Authorization roles & permissions


I have two questions.

  1. What are the limitations of each role at the Temporal web / server level? Please describe them.
  • RoleReader
  • RoleWriter
  • RoleAdmin
  • RoleWorker
  2. Among the four Temporal services (frontend, worker, metrics & history), which services give the metrics in Prometheus?
  1. The roles are mostly open-ended placeholders at this point to allow for free interpretation of them by custom authorizers.
    The only exception is that defaultAuthorizer uses definitions of read-only APIs.

  2. All of the services emit metrics.
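
One way a custom authorizer could interpret the four roles, as an added example that is not part of the original reply and not Temporal's own code. The `Claims` type, the role bit values, the `Authorize` function and the read-only API list are local stand-ins constructed for illustration.

```go
package main

import "fmt"

// Role is a bitmask so a caller can hold several roles at once.
// Names follow the roles on this page; bit values are an assumption.
type Role uint8

const (
	RoleWorker Role = 1 << iota
	RoleReader
	RoleWriter
	RoleAdmin
)

// Claims is a hypothetical stand-in for what a claim mapper would
// extract from a caller's token: a cluster-wide role plus per-namespace roles.
type Claims struct {
	System     Role
	Namespaces map[string]Role
}

// readOnlyAPIs is a constructed sample list, not the server's real table.
var readOnlyAPIs = map[string]bool{
	"DescribeWorkflowExecution":   true,
	"ListOpenWorkflowExecutions":  true,
	"GetWorkflowExecutionHistory": true,
}

// Authorize is one possible policy: deny by default, writers and admins
// may call anything, readers may call only read-only APIs. RoleWorker is
// left uninterpreted here, so on its own it grants nothing.
func Authorize(c *Claims, namespace, api string) bool {
	if c == nil {
		return false // no claims means no access
	}
	granted := c.System | c.Namespaces[namespace] // nil map lookup yields 0
	if granted&(RoleWriter|RoleAdmin) != 0 {
		return true
	}
	return granted&RoleReader != 0 && readOnlyAPIs[api]
}

func main() {
	c := &Claims{Namespaces: map[string]Role{"billing": RoleReader, "orders": RoleWriter}}
	fmt.Println(Authorize(c, "billing", "DescribeWorkflowExecution")) // reader, read-only API
	fmt.Println(Authorize(c, "billing", "StartWorkflowExecution"))    // reader, mutating API
	fmt.Println(Authorize(c, "orders", "StartWorkflowExecution"))     // writer
}
```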

Do we have a separate tctl CLI authorization?
Can you please share examples for tctl authorization & claim mapper?