Skip to main content

roleScopeCatalog

The role-definition vocabulary (valid scopes per tenancy level, entity types, tenancy levels) used to populate the role editor's pickers. Static domain metadata derived from the Go authz scope sets — no Keycloak call. Gated by the same change-user-roles permission as the roles query.

roleScopeCatalog(
organizationId: String!
): RoleScopeCatalog!

Arguments

roleScopeCatalog.organizationId ● String! non-null scalar

Type

RoleScopeCatalog object

The authoritative vocabulary an admin picks from when defining a custom role. Derived server-side from the Go authorization source of truth (authz group / workspace scope sets, via the scope registry) rather than hard-coded on the client, so the role editor's pickers can never drift from what the platform actually authorizes (ADR-0066).