roleScopeCatalog
The role-definition vocabulary (valid scopes per tenancy level, entity types, tenancy levels) used to populate the role editor's pickers. Static domain metadata derived from the Go authz scope sets — no Keycloak call. Gated by the same change-user-roles permission as the roles query.
roleScopeCatalog(
organizationId: String!
): RoleScopeCatalog!
Arguments
roleScopeCatalog.organizationId ● String! non-null scalar
Type
RoleScopeCatalog object
The authoritative vocabulary an admin picks from when defining a custom role. Derived server-side from the Go authorization source of truth (authz group / workspace scope sets, via the scope registry) rather than hard-coded on the client, so the role editor's pickers can never drift from what the platform actually authorizes (ADR-0066).