Key user personas and roles
This section describes different user personas and roles in PaCE. These personas are defined with the application where PaCE is being used.
All roles except the super administrator role must be assigned to a calling service or application where PaCE is being used. The assigned calling service defines the scope for the user role.
| Role | High-level Permissions | Persona |
|---|---|---|
| sn_pace.execution_reader | A read-only user with view-only access. This user can view policies, categories, and executions. | Policy user, internal auditor |
| sn_pace.code_reader | Can review PaCE versions, policy code, and run tests. | Internal auditor |
| sn_pace.code_editor | This user has all the sn_pace.code_reader permissions plus the ability to create PaCE policy versions. | Policy developer |
| sn_pace.policy_reader | This user has all the sn_pace.code_reader permissions plus the ability to review policy details and mapping information. | Policy user, internal auditor |
| sn_pace.policy_editor | This user has all the sn_pace.policy_reader and sn_pace.code_editor permissions plus the ability to create policies and mappings. | Policy developer |
| sn_pace.mapping_admin | This user can map policies and edit config parameters for policy mappings. | Mapping admin |
| sn_pace.admin | This user has the permissions of all the other roles plus the ability to create categories, policies, mappings, and code. | Policy admin |
| sn_pace.super_admin | This user has all the sn_pace.admin role permissions across all calling services. | Not applicable |
| Maint role | Internal user who can create default content. | Not applicable |