UNCLASSIFIED - NO CUI

Update Administrator Guide authored by abhayashrestha
......@@ -9,6 +9,38 @@
### How Keycloak needs to be setup in order to work with Holocron?
Keycloak needs an admin, and leadership group setup for it to work with Holocron.
### App access control
Holocron has the following access control groups and roles which are managed by some SSO service like keycloak and internally by the API. The roles are described below, and the access control matrix for the roles are shown below.
1. **Admin**: This role has all the global rights to the app with the exception of seeing and updating pay data.
2. **OrgLeadership**: This role only gives the permission to view and update pay data.
3. **OrgAdmin** (Organization Admin): This role gives the permission to view metrics, update, and delete organization. It also give rights to create, view metrics, update, and delete teams and value streams within the organization the person is OrgAdmin for.
4. **VSAdmin** (Value Stream Admin): This role gives the the permission to view metrics, update and delete value stream. It also gives rights to create, view, update, and delete teams within the value stream the person is VSAdmin for.
5. **TeamAdmin** (Team Admin): This role gives the permission to view metrics, update, and delete team the person is TeamAdmin for.
More on these roles access control is show in the matrix below.
| Permissions | Admin | Admin + OrgLeadership | Org admin | Org admin + OrgLeadership | VS Admin | VS Admin + OrgLeadership | Team Admin | Team Admin + OrgLeadership |
| :--- | :----: | :----: | :----: | :----: | :----: | :----: | :----: | ---:|
Create Organization | **Y** | **Y** | | | | | | |
Read Organization Metrics | **Y** | **Y** | if they are admin of Organization | if they are admin of Organization | | | | | |
Read Organization Cost Metrics | | **Y** | | if they are admin of Organization | | | | |
Update Organization | **Y** | **Y** | if they are admin of Organization | if they are admin of Organization | | | | |
Delete Organization | **Y** | **Y** | if they are admin of Organization | if they are admin of Organization | | | | |
Create Value Stream | **Y** | **Y** | **Y** | **Y** | | | | |
Read Value Stream Metrics | **Y** | **Y** | if the Value Stream falls under Organiztion they are admin of | if the Value Stream falls under Organiztion they are admin of | if they are admin of Value Stream | if they are admin of Value Stream | | |
Read Value Stream Cost Metrics | | **Y** | | if the Value Stream falls under Organization they are admin of | | if they are admin of Value Stream | | | |
Update Value Stream | **Y** | **Y** | if the Value Stream falls under Organization they are admin of | if the Value Stream falls under Organization they are admin of | if they are Admin of Value Stream | if they are admin of Value Stream | | |
Delete Value Stream | **Y** | **Y** | if the Value Stream falls under Organization they are admin of | if the Value Stream falls under Organization they are admin of | if they are Admin of Value Stream | if they are admin of Value Stream | | |
Create Team | **Y** | **Y** | **Y** | **Y** | **Y** | **Y** | | |
Read Team Metrics | **Y** | **Y** | if the Team falls under Organization they are admin of | if the Team falls under Organization they are admin of | if the Team falls under Value Stream they are admin of | if the Team falls under Value Stream they are admin of | if they are Team Admin | if they are Team Admin|
Read Team Cost Metrics | | **Y** | | if the Team falls under Organization they are admin of | | if the Team falls under Value Stream they are admin of | | if they are Team Admin|
Update Team | **Y** | **Y** | if the Team falls under Organization they are admin of | if the Team falls under Organization they are admin of | if the Team falls under Value Stream they are admin of | if the Team falls under Value Stream they are admin of | if they are Team Admin | if they are Team Admin|
Delete Team | **Y** | **Y** | if the Team falls under Organization they are admin of | if the Team falls under Organization they are admin of | if the Team falls under Value Stream they are admin of | if the Team falls under Value Stream they are admin of | if they are Team Admin | if they are Team Admin|
Delete User | **Y** | **Y** | | | | | | |
## What are Collectors?
Collectors can be thought of as an infinitely running background jobs. They constantly run within a set interval and collect data from sources (GitLab, Jira etc.), and transform the data into the data the backend API can understand.
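Review bot: The Create Value Stream and Create Team rows give Org admin and VS Admin an unconditional **Y**, while the role descriptions above limit creation to "within the organization the person is OrgAdmin for" and "within the value stream the person is VSAdmin for". Suggest scoping those cells the way the Update and Delete rows already do (for example "if the Value Stream falls under Organization they are admin of"), so the matrix cannot be read as granting creation rights outside the admin's own organization or value stream. The OrgLeadership description also says the role can "view and update pay data", but the matrix only has Read ... Cost Metrics rows; either add the update rows or adjust the description so the two agree. Smaller points: the Read Organization Metrics and Read Value Stream Cost Metrics rows carry one more cell than the nine header columns, "Organiztion" is misspelled in the Read Value Stream Metrics row, and "the the permission" and "is show in the matrix" need fixing.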
......@@ -55,4 +87,6 @@ The API can enable experimental features by setting the variable name that descr
as true. For example, `FEATURE_XXX=true`. where `XXX` is the feature name.
## Collector Specifics
- **GitLab Workflow Collector**:
- **GitLab Workflow Collector**: In addition to the setup needed for environmental variables, you will need the following requirements to be met in order to be able to use this collector:
1. Your hosted GitLab's graphql query complexity must be a maximum of 234.
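Review bot: In the numbered requirement, "graphql query complexity must be a maximum of 234" does not say whether 234 is a limit the hosted GitLab instance has to allow or a cap the administrator has to apply, nor where an administrator checks the value. Suggest rewording so the direction of the constraint is explicit and naming the setting or endpoint where it is verified. Also, "environmental variables" should read "environment variables" and "graphql" should be written "GraphQL".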