Understanding roles and permissions

A permission (or privilege) is a granular task or ability to see or do something within PolicyCenter. A role is a named collection of permissions and typically maps to a job function or job title.

PolicyCenter stores role information in file roles.csv and permission information in file roleprivileges.csv. Within the Guidewire Studio Project window, these two files exist in the following location:
  • configuration > config > import > gen

PolicyCenter loads the contents of these two files into the database during the initial database upgrade, which runs at the first server startup after installation. See About the import directory for details on how PolicyCenter works with the files in the gen directory.

Role definitions

File roles.csv contains a list of PolicyCenter roles, along with a human-readable name and description for each role. Within this file, set the name and description fields to whatever is useful in uniquely identifying the role. PolicyCenter reads the file, starting with the first row that contains the entityid identifier, and imports the data into the database.

The following code samples are examples of role definition entries:

Roles,
type,data-set,entityid,description,name,carrierinternalrole,roletype
Role,0,superuser,${AdminData.Role.Description.All_Permissions},${AdminData.Role.Name.All_Permissions},true,user
Role,0,underwriter_supervisor,${AdminData.Role.Description.Underwriter_Supervisor},${AdminData.Role.Name.Underwriter_Supervisor},true,user
Role,0,underwriter,${AdminData.Role.Description.Underwriter},${AdminData.Role.Name.Underwriter},true,user
Role,0,underwriter_asst,${AdminData.Role.Description.Underwriter_Asst},${AdminData.Role.Name.Underwriter_Asst},true,user
...

Notice the use of display keys inside the variable construction ${...} to set the role name and description. Guidewire recommends this approach as it permits the easy localization of these values.

Role permission definitions

File roleprivileges.csv contains the mappings that link roles to a set of permissions. PolicyCenter reads the file, starting with the first row that contains the entityid identifier, and imports the data into the database.

The following code samples are examples of permission definition entries:

type,data-set,entityid,permission,role
RolePrivilege,0,sample_data:2,abcreate,audit_examiner
RolePrivilege,0,sample_data:3,abdelete,audit_examiner
RolePrivilege,0,sample_data:4,abedit,audit_examiner
RolePrivilege,0,sample_data:5,abview,audit_examiner
RolePrivilege,0,sample_data:6,anytagcreate,audit_examiner
,,,,

Each row in file roleprivileges.csv maps a single permission to a role. A role normally has multiple permissions and therefore occupies multiple rows. For example, the abcreate entry grants the permission to create a contact to the audit_examiner role.
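The import rule described above (read from the header row that contains entityid, then one role per row and one role-to-permission mapping per row) is enough to build a small pre-import audit: which roles hold a given permission, which mappings point at a role that roles.csv never defines, and which roles end up with no permissions. The following Python is an added example written for this page, not Guidewire code. Its sample CSV content is constructed to mirror the layouts shown above; the Audit_Examiner display keys are assumed, and the deliberately bad rows (a mistyped role, a duplicated mapping, a trailing padding row) exist only so the checks have something to report.

```python
"""Audit helpers for PolicyCenter-style roles.csv / roleprivileges.csv files.

Added example, not Guidewire code. It assumes only the column layout shown in
the text; all CSV content below is constructed for the example.
"""
import csv
import io
from collections import defaultdict

# Constructed sample of roles.csv: a title row, the header row, then one Role per line.
# The Audit_Examiner display keys are assumed for this example.
ROLES_CSV = """Roles,
type,data-set,entityid,description,name,carrierinternalrole,roletype
Role,0,superuser,${AdminData.Role.Description.All_Permissions},${AdminData.Role.Name.All_Permissions},true,user
Role,0,underwriter,${AdminData.Role.Description.Underwriter},${AdminData.Role.Name.Underwriter},true,user
Role,0,audit_examiner,${AdminData.Role.Description.Audit_Examiner},${AdminData.Role.Name.Audit_Examiner},true,user
"""

# Constructed sample of roleprivileges.csv. It deliberately contains a mistyped role
# ("k"), a duplicated mapping and a trailing padding row so the audit has findings.
ROLEPRIVILEGES_CSV = """type,data-set,entityid,permission,role
RolePrivilege,0,sample_data:2,abcreate,k
RolePrivilege,0,sample_data:3,abdelete,audit_examiner
RolePrivilege,0,sample_data:4,abedit,audit_examiner
RolePrivilege,0,sample_data:5,abview,audit_examiner
RolePrivilege,0,sample_data:6,abview,underwriter
RolePrivilege,0,sample_data:7,abview,underwriter
,,,,
"""


def read_rows(text):
    """Parse rows into dicts keyed by header, mirroring the import rule in the text:
    the header is the first row containing 'entityid'; rows above it are ignored.
    Blank padding rows such as ',,,,' are skipped."""
    rows = list(csv.reader(io.StringIO(text)))
    header_index = next((i for i, row in enumerate(rows) if "entityid" in row), None)
    if header_index is None:
        raise ValueError("no header row containing 'entityid'")
    header = rows[header_index]
    records = []
    for row in rows[header_index + 1:]:
        if not any(cell.strip() for cell in row):
            continue
        records.append(dict(zip(header, row)))
    return records


def load_roles(roles_text):
    """Map role entityid -> role record."""
    return {r["entityid"]: r for r in read_rows(roles_text)}


def load_role_permissions(privs_text):
    """Map role -> set of permissions granted to it."""
    perms = defaultdict(set)
    for r in read_rows(privs_text):
        perms[r["role"]].add(r["permission"])
    return dict(perms)


def who_has(privs_text, permission):
    """Sorted list of roles holding a permission (the review question: who can do X?)."""
    granted = load_role_permissions(privs_text)
    return sorted(role for role, perms in granted.items() if permission in perms)


def audit(roles_text, privs_text):
    """Return findings for a pair of files before they are imported: mappings to
    roles that roles.csv does not define, duplicate mappings, and roles that end
    up with no permissions at all."""
    roles = load_roles(roles_text)
    findings = []
    seen = set()
    for m in read_rows(privs_text):
        if m["role"] not in roles:
            findings.append(f"{m['entityid']}: permission {m['permission']} "
                            f"mapped to undefined role '{m['role']}'")
        key = (m["role"], m["permission"])
        if key in seen:
            findings.append(f"{m['entityid']}: duplicate mapping {m['permission']} -> {m['role']}")
        seen.add(key)
    granted = load_role_permissions(privs_text)
    for role in roles:
        if role not in granted:
            findings.append(f"role '{role}' has no permissions mapped")
    return findings


if __name__ == "__main__":
    for finding in audit(ROLES_CSV, ROLEPRIVILEGES_CSV):
        print(finding)
    print("abview:", who_has(ROLEPRIVILEGES_CSV, "abview"))
```

Running the audit against the real gen files before a database upgrade catches the two mistakes that are easiest to make when editing these CSVs by hand: a role name that does not match roles.csv (the mapping silently grants nothing to the intended role) and a duplicated row. The who_has view is the one to use when reviewing which job functions can delete or edit, since the CSV is organised by row rather than by permission.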

The PolicyCenter Security Dictionary provides a full list of role permissions, along with a brief description of each. It also lists the mapping between roles and permissions.