User Claims & Permissions
Accessing the Page
Click on your user initials in the top-right of the application to open the user menu, then select Claims & Permissions (shield icon). The page is available to every authenticated user.
Identity
The first card on the page summarises your authenticated identity:
| Field | Description |
|---|---|
| Username | The username returned by Keycloak. |
| Authenticated | A green Yes badge confirms the session is active. |
| Authentication Type | The authentication scheme used by the current request (typically oidc). |
Assigned Roles
The second card lists every Keycloak role currently mapped to your account, displayed as blue Info-style chips. Roles are assigned by an administrator from the User Administration (Keycloak) console.
Effective Permissions
The third card shows the full role × permission matrix that EORSA-DB derives from your roles. It contains three columns:
| Column | Description |
|---|---|
| Permission | The permission name. |
| Status | A green check-circle icon when the permission is granted; a red cancel icon otherwise. |
| Granted By Roles | The Keycloak roles that grant this permission, shown as chips. Empty when the permission is not granted. |
The matrix is searchable, sortable and filterable. The most important permissions are:
| Permission | What it grants |
|---|---|
| AccessOtherDataButProgrammatics | Read access to Dashboard, Data, Timelines, Benchmarking and Policies & Requirements. |
| AccessProgrammaticData | Read access to the Financial page. |
| AddCoreData | Permission to create Core and Non-Core data; enables the floating + button. |
| ModifyCoreData | Permission to edit and delete existing Core and Non-Core entities. |
| ImportExportDatabase | Bulk import / export and access to PG Admin. |
| QueryDatabase | Use of the Search page and running Reference Scenarios. |
| ManageUsers | Access to the Administration page and the external Keycloak admin. |
| ApprovePublicationOfWhatIfScenarios | Ability to promote a local what-if scenario to a published scenario visible to other users. |
| CreateLocalWhatIfScenarios | Permission to create local what-if (fictional) entities. |
| AccessPublishedWhatIfScenarios | Read access to published what-if scenarios. |
See Roles and Permissions for the complete role × permission matrix.
Raw Claims
The fourth card, Raw Claims, exposes all JWT claims returned by Keycloak for the current session. This is useful for debugging authentication issues or verifying what information was received from the identity provider.
The grid shows three columns:
| Column | Description |
|---|---|
| Claim Type | The claim name (e.g. sub, email, preferred_username, realm_access). |
| Value | The claim value as returned by Keycloak. |
| Issuer | The issuer URI of the identity provider that issued the claim. |
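To cross-check the grid against a token captured while debugging, the following added example (not EORSA-DB code) decodes a JWT payload offline into the same three columns and lists the realm roles Keycloak places under `realm_access.roles`. The sample token, issuer, user and role names are constructed, and rendering non-string values as JSON text is an assumption about the display, not the application's documented behaviour.

```python
import base64
import json

def _b64url_decode(segment):
    # JWT segments are base64url with padding stripped; restore it first.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))

def _b64url_encode(obj):
    raw = json.dumps(obj, separators=(",", ":")).encode()
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def decode_payload(token):
    """Decode the payload of a compact JWT. The signature is NOT verified:
    use the result for inspection only, never for an access decision."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("expected header.payload.signature")
    try:
        payload = json.loads(_b64url_decode(parts[1]))
    except ValueError as exc:  # covers bad base64, bad UTF-8 and bad JSON
        raise ValueError("payload is not base64url-encoded JSON") from exc
    if not isinstance(payload, dict):
        raise ValueError("payload is not a JSON object")
    return payload

def claim_rows(token):
    """Rows shaped like the Raw Claims grid: (claim type, value, issuer)."""
    payload = decode_payload(token)
    issuer = payload.get("iss", "")
    return [(name, value if isinstance(value, str) else json.dumps(value), issuer)
            for name, value in payload.items()]

def realm_roles(token):
    """Realm roles carried in the realm_access claim, sorted for comparison."""
    access = decode_payload(token).get("realm_access")
    roles = access.get("roles", []) if isinstance(access, dict) else []
    return sorted(r for r in roles if isinstance(r, str))

# Constructed sample token: issuer, user and role names are made up.
SAMPLE_CLAIMS = {
    "iss": "https://keycloak.example/realms/demo",
    "sub": "00000000-0000-0000-0000-000000000001",
    "preferred_username": "jdoe",
    "realm_access": {"roles": ["viewer", "editor"]},
}
SAMPLE_TOKEN = ".".join([_b64url_encode({"alg": "RS256", "typ": "JWT"}),
                         _b64url_encode(SAMPLE_CLAIMS), "c2lnbmF0dXJl"])

if __name__ == "__main__":
    print(*claim_rows(SAMPLE_TOKEN), realm_roles(SAMPLE_TOKEN), sep="\n")
```

If the roles listed here differ from the Assigned Roles card, compare the token's `iss` value with the Issuer column before suspecting the role mapping.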
Changing Your Password
Password and account management is delegated to Keycloak. Open the User Administration link in the navigation menu (visible to administrators) or use the Account console exposed by your Keycloak deployment.