AETHER-2234 move and update aether-roc-umbrella

Change-Id: I7ca845b92dff1fce5fd87d42053a43d80cc55f34
diff --git a/aether-roc-umbrella/Chart.yaml b/aether-roc-umbrella/Chart.yaml
new file mode 100644
index 0000000..00d1281
--- /dev/null
+++ b/aether-roc-umbrella/Chart.yaml
@@ -0,0 +1,76 @@
+# SPDX-FileCopyrightText: 2020-present Open Networking Foundation <info@opennetworking.org>
+#
+# SPDX-License-Identifier: LicenseRef-ONF-Member-Only-1.0
+
+apiVersion: v2
+name: aether-roc-umbrella
+description: Aether ROC Umbrella chart to deploy all Aether ROC
+kubeVersion: ">=1.18.0"
+type: application
+version: 1.3.8
+appVersion: v0.0.0
+keywords:
+  - aether
+  - sdn
+home: https://www.opennetworking.org/aether/
+maintainers:
+  - name: Aether Ops team
+    email: support@opennetworking.org
+dependencies:
+  - name: onos-topo
+    condition: import.onos-topo.enabled
+    repository: https://charts.onosproject.org
+    version: 1.1.102
+  - name: config-model-aether
+    condition: onos-config.models.aether.v2_1.enabled
+    repository: "@aether"
+    version: 2.1.3
+    alias: config-model-aether-2-1-0
+  - name: config-model-aether
+    condition: onos-config.models.aether.v3.enabled
+    repository: "@aether"
+    version: 3.0.13
+    alias: config-model-aether-3-0-0
+  - name: onos-config
+    condition: import.onos-config.enabled
+    repository: https://charts.onosproject.org
+    version: 1.3.4
+  - name: onos-gui
+    condition: import.onos-gui.enabled
+    repository: https://charts.onosproject.org
+    version: 1.0.8
+  - name: onos-cli
+    condition: import.onos-cli.enabled
+    repository: https://charts.onosproject.org
+    version: 1.1.5
+  - name: aether-roc-api
+    condition: import.aether-roc-api.enabled
+    repository: "@aether"
+    version: 1.1.14
+  - name: aether-roc-gui
+    condition: import.aether-roc-gui.v3.enabled
+    repository: "@aether"
+    version: 3.0.23
+    alias: aether-roc-gui-v3
+  - name: sdcore-adapter
+    condition: import.sdcore-adapter.v3.enabled
+    repository: "@aether"
+    version: 3.0.15
+    alias: sdcore-adapter-v3
+  - name: subscriber-proxy
+    condition: import.subscriber-proxy.enabled
+    repository: "@aether"
+    version: 0.0.3
+  - name: nginx
+    alias: sdcore-test-dummy
+    condition: import.sdcore-test-dummy.enabled
+    repository: https://charts.bitnami.com/bitnami
+    version: 8.9.0
+  - name: grafana
+    condition: import.grafana.enabled
+    repository: https://grafana.github.io/helm-charts
+    version: 6.16.6
+  - name: prometheus
+    condition: import.prometheus.enabled
+    repository: https://prometheus-community.github.io/helm-charts
+    version: 14.6.1
diff --git a/aether-roc-umbrella/README.md b/aether-roc-umbrella/README.md
new file mode 100644
index 0000000..8c3df88
--- /dev/null
+++ b/aether-roc-umbrella/README.md
@@ -0,0 +1,84 @@
+<!--
+SPDX-FileCopyrightText: 2020 Open Networking Foundation <info@opennetworking.org>
+
+SPDX-License-Identifier: LicenseRef-ONF-Member-Only-1.0
+-->
+
+## Aether ROC Umbrella chart
+
+First add repos to your Helm client
+```
+stable       	https://charts.helm.sh/stable                        
+cord         	https://charts.opencord.org                          
+atomix       	https://charts.atomix.io                             
+onosproject  	https://charts.onosproject.org                       
+sdran        	https://sdrancharts.onosproject.org                  
+aether       	https://charts.aetherproject.org                     
+cetic        	https://cetic.github.io/helm-charts                  
+bitnami      	https://charts.bitnami.com/bitnami
+```
+
+Provides a [Helm] chart for deploying
+
+* aether-roc-gui (2 versions)
+* aether-roc-api 
+* onos-topo
+* onos-config
+* sdcore-adapter (2 versions)
+* sdcore-test-dummy
+* grafana
+* prometheus
+
+to [Kubernetes].
