Predefined roles
Eligible plans: Enterprise
The PactFlow application comes with the following predefined roles. Each role is assigned a collection of permissions.
Administrator
The PactFlow tenant user will be assigned the Administrator role. They can then assign the Administrator role to other users.
Default permissions
authentication_settings:manage:*
contract_data:bulk_delete:*
contract_data:manage:*
deployment_and_release:record:*
environment:manage:*
role:manage:*
secret:manage:*
system_account:manage:*
system_preference:manage:*
team:manage:*
token:manage:own
user:invite
user:manage:*
webhook:manage:*
User
All new users are assigned the User
role (unless the default role has been updated in the system preferences). The User
role is intended to work in conjunction with team assignments, and therefore has manage:team
permissions (rather than manage:*
permissions) for all resources that can be associated with a team. The User
role should be assigned to all developers, testers and other users who create and verify contracts on the PactFlow platform.
Default permissions
ai:*
contract_data:bulk_delete:own
contract_data:bulk_delete:team
contract_data:manage:own
contract_data:manage:team
contract_data:read:*
environment:read:team*
role:read:*
secret:manage:team
system_account:manage:team
system_account:read:*
team:read:*
token:manage:own
user:read:*
webhook:manage:team
CI/CD
This is the default role associated with a system account.
Default permissions
contract_data:manage:own
contract_data:manage:team
contract_data:read:*
deployment_and_release:record:*
environment:read:*
Team Administrator
This role is automatically assigned to any user who is an administrator of a specific team. This role may not be edited or deleted and cannot be assigned directly via the user roles APIs or UIs.
Default permissions
Viewer
Default permissions
Guest
A user with the guest role can only view contract related data through the UI and has no API access.
The guest role permissions may not be modified.
Permissions
SwaggerHub
A user with the SwaggerHub role can provide an API Token for the SwaggerHub integration. This allows SwaggerHub to verify published pacts against live Swagger docs.
The SwaggerHub role permissions may not be modified.
Permissions
SCIM
For the System Account used by the PactFlow SCIM API.
The SCIM role permissions may not be modified.
Permissions
Test Maintainer (deprecated)
The Test Maintainer role has been replaced by the User role. The difference between the User and Test Maintainer roles is that the User role has team scoped permissions for Webhook and Secret management.
Default permissions
contract_data:bulk_delete:own
contract_data:manage:own
contract_data:manage:team
contract_data:read:*
role:read:*
secret:manage:*
system_account:read:*
team:read:*
token:manage:own
user:read:*
webhook:manage:*
Organization Administrator
A system-assigned role for users to administrator authentication and user access within PactFlow. It has no API or contract data access, and does not consume a paid seat.
The Organization Administrator permissions may not be modified and cannot be assigned to users from within PactFlow.
Default permissions
authentication_settings:manage:*
role:manage:*
system_account:manage:*
team:manage:*
user:invite
user:manage:*
Resetting permissions for predefined roles
Should you wish to reset the permissions assigned to each of the predefined roles back to their defaults as documented above (or upgrade from the globally scoped User role to the team scoped User role) you can follow these steps. Note that any custom roles will remain unaffected, and user/role assignments are unchanged.
- Click on the
API
button at the top right of the PactFlow dashboard. - In the
Links
section, scroll down to the line where therel
column has a value ofpf:admin-roles
. - Click on the green arrow in the
GET
column with the hover text "Follow link". - Scroll up to the top of the page.
- In the Links section, if you can see the line with a
rel
ofpf:reset
, you have the permissions required to reset the roles. If you cannot see this relation, you do not have the required permissions. - Click the yellow
!
button in theNON-GET
column. - Click the blue
Make Request
button. You will see a 200 OK response with the updated roles list.