The basic built-in roles and their functions are:
GH_ROLE_ADMIN: An administrative role for everything related to roles. Users assigned this role are able to run rhpctl verb role commands.
GH_SITE_ADMIN: An administrative role for everything related to Rapid Home Provisioning Clients. Users assigned this role are able to run rhpctl verb client commands.
GH_SERIES_ADMIN: An administrative role for everything related to image series. Users assigned this role are able to run rhpctl verb series commands.
GH_SERIES_CONTRIB: Users assigned this role can add images to a series using the rhpctl insertimage series command, or delete images from a series using the rhpctl deleteimage series command.
GH_WC_ADMIN: An administrative role for everything related to working copies. Users assigned this role are able to run rhpctl verb workingcopy commands.
GH_WC_OPER: A role that enables users to create a working copy for themselves or others using the rhpctl add workingcopy command with the -user option (when creating for others). Users assigned this role do not have administrative privileges and can only administer the working copies that they create.
GH_WC_USER: A role that enables users to create a working copy using the rhpctl add workingcopy command. Users assigned this role do not have administrative privileges and can only delete working copies that they create.
GH_IMG_ADMIN: An administrative role for everything related to images. Users assigned this are role are able to run rhpctl verb image commands.
GH_IMG_USER: A role that enables users to create an image using the rhpctl add | import image. Users assigned this role do not have administrative privileges and can only delete images that they create.
GH_IMG_TESTABLE: A role that enables users to add a working copy only when an image is in the TESTABLE state. Users assigned this role must also be assigned either the GH_WC_ADMIN role or the GH_WC_USER role to add a working copy.
GH_IMG_RESTRICT: A role that enables users to add a working copy only when an image is in the RESTRICTED state. Users assigned this role must also be assigned either the GH_WC_ADMIN role or the GH_WC_USER role to add a working copy.
GH_IMG_PUBLISH: Users assigned this role can promote an image to another state or retract an image from the PUBLISHED state to either the TESTABLE or RESTRICTED state.
GH_IMG_VISIBILITY: Users assigned this role can modify access to promoted or published images using the ghctl allow | disallow image commands.