+> See the [documentation] for more info.
+
+## Config models
+The Aether ROC Umbrella chart controls the Config Model Plugins that are enabled in `onos-config`
+Currently 2 versions of the `Aether` model are loaded:
+
+* aether-2.1.0
+* aether-3.0.0
+
+## Deploy with Authentication enabled
+
+1) install the helm Repo https://cetic.github.io/helm-charts
+2) deploy the [dex-ldap-umbrella](https://github.com/onosproject/onos-helm-charts/tree/master/dex-ldap-umbrella)
+
+Then run:
+```bash
+helm -n micro-onos install aether-roc-umbrella sdran/aether-roc-umbrella \
+--set onos-config.openidc.issuer=http://dex-ldap-umbrella:5556 \
+--set aether-roc-gui.openidc.issuer=http://dex-ldap-umbrella:5556
+```
+
+## Sample Data - MEGA Patch
+Some sample data that works with the `aether-3.0.0` models is available at
+https://github.com/onosproject/aether-roc-api/blob/master/examples/MEGA_Patch.curl
+
+This creates 2 sample enterprises `acme` and `starbucks` with corresponding `sites`,
+`applications`, `device-groups` and `vcs` etc.
+
+## sdcore-test-dummy 
+The chart includes the `sdcore-test-dummy` container for testing the `sdcore-adapter`
+
+> this may be disabled in the chart with `--set import.sdcore-test-dummy.enabled=false`
+
+This runs in the cluster at http://aether-roc-umbrella-sdcore-test-dummy (port 80)
+
+This is a simple nginx server that has been configured to accept POST requests and 
+log their contents. Use `kubectl -n <namespace> logs --follow <pod identifier>` to
+see the POST request contents.
+
+In a configuration of a `connectivity-service` for the 4G/5G model (aether-3.0.0)
+the following values should be set:
+* "core-5g-endpoint": "http://aether-roc-umbrella-sdcore-test-dummy/v1/config/5g",
+
+In a configuration of a `connectivity-service` for the 4G only model (aether-2.1.0)
+the following values should be set:
+* hss-endpoint http://aether-roc-umbrella-sdcore-test-dummy/v1/config/imsis
+* spgwc-endpoint http://aether-roc-umbrella-sdcore-test-dummy/v1/config
+* pcrf-endpoint http://aether-roc-umbrella-sdcore-test-dummy/v1/config policies
+
+[Kubernetes]: https://kubernetes.io/
+[Helm]: https://helm.sh/
+[documentation]: https://docs.onosproject.org/developers/deploy_with_helm/
diff --git a/aether-roc-umbrella/files/dashboards/ue/ue-connectivity.json b/aether-roc-umbrella/files/dashboards/ue/ue-connectivity.json
new file mode 100644
index 0000000..8bb0a7d
--- /dev/null
+++ b/aether-roc-umbrella/files/dashboards/ue/ue-connectivity.json
@@ -0,0 +1,230 @@
+{
+  "dashboard": {
+    "annotations": {
+      "list": [
+        {
+          "builtIn": 1,
+          "datasource": "-- Grafana --",
+          "enable": true,
+          "hide": true,
+          "iconColor": "rgba(0, 211, 255, 1)",
+          "name": "Annotations & Alerts",
+          "type": "dashboard"
+        }
+      ]
+    },
+    "editable": false,
+    "gnetId": null,
+    "graphTooltip": 0,
+    "links": [],
+    "panels": [
+      {
+        "datasource": "datasource-$ORG",
+        "description": "UE Connectivity",
+        "fieldConfig": {
+          "defaults": {
+            "color": {
+              "mode": "palette-classic"
+            },
+            "custom": {
+              "axisLabel": "",
+              "axisPlacement": "auto",
+              "barAlignment": 0,
+              "drawStyle": "line",
+              "fillOpacity": 0,
+              "gradientMode": "none",
+              "hideFrom": {
+                "legend": false,
+                "tooltip": false,
+                "viz": false
+              },
+              "lineInterpolation": "linear",
+              "lineWidth": 1,
+              "pointSize": 5,
+              "scaleDistribution": {
+                "type": "linear"
+              },
+              "showPoints": "auto",
+              "spanNulls": false,
+              "stacking": {
+                "group": "A",
+                "mode": "none"
+              },
+              "thresholdsStyle": {
+                "mode": "off"
+              }
+            },
