Available roles

The permissions to access and use tools, services, or solutions in your tenant are bundled in roles.

Roles can be assigned to users, user groups, and technical clients through the Multitenant Access Control portal. See also How-to guides for tenant management.

This reference page lists all default Bosch Semantic Stack roles. Additionally, you can also create customized roles.

Battery Passport

Name Description Role key

Name	Description	Role key
Battery Passport Viewer	Required to see the application and its contents in your tenant’s workspace. With only that role, users can view battery passport information and download it.	`BATTERY_PASSPORT_VIEWER`
Battery Passport Manager	Additionally, with this role, users can create new battery passports.	`BATTERY_PASSPORT_MANAGER`

Battery Passport Viewer

Required to see the application and its contents in your tenant’s workspace.
With only that role, users can view battery passport information and download it.

BATTERY_PASSPORT_VIEWER

Battery Passport Manager

Additionally, with this role, users can create new battery passports.

BATTERY_PASSPORT_MANAGER

Product Explorer

Name Description Role key

Name	Description	Role key
Access UI Role	Required to see the application and its contents in your tenant’s workspace. With only that role, users can just see the Product Explorer user interface, without any product data.	`access_ui_role`
View All Product Types	Additionally, with this role, users have Read permission for all Product Types on the tenant and can browse product data in the Product Explorer.	`view_all_product_types`

Access UI Role

Required to see the application and its contents in your tenant’s workspace.
With only that role, users can just see the Product Explorer user interface, without any product data.

access_ui_role

View All Product Types

Additionally, with this role, users have Read permission for all Product Types on the tenant and can browse product data in the Product Explorer.

view_all_product_types

Digital Twin Registry

Digital Twin Registry for Twins:

Name Description Role key

Name	Description	Role key
Twin Viewer	Required to see the application and its contents in your tenant’s workspace. With only that role, users can browse the Digital Twin Registry for Twins.	`VIEWER`
Twin Manager	Additionally, with this role, users have Write permissions for Twins.	`TWIN_MANAGER`
Aspect Operator	With this role, users have Write permissions for the Aspect APIs of the Twins.	`ASPECT_OPERATOR`

Twin Viewer

Required to see the application and its contents in your tenant’s workspace.
With only that role, users can browse the Digital Twin Registry for Twins.

VIEWER

Twin Manager

Additionally, with this role, users have Write permissions for Twins.

TWIN_MANAGER

Aspect Operator

With this role, users have Write permissions for the Aspect APIs of the Twins.

ASPECT_OPERATOR

Digital Twin Registry for Asset Administration Shells:

Name Description Role key

Name	Description	Role key
AAS Viewer	Required to see the application and its contents in your tenant’s workspace. With only that role, users can browse the Digital Twin Registry for Asset Administration Shells.	`AAS_VIEWER`
AAS Manager	Additionally, with this role, users have Write permissions for Asset Administration Shells.	`AAS_MANAGER`
Submodel Access Reader	With this role, users have Read permission for the AAS submodel-descriptor access endpoint. Only required for Eclipse Dataspace Connector (EDC) clients.	`SUBMODEL_ACCESS_READER`
AAS EDC BPN Viewer	With this role, users have access-controlled Read permission for AAS resources in combination with EDC-BPN Header. Resource visibility depends on defined access rules. Only required for Eclipse Dataspace Connector (EDC) clients.	`AAS_EDC_BPN_VIEWER`

AAS Viewer

Required to see the application and its contents in your tenant’s workspace.
With only that role, users can browse the Digital Twin Registry for Asset Administration Shells.

AAS_VIEWER

AAS Manager

Additionally, with this role, users have Write permissions for Asset Administration Shells.

AAS_MANAGER

Submodel Access Reader

With this role, users have Read permission for the AAS submodel-descriptor access endpoint. Only required for Eclipse Dataspace Connector (EDC) clients.

SUBMODEL_ACCESS_READER

AAS EDC BPN Viewer

With this role, users have access-controlled Read permission for AAS resources in combination with EDC-BPN Header. Resource visibility depends on defined access rules. Only required for Eclipse Dataspace Connector (EDC) clients.

AAS_EDC_BPN_VIEWER

Async Digital Twin Registry:

Name

Description

Role key

Message Operator

With this role, users have Read permission for message client credentials.

MESSAGE_OPERATOR

Aspect on Demand

Name Description Role key

Name	Description	Role key
Aspect on Demand Viewer	Required to see the application and its contents in your tenant’s workspace. With only that role, users can view the list of existing Aspect APIs.	`AOD_VIEWER`
Aspect on Demand Manager	Additionally, with this role, users can work with Aspect on Demand and generate new Aspect APIs.	`AOD_MANAGER`

Aspect on Demand Viewer

Required to see the application and its contents in your tenant’s workspace.
With only that role, users can view the list of existing Aspect APIs.

AOD_VIEWER

Aspect on Demand Manager

Additionally, with this role, users can work with Aspect on Demand and generate new Aspect APIs.

AOD_MANAGER

Data Browser

Coming soon — Data Browser roles in Multitenant Access Control

Data Onboarding

Name Description Role key

Name	Description	Role key
Data Onboarding Service Viewer	Required to see the application and its contents in your tenant’s workspace. With only that role, users can view the list of existing data onboardings.	`DATA_ONBOARDING_VIEWER`
Data Onboarding Service Editor	Additionally, with this role, users can work with Data Onboarding and add further data to the tenant’s semantic data lakehouse.	`DATA_ONBOARDING_EDITOR`

Data Onboarding Service Viewer

Required to see the application and its contents in your tenant’s workspace.
With only that role, users can view the list of existing data onboardings.

DATA_ONBOARDING_VIEWER

Data Onboarding Service Editor

Additionally, with this role, users can work with Data Onboarding and add further data to the tenant’s semantic data lakehouse.

DATA_ONBOARDING_EDITOR

Aspect Model Catalog

Name Description Role key

Name	Description	Role key
Model Viewer	Required to see the application and its contents in your tenant’s workspace. With only that role, users can browse the Aspect Model Catalog.	`VIEWER`
Model Editor	Additionally, with this role, users have Write permission for Aspect Models.	`EDITOR`
Model Manager	Additionally, with this role, users can release Aspect Models and namespaces.	`MODEL_MANAGER`

Model Viewer

Required to see the application and its contents in your tenant’s workspace.
With only that role, users can browse the Aspect Model Catalog.

VIEWER

Model Editor

Additionally, with this role, users have Write permission for Aspect Models.

EDITOR

Model Manager

Additionally, with this role, users can release Aspect Models and namespaces.

MODEL_MANAGER

How-to guides

For further information on how to grant access and give permissions for your tenant, refer to our how-to guides: