
User Roles and Access Control

Role-Based Access Control (RBAC) is a foundational security principle in Raidiam Connect ecosystems, ensuring users always have the right permissions for their tasks. RBAC helps minimize the risk of unauthorized access and data misuse while supporting streamlined user management, operational security, and regulatory compliance.

By leveraging RBAC alongside default Organisation Administrators and Domain Users, platform owners are able to organize data and application access, enforce governance, and maintain a compliant, well-audited environment.

  • All organization administrators receive an e-mail whenever their own role or another user's role assignment changes, providing transparency for role management and enhanced security monitoring.

  • Every ecosystem or federation includes several built-in Domain User roles, such as Primary Technical Contact (PTC) and Primary Business Contact (PBC). These roles enable privileged access to the directory, authorization server registration, API publishing, software statement assertion requests, and broader platform interactions.

  • Additional roles may be available, depending on the specific Trust Framework and its configuration, as managed by your Trust Framework Administrator. The scope of access and available operations for these roles are determined by ecosystem policy.

  • Certain roles exist strictly for Single Sign-On use cases. These allow users managed in Connect to authenticate on integrated external platforms using their Connect account.

User access in Raidiam Connect is organized around clearly-defined human user roles, each with separately-scoped responsibilities and platform capabilities. This section provides a narrative and context for each role individually.

Info: Every role described below is subject to the platform's RBAC enforcement, audit logging, and policy controls. Role assignments and changes are always communicated to super users/organization administrators, ensuring visibility and accountability throughout the ecosystem.

Super Users (Global Administrators)

Super Users, sometimes called Global Administrators, hold comprehensive control over the entire platform. Their authority spans all organizations, users, and system configurations.

  • Super Users are responsible for managing and maintaining the platform, overseeing its operational stability and security, and ensuring optimal functionality for all participants.

  • They can make critical decisions and adjustments, and respond rapidly to incidents across the ecosystem.

  • Only Super Users are able to create organizations, onboard initial administrators, change reference data, and update the platform’s most sensitive system-wide controls.

  • Their actions are heavily audited, and all impacted admins are notified of any change to the Super User roster to ensure transparency and trust.

→ Manage Super Users. Add, update, or remove users managing Raidiam Connect.

Data Administrators

The Data Administrator role exists within the ecosystem or federation and acts on behalf of the Trust Framework Administrator organization.

  • Data Administrators are responsible for managing organization-related data—handling onboarding, updating organization profiles, and lifecycle operations for participating entities.

  • Unlike Super Users, Data Administrators do not control Reference Data (which is restricted to Super Users only).

  • Data Administrators are provisioned by Super Users, either via the administration UI or API endpoints, and their actions are logged for compliance.

  • They are essential for maintaining up-to-date organization records in large federations.

→ Learn how to add and manage Data Administrators.

Organisation Administrators

Organisation Administrators hold the highest authority within their own organization. Their role is pivotal for local governance and operations.

  • Organisation Administrators can create and update organizational resources, onboard other admins, and manage the full spectrum of domain user roles configured in their company directory.

  • They are responsible for maintaining accurate user rosters, enforcing least-privilege assignment, and aligning user access with organizational policy.

  • When Single Sign-On (SSO) is enabled, the OpenID Client can verify, at user consent during the OAuth flow, whether an individual is an Organisation Administrator and document which organizations they administer (OrgAccessDetails with OrgAdmin=true).

  • All Organisation Admin role changes result in automatic email notifications for transparency and compliance within the org.

→ Delegate Organization Administration and manage Org Admins.

Domain Users

Domain Users support key operational and technical functions within the directory, representing granular, scoped permissions distinct from Organisation Administrators. (These are sometimes referred to as Technical Users, depending on the ecosystem configuration.)

  • Domain Users are assigned specific contact roles and scopes—commonly as Primary Technical Contact (PTC) or Primary Business Contact (PBC)—allowing access to functions like API registration, software statement issuance, or service desk integration.

  • Not all Domain Users will have direct privileges in the Connect directory. Some may only possess access scopes for external SSO-enabled platforms interfacing with the directory.

  • SSO-enabled ecosystems let the OpenID Client verify which organizations a Domain User is affiliated with by referencing OrgAccessDetails/DomainRoleDetails, specifying role type (ContactRole) and system (System).

  • For example, a Service Desk contact can be provisioned in the directory solely to be authorized on an external platform, without explicit directory-level permissions.
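The two SSO checks described above (an Organisation Administrator test via OrgAccessDetails with OrgAdmin=true, and a Domain User affiliation lookup via DomainRoleDetails with ContactRole and System) are shown here as an added example of what an OpenID Client could do with the claims at consent time. This is not Raidiam's code or published schema: the claim names come from this page, but the nesting of DomainRoleDetails inside each OrgAccessDetails entry, the key OrganisationId, and the sample values are assumptions constructed for the example.

```python
"""Added example: evaluating the SSO claims described on this page.

Assumed layout (not Raidiam's published schema):
  OrgAccessDetails: [ { OrganisationId, OrgAdmin, DomainRoleDetails: [ { ContactRole, System } ] } ]
"""
from __future__ import annotations

from typing import Any

# Constructed sample claims for one user. Entry 3 is deliberately malformed
# (a string "true" where a JSON boolean is expected) to show strict handling.
SAMPLE_CLAIMS: dict[str, Any] = {
    "sub": "user-0001",  # constructed subject identifier
    "OrgAccessDetails": [
        {
            "OrganisationId": "org-alpha",  # assumed key name
            "OrgAdmin": True,
            "DomainRoleDetails": [{"ContactRole": "PTC", "System": "Connect"}],
        },
        {
            "OrganisationId": "org-beta",
            "OrgAdmin": False,
            "DomainRoleDetails": [
                {"ContactRole": "ServiceDesk", "System": "ServiceDeskPortal"}
            ],
        },
        {
            "OrganisationId": "org-gamma",
            "OrgAdmin": "true",  # malformed: must not count as an admin grant
            "DomainRoleDetails": [],
        },
    ],
}


def org_access_entries(claims: dict[str, Any]) -> list[dict[str, Any]]:
    """Return the OrgAccessDetails list, tolerating a missing or malformed claim."""
    entries = claims.get("OrgAccessDetails")
    if not isinstance(entries, list):
        return []
    return [e for e in entries if isinstance(e, dict)]


def administered_orgs(claims: dict[str, Any]) -> list[str]:
    """Organisations in which the user is an Organisation Administrator.

    Only a JSON boolean true is accepted: a loosely typed "true" string or
    any truthy non-boolean value is rejected rather than treated as a grant.
    """
    return [
        str(e["OrganisationId"])
        for e in org_access_entries(claims)
        if e.get("OrgAdmin") is True and e.get("OrganisationId")
    ]


def domain_affiliations(
    claims: dict[str, Any],
    contact_role: str | None = None,
    system: str | None = None,
) -> list[tuple[str, str, str]]:
    """(organisation, ContactRole, System) triples, optionally filtered.

    Used to answer "which organisations is this Domain User affiliated
    with, in which role, for which system?" without consulting the directory.
    """
    out: list[tuple[str, str, str]] = []
    for e in org_access_entries(claims):
        org = e.get("OrganisationId")
        roles = e.get("DomainRoleDetails")
        if not org or not isinstance(roles, list):
            continue
        for r in roles:
            if not isinstance(r, dict):
                continue
            role, sys_name = r.get("ContactRole"), r.get("System")
            if contact_role is not None and role != contact_role:
                continue
            if system is not None and sys_name != system:
                continue
            out.append((str(org), str(role), str(sys_name)))
    return out


def is_authorized(claims: dict[str, Any], system: str, allowed_roles: set[str]) -> bool:
    """Decision an external SSO-enabled platform could make for its own System
    value: grant access only if the user holds one of the allowed ContactRoles
    for that system in at least one organisation."""
    return any(
        role in allowed_roles
        for _org, role, _sys in domain_affiliations(claims, system=system)
    )


if __name__ == "__main__":
    print("Org admin of:", administered_orgs(SAMPLE_CLAIMS))
    print("Service desk affiliations:", domain_affiliations(SAMPLE_CLAIMS, system="ServiceDeskPortal"))
    print("Portal access:", is_authorized(SAMPLE_CLAIMS, "ServiceDeskPortal", {"ServiceDesk"}))
```

The strict `is True` comparison is the point worth copying: a relying party that tests `if entry.get("OrgAdmin"):` would treat the malformed string in the third entry as an administrator grant, while this version returns only org-alpha. Filtering by the platform's own System value keeps a Service Desk contact's access scoped to that platform, matching the example above of a contact provisioned without directory-level permissions.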

→ Add and manage Domain Users, regardless of their user role.

→ If you are a Super User, create a Domain User System. Define Permissions for Domain Users controlling access within the Trust Framework.