+            "mappings": [],
+            "thresholds": {
+              "mode": "absolute",
+              "steps": [
+                {
+                  "color": "green",
+                  "value": null
+                },
+                {
+                  "color": "red",
+                  "value": 80
+                }
+              ]
+            }
+          },
+          "overrides": []
+        },
+        "gridPos": {
+          "h": 8,
+          "w": 12,
+          "x": 0,
+          "y": 0
+        },
+        "id": 1,
+        "options": {
+          "legend": {
+            "calcs": [],
+            "displayMode": "list",
+            "placement": "bottom"
+          },
+          "tooltip": {
+            "mode": "single"
+          }
+        },
+        "targets": [
+          {
+            "exemplar": true,
+            "expr": "ue_throughput{id=\"$IMSI\"}",
+            "interval": "",
+            "legendFormat": "Throughput {{slice}} {{direction}} kb/s",
+            "queryType": "randomWalk",
+            "refId": "A"
+          },
+          {
+            "exemplar": true,
+            "expr": "ue_latency{id=\"$IMSI\"} * 1000",
+            "hide": false,
+            "interval": "",
+            "legendFormat": "Latency {{slice}} {{direction}} µs",
+            "refId": "B"
+          }
+        ],
+        "title": "UE $IMSI Throughput and Latency",
+        "type": "timeseries"
+      },
+      {
+        "datasource": "datasource-$ORG",
+        "fieldConfig": {
+          "defaults": {
+            "color": {
+              "mode": "palette-classic"
+            },
+            "custom": {
+              "axisLabel": "",
+              "axisPlacement": "hidden",
+              "barAlignment": 0,
+              "drawStyle": "bars",
+              "fillOpacity": 57,
+              "gradientMode": "hue",
+              "hideFrom": {
+                "legend": false,
+                "tooltip": false,
+                "viz": false
+              },
+              "lineInterpolation": "linear",
+              "lineWidth": 1,
+              "pointSize": 5,
+              "scaleDistribution": {
+                "type": "linear"
+              },
+              "showPoints": "auto",
+              "spanNulls": false,
+              "stacking": {
+                "group": "A",
+                "mode": "none"
+              },
+              "thresholdsStyle": {
+                "mode": "off"
+              }
+            },
+            "mappings": [],
+            "thresholds": {
+              "mode": "absolute",
+              "steps": [
+                {
+                  "color": "green",
+                  "value": null
+                },
+                {
+                  "color": "red",
+                  "value": 80
+                }
+              ]
+            }
+          },
+          "overrides": []
+        },
+        "gridPos": {
+          "h": 9,
+          "w": 12,
+          "x": 0,
+          "y": 8
+        },
+        "id": 2,
+        "options": {
+          "legend": {
+            "calcs": [],
+            "displayMode": "list",
+            "placement": "bottom"
+          },
+          "tooltip": {
+            "mode": "single"
+          }
+        },
+        "targets": [
+          {
+            "exemplar": true,
+            "expr": "smf_pdu_session_profile{id=\"$IMSI\",state=\"active\"}*2",
+            "interval": "",
+            "legendFormat": "Active",
+            "queryType": "randomWalk",
+            "refId": "A"
+          },
+          {
+            "exemplar": true,
+            "expr": "smf_pdu_session_profile{id=\"$IMSI\",state=\"idle\"}*1",
+            "hide": false,
+            "interval": "",
+            "legendFormat": "Idle",
+            "refId": "B"
+          },
+          {
+            "exemplar": true,
+            "expr": "smf_pdu_session_profile{id=\"$IMSI\",state=\"inactive\"}*-1",
+            "hide": false,
+            "interval": "",
+            "legendFormat": "Inactive",
