Roles

A role is a named bundle of Permissions. Users are assigned one or more roles; their effective permissions are the union of every role they hold.

Roles are the primary unit of authorization in GeoHazardWatch. The per-page rules (Page Private, Author Lock, Page Audience, access) act as overrides on top of the role-based defaults supplied by the global access policies.

Live Role Catalog

The table below is rendered from the live configuration at view time — it reflects the roles configured on this instance right now, not a hand-maintained list.

Reading the Table

• Role Name — the lowercase identifier used in code, configuration, and the audience / access frontmatter fields
• Display Name — how the role appears in admin UI
• Description — short summary of what the role is for
• Type — System roles are defined by GeoHazardWatch itself and cannot be removed; Custom roles are operator-defined
• Icon — the icon used wherever the role is rendered in the UI

How Roles Connect to Permissions

Each role lists a set of Permissions it grants. The mapping is defined in two places, both in the application configuration:

• ngdpbase.roles.definitions.<role>.permissions — the inline list on each role definition
• ngdpbase.access.policies — the global access policies that grant each role its permissions on the page:* resource

When evaluating whether a user may perform an action on a page, the access-control flow is:

1. Tier 0 — if the page is marked Private (private: true), only the page creator and admins are allowed; everything below is ignored. See Page Private.
2. Tier 1 — if the page has a per-page override (audience or access), use it. See Page Audience.
3. Tier 2 — fall back to the role-based global access policies (the catalog above).

See Also

• Permissions — the catalog of action keys roles can grant
• Page Private — strongest per-page override (Tier 0)
• Page Audience — per-page view-access override (Tier 1)
• Author Lock — per-page edit restriction