Access control
Overview
MATTR VII uses Role-Based Access Control (RBAC) to manage permissions and access within a tenant. Each role grants access to specific capabilities, ensuring that users or clients only have access to the functionalities they need. Below is a list of available roles and their descriptions:
- Tenant admin (
admin): Has full access to all tenant capabilities. This role is assigned to the default client when a new tenant is created. - Issuer (
issuer): Has access to capabilities required for issuing and managing credentials of different formats across different channels. - Verifier (
verifier): Has access to capabilities required for verifying credentials of different formats across different channels. - DTS provider (
dts-provider): Has access to capabilities required for managing a Digital Trust Service (DTS). - DTS consumer (
dts-consumer): Has access to capabilities required to consume DTS information from a tenant. - Auditor (
auditor): Has read-only access to analytics data.
Role permissions
The following sections detail the capabilities available for different roles. For an inclusive list of the endpoints and operations each role can access, please refer to the roles and permissions list.
Furthermore, the MATTR VII API reference details, for each endpoint, what roles can access it.
Tenant admin permissions
The following list details the MATTR VII capabilities available to users and clients assigned with the Tenant admin role. This includes all tenant capabilities:
Platform management
- Manage Custom domain
- Manage DIDs*
- Manage IACAs
- Manage Webhooks
- Monitor Analytics information
- Manage Messaging*
- Manage Tenants
Digital Trust Service
- Manage Ecosystems
- Manage Ecosystem participants
- Manage Ecosystem credential types
- Manage Ecosystem policies
Credential issuance
- OID4VCI:
- Manage Authentication providers
- Manage Interaction hooks
- Manage Claim sources
- Manage Credential configurations
- Creating Credential offers
- Issuing CWT, Semantic CWT, JSON and mDoc credentials via OID4VCI
- Direct issuance of CWT and JSON credentials*
- Managing PDF, Apple and Google Digital Pass templates for CWT and Semantic CWT credentials*
Credential management
- Revoking CWT, Semantic CWT, JSON and mDoc credentials*
Credential verification
- Verification of mDocs, JSON, CWT and Semantic CWT credentials*
- Configure workflows for remote (online) verification of mDocs and JSON credentials
Issuer permissions
The following list details the MATTR VII capabilities available to users and clients assigned with the Issuer role:
Platform management
- Manage Custom domain
- Manage DIDs*
- Manage IACAs
- Manage Webhooks
Digital Trust Service
- Retrieve Ecosystem policies
Credential issuance
- OID4VCI:
- Manage Authentication providers
- Manage Interaction hooks
- Manage Claim sources
- Manage Credential configurations
- Creating Credential offers
- Issuing CWT, Semantic CWT, JSON and mDoc credentials via OID4VCI.
- Direct issuance of CWT and JSON credentials*
- Managing PDF, Apple and Google Digital Pass templates for CWT and Semantic CWT credentials*
Credential management
- Revoking CWT, Semantic CWT, JSON and mDoc credentials*
Verifier permissions
The following list details the MATTR VII capabilities available to users and clients assigned with the Admin role:
Platform management
- Manage Custom domain
- Manage DIDs*
- Manage IACAs
- Manage Webhooks
- Manage Messaging*
Digital Trust Service
- Retrieve Ecosystem policies
Credential verification
- Verification of mDocs, JSON, CWT and Semantic CWT credentials*
- Configure workflows for remote (online) verification of mDocs and JSON credentials
DTS provider permissions
The following list details the MATTR VII capabilities available to users and clients assigned with the DTS provider role:
Platform management
- Manage Custom domain
- Manage DIDs*
- Manage IACAs
Digital Trust Service
- Manage Ecosystems
- Manage Ecosystem participants
- Manage Ecosystem credential types
- Manage Ecosystem policies
DTS consumer permissions
The following list details the MATTR VII capabilities available to users and clients assigned with the DTS consumer role:
Digital Trust Service
- Retrieve Ecosystem policies
Auditor permissions
The following list details the MATTR VII capabilities available to users and clients assigned with the Auditor role:
Platform management
- Monitor Analytics information
* Partial support or not available for users using MATTR Portal; users or clients using MATTR VII API are not affected.