End User Entry
Role Code: end_user
Default Mask: 0x00000000
Required Ability: basic login/session only
Entry Router
Route by permission domain instead of landing on 404.
[31..28] AUTH: login, session, MFA, challenge, lock status
[27..24] OAUTH: authorize, token, consent, device flow, introspect
[23..20] CLIENT: oauth clients, redirect URIs, grant types, secrets
[19..16] USER: user accounts, role assignment, account states
[15..12] AUDIT: security events and audit trails
[11..8] KEY: signing keys, JWKS, key rotation lifecycle
[7..4] TENANT: organization boundary and tenant scope
[3..0] OPS: platform controls and operational changes
Role Code: end_user
Default Mask: 0x00000000
Required Ability: basic login/session only
Role Code: support
Default Mask: 0xCC8C888C
Required Ability: OPS.READ + USER.READ
Role Code: oauth_admin
Default Mask: 0x8EEC8888
Required Ability: OAUTH.READ + CLIENT.READ
Role Code: security_admin
Default Mask: 0xEEEEEAEE
Required Ability: AUDIT.READ + KEY.READ
Role Code: super_admin
Default Mask: 0xFFFFFFFF
Required Ability: OPS.READ (manage actions require OPS.MANAGE)
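
The nibble layout and default masks above, decoded in Python as an added example (not code from this page or from the product it describes). The page does not say which bit of a nibble means READ or MANAGE, so the example assumes READ is the bit common to every nibble that a role entry lists as <DOMAIN>.READ; all function names are hypothetical.

```python
# Added example: decodes the role masks using the nibble layout listed on this page.
DOMAINS = ["AUTH", "OAUTH", "CLIENT", "USER", "AUDIT", "KEY", "TENANT", "OPS"]  # [31..28] ... [3..0]

# Role code -> (default mask, domains named in "Required Ability" as <DOMAIN>.READ)
ROLES = {
    "end_user": (0x00000000, []),
    "support": (0xCC8C888C, ["OPS", "USER"]),
    "oauth_admin": (0x8EEC8888, ["OAUTH", "CLIENT"]),
    "security_admin": (0xEEEEEAEE, ["AUDIT", "KEY"]),
    "super_admin": (0xFFFFFFFF, ["OPS"]),
}

def decode(mask):
    """Split a 32-bit mask into {domain: nibble}; AUTH is the top nibble."""
    if not isinstance(mask, int) or not 0 <= mask <= 0xFFFFFFFF:
        raise ValueError("mask must be an unsigned 32-bit integer")
    return {d: (mask >> (28 - 4 * i)) & 0xF for i, d in enumerate(DOMAINS)}

def encode(nibbles):
    """Inverse of decode(); domains missing from the dict get 0 (deny by default)."""
    mask = 0
    for i, d in enumerate(DOMAINS):
        value = nibbles.get(d, 0)
        if not 0 <= value <= 0xF:
            raise ValueError(f"{d} nibble out of range")
        mask |= value << (28 - 4 * i)
    return mask

def common_read_bits():
    """AND together every nibble that a role's entry lists as <DOMAIN>.READ."""
    common = 0xF
    for mask, required in ROLES.values():
        for d in required:
            common &= decode(mask)[d]
    return common

# ASSUMPTION: READ is the bit shared by all those nibbles (0x8 for the masks above).
READ = common_read_bits()

def can_enter(role, mask=None):
    """True if mask (default: the role's own) has READ in every required domain."""
    default, required = ROLES[role]
    nibbles = decode(default if mask is None else mask)
    return all(nibbles[d] & READ for d in required)

if __name__ == "__main__":
    for role, (mask, _) in ROLES.items():
        print(f"{role:15} 0x{mask:08X} {decode(mask)} enter={can_enter(role)}")
```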