| Name | Members | Maps to |
|---|---|---|
authentik Admins |
1 | Authentik admin role |
authentik Read-only |
0 | Authentik read-only role |
grp-wiki-admin |
3 | Wiki.js group grp-wiki-admin (manage:system) |
pdf-api-Admins |
1 | PDF API service (TBD documented; no Authentik application listed) |
portainer-Admins |
2 | Portainer admin (see Access / Authentik / portainer) |
proxmox-Admins |
1 | Proxmox VE admin (see Access / Authentik / proxmox) |
grp-{service}-{role} is the canonical naming. Apps with claim-name-based
group sync (Wiki.js, GitLab, etc.) get a corresponding group with the
exact same name; permissions are configured on the application side.
Seit 2026-05-01 ergänzt:
grp-pgadmin-user, grp-pgadmin-admingrp-databasement-user, grp-databasement-admingrp-harbor-user, grp-harbor-admingrp-gitlab-user, grp-gitlab-admingrp-nextcloud-user, grp-nextcloud-admingrp-uptime-kuma-admingrp-homepage-user, grp-homepage-admingrp-azuracast-adminAD-Side (für Print-ACLs aus policies/printer-access): GS-Print-Home, GS-Print-Lager, GS-Print-Admin.
Default-Members für jede grp-<app>-admin: A.Korff (pk=28) + L.Korff (pk=32) — siehe memory/policy_admin_groups.