+            "refId": "C"
+          }
+        ],
+        "title": "UE $IMSI Connectivity",
+        "type": "timeseries"
+      }
+    ],
+    "refresh": "",
+    "schemaVersion": 30,
+    "style": "light",
+    "tags": [],
+    "templating": {
+      "list": []
+    },
+    "time": {
+      "from": "now-15m",
+      "to": "now"
+    },
+    "timepicker": {},
+    "timezone": "",
+    "title": "UE $IMSI Connectivity and Throughput",
+    "uid": "ue-$IMSI",
+    "version": 1
+  },
+  "folderUid": "$ORG",
+  "message": "Made changes to $ORG"
+}
\ No newline at end of file
diff --git a/aether-roc-umbrella/files/dashboards/vcs/vcs-performance-all.json b/aether-roc-umbrella/files/dashboards/vcs/vcs-performance-all.json
new file mode 100644
index 0000000..7d0b484
--- /dev/null
+++ b/aether-roc-umbrella/files/dashboards/vcs/vcs-performance-all.json
@@ -0,0 +1,140 @@
+{
+  "dashboard": {
+    "annotations": {
+      "list": [
+        {
+          "builtIn": 1,
+          "datasource": "-- Grafana --",
+          "enable": true,
+          "hide": true,
+          "iconColor": "rgba(0, 211, 255, 1)",
+          "name": "Annotations & Alerts",
+          "type": "dashboard"
+        }
+      ]
+    },
+    "editable": false,
+    "gnetId": null,
+    "graphTooltip": 0,
+    "links": [],
+    "panels": [
+      {
+        "datasource": "datasource-$ORG",
+        "fieldConfig": {
+          "defaults": {
+            "color": {
+              "mode": "palette-classic"
+            },
+            "custom": {
+              "axisLabel": "",
+              "axisPlacement": "auto",
+              "barAlignment": 0,
+              "drawStyle": "line",
+              "fillOpacity": 0,
+              "gradientMode": "none",
+              "hideFrom": {
+                "legend": false,
+                "tooltip": false,
+                "viz": false
+              },
+              "lineInterpolation": "linear",
+              "lineWidth": 1,
+              "pointSize": 5,
+              "scaleDistribution": {
+                "type": "linear"
+              },
+              "showPoints": "auto",
+              "spanNulls": false,
+              "stacking": {
+                "group": "A",
+                "mode": "none"
+              },
+              "thresholdsStyle": {
+                "mode": "off"
+              }
+            },
+            "mappings": [],
+            "thresholds": {
+              "mode": "absolute",
+              "steps": [
+                {
+                  "color": "green",
+                  "value": null
+                },
+                {
+                  "color": "red",
+                  "value": 80
+                }
+              ]
+            }
+          },
+          "overrides": []
+        },
+        "gridPos": {
+          "h": 9,
+          "w": 12,
+          "x": 0,
+          "y": 0
+        },
+        "id": 1,
+        "options": {
+          "legend": {
+            "calcs": [],
+            "displayMode": "list",
+            "placement": "bottom"
+          },
+          "tooltip": {
+            "mode": "single"
+          }
+        },
+        "targets": [
+          {
+            "exemplar": true,
+            "expr": "sum(vcs_jitter{vcs_id=~\"$ORG.*\"})/count(vcs_jitter{vcs_id=~\"$ORG.*\"})*1000",
+            "format": "time_series",
+            "interval": "",
+            "legendFormat": "Jitter (µs)",
+            "queryType": "randomWalk",
+            "refId": "A"
+          },
+          {
+            "exemplar": true,
+            "expr": "sum(vcs_latency{vcs_id=~\"$ORG.*\"})/count(vcs_latency{vcs_id=~\"$ORG.*\"})*1000",
+            "hide": false,
+            "interval": "",
+            "legendFormat": "Latency (µs)",
+            "refId": "B"
+          },
+          {
+            "exemplar": true,
+            "expr": "sum(vcs_throughput{vcs_id=~\"$ORG.*\"})/count(vcs_throughput{vcs_id=~\"$ORG.*\"})",
+            "hide": false,
+            "interval": "",
+            "legendFormat": "Throughput (kb/s)",
