Role Matrix
This page consolidates the role vocabulary used across services and how roles map between services.
Status: INTERIM (AS-BUILT roles enforced today; target expansions noted below).
Where roles come from
- Human sessions: roles are resolved via OFM `member/resolve` for the caller's org.
- Service-account API keys: roles are attached to the service account in USM and are validated via `POST /usm/api_key/validate` by downstream services.
- Owners: an owner is a privileged flag in OFM (owners are also members). Owner access is implicit across org-scoped services.
Canonical role catalog (AS-BUILT enforcement)
These are the role names enforced in code today.
| Service | Canonical roles (non-exhaustive) |
|---|---|
| UAS | uas_operator (internal only) |
| USM | usm_operator (internal only), service_account_admin |
| OFM | ofm_owner, ofm_member_admin, ofm_team_admin, ofm_channel_admin |
| MRS | mrs_reader, mrs_writer, mrs_operator (internal only) |
| PVM | pvm_view, pvm_edit, pvm_supplier_admin, pvm_approve |
| PMC | pmc_view, pmc_publish |
| ICS | ics_view, ics_operator, ics_planner, ics_transfer_approve, ics_adjust, ics_count, ics_cost_admin |
| SCM | scm_view, scm_order, scm_fulfillment, scm_returns, scm_credit, scm_discount_approve, scm_special_order_approve, scm_backorder_approve |
| PCM | pcm_view, pcm_buyer, pcm_po_approve, pcm_consignment |
| PPM | ppm_view, ppm_price_admin, ppm_promo_admin, ppm_approver, ppm_admin, ppm_approve, ppm_analyst |
| CRM/Loyalty | crm_view, crm_manage, crm_privacy_admin, crm_edit, loyalty_admin, giftcard_admin |
| Influencer | inf_view, inf_manage, inf_campaign_admin, inf_finance |
| Accounting | acct_view, acct_export_admin, ar_admin, commission_admin |
| IPM | integration_view, integration_admin |
| RBS | rbs_view, rbs_admin |
| UTL | utl_offboarding_admin, utl_export_admin |
| OPS | (no roles — secret-code and session auth) |
| UCP | ucp_admin |
| SLC | slc_view, slc_manage |
Cross-service roles:
- cost_view (facility-scoped cost visibility in ICS)
- finance_audit (org-wide audit and cost visibility) — grants read access across ICS, SCM, PCM, PPM, CRM, Influencer, and Accounting
Legacy role aliases (implemented services)
Legacy roles remain valid where noted, but SDKs and docs should use canonical names.
| Legacy role | Canonical role | Notes |
|---|---|---|
| pvv | pvm_view | Read + comment-only in PVM; accepted by PMC as pmc_view. |
| pma | pvm_edit | Accepted by PMC as pmc_publish and pmc_view. |
| vca | pvm_supplier_admin | Supplier/vendor mutations in PVM. |
Cross-service role mapping (high-level)
| Role | PVM (Product & Vendor) | PMC (Publish Control) | OFM (Org & Facility) |
|---|---|---|---|
| owner | Full access (all reads/writes) | Full access (pmc_view + pmc_publish) | Org governance + full access |
| pma (Product Model Admin) | Product model + taxonomy + brand + style + variant mutations | Publish rights (pmc_publish) + read | Member (non-owner) unless elevated |
| vca (Vendor Contract Admin) | Vendor/manufacturer mutations | Read-only (pmc_view via member role if granted) | Member (non-owner) unless elevated |
| pvv (Product & Vendor Viewer) | Read + comment-only | Read-only (pmc_view) | Member (non-owner) unless elevated |
| pmc_view | N/A | PMC reads (get/list/search/revision) | N/A |
| pmc_publish | N/A | PMC writes (publish runs, pointer/online control) | N/A |
Notes:
- PMC accepts pvv and pma as synonyms for `pmc_view`, and pma as a synonym for `pmc_publish` (owner implied).
- PVM write gating is split: VCA handles supplier ops; PMA handles non-supplier mutations; PVV is read/comment-only.
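The alias table and the PMC/PVM notes above can be read as a single resolution rule. The following is an added example, not the project's own code: it canonicalizes legacy role strings, derives the PMC roles a caller effectively holds (including the pvv/pma synonyms and the owner implication), and applies the split PVM write gating. The `mutation_kind` labels (`supplier`, `comment`, anything else for non-supplier mutations), treating both `owner` and `ofm_owner` as the owner flag, and letting the PVM write roles comment as well are assumptions made for the example.

```python
# Added example (not the project's own code): effective PVM/PMC access from the
# role strings on this page. mutation_kind labels and the owner spellings are
# assumptions.

# Legacy -> canonical aliases from the "Legacy role aliases" table.
LEGACY_ALIASES = {
    "pvv": "pvm_view",
    "pma": "pvm_edit",
    "vca": "pvm_supplier_admin",
}

# Assumption: both the service-account spelling and the OFM catalog spelling
# denote the owner flag.
OWNER_ROLES = {"owner", "ofm_owner"}

# PMC synonym rule: pvv (pvm_view) is accepted as pmc_view; pma (pvm_edit) is
# accepted as pmc_view and pmc_publish. vca grants nothing in PMC by itself.
PMC_SYNONYMS = {
    "pvm_view": {"pmc_view"},
    "pvm_edit": {"pmc_view", "pmc_publish"},
}

PVM_ROLES = {"pvm_view", "pvm_edit", "pvm_supplier_admin"}


def canonicalize(roles):
    """Map legacy names to canonical ones; unknown strings pass through unchanged."""
    return {LEGACY_ALIASES.get(r, r) for r in roles}


def is_owner(canon_roles):
    return bool(canon_roles & OWNER_ROLES)


def effective_pmc_roles(roles):
    """PMC roles a caller effectively holds, after aliases and synonyms."""
    canon = canonicalize(roles)
    if is_owner(canon):
        return {"pmc_view", "pmc_publish"}  # owner implied
    effective = {r for r in canon if r in ("pmc_view", "pmc_publish")}
    for r in canon:
        effective |= PMC_SYNONYMS.get(r, set())
    return effective


def pvm_write_allowed(roles, mutation_kind):
    """Split PVM write gating.

    'supplier' mutations need pvm_supplier_admin (VCA); 'comment' is allowed
    for pvm_view (PVV is read/comment-only; assumption: the write roles may
    comment too); every other mutation needs pvm_edit (PMA). Owners pass.
    """
    canon = canonicalize(roles)
    if is_owner(canon):
        return True
    if mutation_kind == "comment":
        return bool(canon & PVM_ROLES)
    if mutation_kind == "supplier":
        return "pvm_supplier_admin" in canon
    return "pvm_edit" in canon


if __name__ == "__main__":
    for roles in (["pvv"], ["pma"], ["vca"], ["owner"]):
        print(roles, "->", sorted(effective_pmc_roles(roles)),
              "supplier write:", pvm_write_allowed(roles, "supplier"),
              "taxonomy write:", pvm_write_allowed(roles, "taxonomy"))
```

Note that `vca` deliberately yields no PMC role: per the mapping table a Vendor Contract Admin only reads PMC if `pmc_view` was granted through the member role, so it must not be inferred from `vca` alone.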
Scope and gating quick reference
Business-level view of where org, facility, and channel context is required.
| Service / Domain | Primary scope | Facility scoped? | Channel context? | Notes |
|---|---|---|---|---|
| UAS | Global identity | No | No | Operator-only actions; public stat uses credential check. |
| USM | Global sessions + org-bound API keys | No | No | API keys are org-scoped; downstream services enforce org status. |
| OFM | Org + facility | Yes | Yes (sales channels) | Defines org status, membership, and facility spine. |
| MRS | Org | Optional | Optional | Payload storage; org membership gating applies. |
| PVM | Org | No | Optional | Master product model; no facility writes. |
| PMC | Org | Yes (logical identity) | Yes | Published sellability per channel + logical facility. |
| ICS | Facility + org policy | Yes | Yes | Real-time stock and warehouse operations. |
| SCM | Facility | Yes | Yes (sales channel) | Orders reference sales-channel carts. |
| PCM | Facility | Yes | Yes (procurement channel) | Procurement worksheets drive POs. |
| PPM | Org with facility/channel overrides | Yes (overrides) | Yes | Temporal pricing and promotions. |
| CRM/Loyalty | Org | Optional | Optional | Customer and loyalty ledgers with context capture. |
| Influencer/Affiliate | Org | No | Yes | Attribution and earnings by channel. |
| Accounting/ERP | Org | Uses facility/channel dimensions | Yes | Exportable financial event views. |
| RBS | Org | No | Optional | Owner-only event subscriptions delivered to customer SQS queues. |
| External Master Data | Global reference plane | No | No | Operator-only direct Lambda + CLI access. |
See /common/request-context.html for the cross-service request context.
Planned roles (target expansions)
Status: TARGET (not enforced in code today; business-only).
- SCM: scm_tender_admin, scm_price_override (granular roles; current enforcement uses scm_order/scm_discount_approve/etc).
- PCM: pcm_receiver, pcm_match, pcm_vendor_admin, pcm_rtv (granular roles; current enforcement uses pcm_buyer/pcm_po_approve/pcm_consignment).
- Accounting: acct_reconcile (target for reconcile-only access; current enforcement uses acct_export_admin/finance_audit).
Owner-only mutations (examples)
These are representative categories; see each service surface for exact endpoints:
- OFM governance: org status changes, owner primary/secondary changes, member invitations/revokes, and service-account logical assignments.
- Facility lifecycle: dooming org-scoped records and facility-scoped resources (zones/facilities) is owner-only.
- Sales channel activation/dooming: publishing a draft channel or dooming an active channel is owner-only.
Facility-scoped delegation (OFM)
Some operations are facility-scoped and require an explicit logical assignment + facility grant for non-owners.
- Owners: implicit access across all logical facilities.
- Members: require a `member <-> logical` assignment for facility-scoped writes.
- Service-account API keys: require a `service_account <-> logical` assignment for facility-scoped writes unless the API key has the owner role.
- Delegable surfaces (examples): zones, logical-scoped teams, sales-channel drafts/config updates. Activation/dooming remains owner-only.
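The owner-only categories and the delegation rules above combine into one gate: owners pass implicitly, owner-only operations never delegate, and delegable facility-scoped writes need an explicit logical assignment for members and service accounts alike. The following is an added example, not the project's own code; the `Principal` shape, the operation names in `OWNER_ONLY` and `DELEGABLE`, and the in-memory assignment set are assumptions chosen to illustrate the rules (the real assignments live in OFM).

```python
# Added example (not the project's own code): gating for facility-scoped
# operations. Principal shape, operation names and the assignment store are
# assumptions.
from dataclasses import dataclass, field

# Owner-only mutations listed on this page (names are illustrative).
OWNER_ONLY = {
    "org.status.change",
    "org.owner.change",
    "member.invite",
    "member.revoke",
    "service_account.logical.assign",
    "facility.doom",
    "zone.doom",
    "channel.activate",
    "channel.doom",
}

# Delegable facility-scoped surfaces: zones, logical-scoped teams,
# sales-channel drafts/config updates.
DELEGABLE = {"zone.update", "team.update", "channel.draft.update"}


@dataclass
class Principal:
    kind: str                   # "member" or "service_account"
    orgcode: str
    is_owner: bool = False      # OFM owner flag, or owner role on an API key
    logical_assignments: set = field(default_factory=set)  # logical facility ids


def authorize(principal, orgcode, logical_id, operation):
    """Return (allowed, reason) for a facility-scoped operation."""
    # Org binding first: every downstream service verifies the orgcode.
    if principal.orgcode != orgcode:
        return False, "org mismatch"
    # Owners have implicit access across all logical facilities.
    if principal.is_owner:
        return True, "owner implicit"
    # Activation/dooming and governance never delegate to non-owners.
    if operation in OWNER_ONLY:
        return False, "owner-only"
    # Anything not explicitly delegable is denied by default.
    if operation not in DELEGABLE:
        return False, "not a delegable surface"
    # Non-owners need a member/service_account <-> logical assignment.
    if logical_id not in principal.logical_assignments:
        return False, f"no {principal.kind} <-> logical assignment for {logical_id}"
    return True, "delegated via logical assignment"


if __name__ == "__main__":
    member = Principal("member", "ORG1", logical_assignments={"LOG-A"})
    for op in ("zone.update", "channel.activate"):
        print(op, authorize(member, "ORG1", "LOG-A", op))
```

The deny-by-default branch matters: a new facility-scoped endpoint that is not added to `DELEGABLE` stays owner-only until someone decides otherwise, which is the safer failure mode for a delegation model.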
API key role usage (service accounts)
- API keys are org-bound. Downstream services verify the orgcode on each request.
- Role strings are canonicalized to `pvv | pma | vca | owner` for service accounts.
- Unknown roles are rejected at create time in USM.
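Two checks follow from the bullets above: an allowlist at key-creation time in USM, and an org check on every downstream request. The following is an added example, not the project's own code or the USM API. It assumes that the canonical PVM/OFM names may also be submitted and are stored in the short form, that the validate endpoint's response can be modelled as a dict with `valid`, `orgcode`, `org_status` and `roles` keys, and that `"active"` is the org status that permits requests; none of those field names or values are confirmed by this page.

```python
# Added example (not the project's own code): service-account role allowlist at
# create time and the per-request org binding check. The validate-response
# shape, the "active" status value and helper names are assumptions.

# Service-account role strings are stored in this canonical short form.
SERVICE_ACCOUNT_ROLES = {"pvv", "pma", "vca", "owner"}

# Assumption: long-form names are accepted on input and normalized to short form.
TO_SHORT = {
    "pvm_view": "pvv",
    "pvm_edit": "pma",
    "pvm_supplier_admin": "vca",
    "ofm_owner": "owner",
}


class RoleError(ValueError):
    """Raised at create time when a role string is not in the allowlist."""


def canonicalize_api_key_roles(roles):
    """Normalize role strings for a service account; reject anything unknown."""
    accepted, unknown = set(), []
    for r in roles:
        short = TO_SHORT.get(r, r)
        if short in SERVICE_ACCOUNT_ROLES:
            accepted.add(short)
        else:
            unknown.append(r)
    if unknown:
        # Whole request fails: no partial key with a silently dropped role.
        raise RoleError(f"unknown roles: {sorted(unknown)}")
    return accepted


def is_valid_role_set(roles):
    try:
        canonicalize_api_key_roles(roles)
        return True
    except RoleError:
        return False


def check_request(validate_response, request_orgcode):
    """Downstream check after POST /usm/api_key/validate (response shape assumed)."""
    if not validate_response.get("valid"):
        return False, "invalid key"
    # API keys are org-bound: the key's org must match the request's org.
    if validate_response.get("orgcode") != request_orgcode:
        return False, "org mismatch"
    # Downstream services enforce org status ("active" is an assumed value).
    if validate_response.get("org_status") != "active":
        return False, "org not active"
    roles = set(validate_response.get("roles", []))
    # Defence in depth: only the canonical short-form roles are honoured here.
    if not roles <= SERVICE_ACCOUNT_ROLES:
        return False, "non-canonical role on key"
    return True, "ok"


if __name__ == "__main__":
    print(canonicalize_api_key_roles(["pvv", "pvm_edit"]))
    # Constructed validate response for illustration.
    resp = {"valid": True, "orgcode": "ORG1", "org_status": "active", "roles": ["pma"]}
    print(check_request(resp, "ORG1"), check_request(resp, "ORG2"))
```

Rejecting the whole create request on any unknown role, rather than dropping the bad entry, keeps a typo from producing a key with fewer rights than the operator believes it has.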
See also:
- /common/member-access-roles.html for detailed role explanations with examples.
- /common/troubleshooting.html for 404 anti-enumeration behavior.
- /common/minimum-viable-flow.html for a full end-to-end example.