Holocron has the following access control groups and roles which are managed by some SSO service like keycloak and internally by the API. The roles are described below, and the access control matrix for the roles are shown below.
1.**Admin**: This role has all the global rights to the app with the exception of seeing and updating pay data.
2.**OrgLeadership**: This role only gives the permission to view and update pay data.
3.**OrgAdmin** (Organization Admin): This role gives the permission to view metrics, update, and delete organization. It also give rights to create, view metrics, update, and delete teams and value streams within the organization the person is OrgAdmin for.
4.**VSAdmin** (Value Stream Admin): This role gives the the permission to view metrics, update and delete value stream. It also gives rights to create, view, update, and delete teams within the value stream the person is VSAdmin for.
5.**TeamAdmin** (Team Admin): This role gives the permission to view metrics, update, and delete team the person is TeamAdmin for.
1.**Admin**: This role has all the global rights to the app with the exception of seeing and updating pay data. In order to obtain this role, user must be in the `SSO_ADMIN_GROUP` group (for more information on this group consult the **Collector Environmental Variables** section).
2.**OrgLeadership**: This role only gives the permission to view and update pay data. In order to obtain this role, user must be in the `SSO_LEADERSHIP_GROUP` group (for more information on this group consult the **Collector Environmental Variables** section).
3.**OrgAdmin** (Organization Admin): This role gives the permission to view metrics, update, and delete organization. It also give rights to create, view metrics, update, and delete teams and value streams within the organization the person is OrgAdmin for. This role is managed internally by the API.
4.**VSAdmin** (Value Stream Admin): This role gives the the permission to view metrics, update and delete value stream. It also gives rights to create, view, update, and delete teams within the value stream the person is VSAdmin for. This role is managed internally by the API.
5.**TeamAdmin** (Team Admin): This role gives the permission to view metrics, update, and delete team the person is TeamAdmin for. This role is managed internally by the API.
More on these roles access control is show in the matrix below.
