SquizyAppearance
Roles
Roles are named collections of authorities that define access profiles. They act as the bridge between users and the fine-grained permission system.
INFO
App Tokens do not use roles — they have authorities assigned directly.
Creating Roles
Roles are created and managed via Management → Roles in the UI. When creating a role:
- Define a name (e.g.,
Admin,Viewer,ProductEditor) - Assign authorities from the auto-generated list
Squizy automatically generates the full set of available authorities based on your entity model. You pick which authorities to include in each role.
Designing Roles
When designing your role structure, consider the principle of least privilege: each role should contain only the authorities necessary for its intended use case. Since a user can hold multiple roles, you can compose fine-grained access by assigning several roles rather than creating one large role.
For example, instead of an "Editor" role with all write permissions, you might create:
- ProductEditor —
Product.create,Product.read,Product.update - CategoryViewer —
Category.read
A user assigned both roles can edit products and view categories, but cannot delete products or modify categories.
Default Roles
Squizy creates the following roles automatically on startup. They cover the most common access profiles out of the box:
| Role | Authorities | Use case |
|---|---|---|
| Admin | All authorities (including @AdminOnly entities) | Full system access |
| Editor | *.create, *.read, *.update, *.delete, *.export | Full CRUD on non-admin entities |
| Auditor | *.read, *.export, *.audit | Read-only with revision history access |
| User | *.read, *.export | Read-only access to non-admin entities |
INFO
The Editor, Auditor, and User roles only include authorities for non-admin entities. Only Admin has access to entities marked with @AdminOnly.
The @AdminOnly Annotation
@AdminOnly is an annotation that marks entities as accessible only by the Admin role when using the default roles. It controls which authorities are included or excluded from each default role during creation:
- The Admin role receives authorities for all entities, including those annotated with
@AdminOnly. - The Editor, Auditor, and User roles receive authorities only for entities not annotated with
@AdminOnly.
The four built-in framework entities (SquizyRole, SquizyAuthority, Oauth2SquizyUser, and AppToken) are already annotated with @AdminOnly. You can also annotate your own entities to restrict them to the Admin role:
java
@AdminOnly
@SquizyEntity(displayFormat = "${name}")
@Entity
public class SystemConfig { /* ... */ }WARNING
@AdminOnly only has effect when using the default roles created by DefaultSquizyRolesCreator. If you replace the default roles by providing a custom SquizyRolesCreator, @AdminOnly has no effect — your implementation has full control over which authorities each role receives.
Customizing Default Roles
The default roles are created by the DefaultSquizyRolesCreator bean. Since the bean is registered with @ConditionalOnMissingBean, you can replace it entirely by providing your own implementation of the SquizyRolesCreator interface:
java
@Bean
SquizyRolesCreator squizyRolesCreator(SquizyAuthorityService authorityService,
SquizyRoleService roleService) {
return () -> {
// Create your own roles with the desired authorities
roleService.getOrCreate("SuperAdmin", authorityService.findAll());
roleService.getOrCreate("Viewer",
authorityService.findSquizyEntityAuthoritiesByActions(false,
AuthorityAction.READ));
};
}When your custom bean is present, the default roles (Admin, Editor, Auditor, User) are not created — your implementation takes full control of role initialization.