+            "refId": "C"
+          }
+        ],
+        "title": "VCS $ORG All",
+        "type": "timeseries"
+      }
+    ],
+    "schemaVersion": 30,
+    "style": "dark",
+    "tags": [],
+    "templating": {
+      "list": []
+    },
+    "time": {
+      "from": "now-15m",
+      "to": "now"
+    },
+    "timepicker": {
+    },
+    "timezone": "",
+    "title": "VCS $ORG All",
+    "uid": "vcs-$ORG-all",
+    "version": 2
+  },
+  "folderUid": "$ORG",
+  "message": "Made changes to $ORG"
+}
\ No newline at end of file
diff --git a/aether-roc-umbrella/files/dashboards/vcs/vcs-performance.json b/aether-roc-umbrella/files/dashboards/vcs/vcs-performance.json
new file mode 100644
index 0000000..8a84890
--- /dev/null
+++ b/aether-roc-umbrella/files/dashboards/vcs/vcs-performance.json
@@ -0,0 +1,141 @@
+{
+  "dashboard": {
+    "annotations": {
+      "list": [
+        {
+          "builtIn": 1,
+          "datasource": "-- Grafana --",
+          "enable": true,
+          "hide": true,
+          "iconColor": "rgba(0, 211, 255, 1)",
+          "name": "Annotations & Alerts",
+          "type": "dashboard"
+        }
+      ]
+    },
+    "description": "",
+    "editable": false,
+    "gnetId": null,
+    "graphTooltip": 0,
+    "links": [],
+    "panels": [
+      {
+        "datasource": "datasource-$ORG",
+        "description": "",
+        "fieldConfig": {
+          "defaults": {
+            "color": {
+              "mode": "palette-classic"
+            },
+            "custom": {
+              "axisLabel": "",
+              "axisPlacement": "auto",
+              "barAlignment": 0,
+              "drawStyle": "line",
+              "fillOpacity": 0,
+              "gradientMode": "none",
+              "hideFrom": {
+                "legend": false,
+                "tooltip": false,
+                "viz": false
+              },
+              "lineInterpolation": "linear",
+              "lineWidth": 1,
+              "pointSize": 5,
+              "scaleDistribution": {
+                "type": "linear"
+              },
+              "showPoints": "auto",
+              "spanNulls": false,
+              "stacking": {
+                "group": "A",
+                "mode": "none"
+              },
+              "thresholdsStyle": {
+                "mode": "off"
+              }
+            },
+            "mappings": [],
+            "thresholds": {
+              "mode": "absolute",
+              "steps": [
+                {
+                  "color": "green",
+                  "value": null
+                },
+                {
+                  "color": "red",
+                  "value": 80
+                }
+              ]
+            }
+          },
+          "overrides": []
+        },
+        "gridPos": {
+          "h": 8,
+          "w": 12,
+          "x": 0,
+          "y": 0
+        },
+        "id": 1,
+        "links": [],
+        "options": {
+          "legend": {
+            "calcs": [],
+            "displayMode": "list",
+            "placement": "bottom"
+          },
+          "tooltip": {
+            "mode": "single"
+          }
+        },
+        "targets": [
+          {
+            "exemplar": true,
+            "expr": "vcs_jitter{vcs_id=\"$VCS\"}*1000",
+            "interval": "",
+            "legendFormat": "Jitter (µs)",
+            "refId": "A"
+          },
+          {
+            "exemplar": true,
+            "expr": "vcs_latency{vcs_id=\"$VCS\"}*1000",
+            "hide": false,
+            "interval": "",
+            "legendFormat": "Latency (µs)",
+            "refId": "B"
+          },
+          {
+            "exemplar": true,
+            "expr": "vcs_throughput{vcs_id=\"$VCS\"}",
+            "hide": false,
+            "interval": "",
+            "legendFormat": "Throughput (kb/s)",
+            "refId": "C"
+          }
+        ],
+        "title": "VCS $VCS Performance",
+        "type": "timeseries"
+      }
+    ],
+    "refresh": "",
+    "schemaVersion": 30,
+    "style": "light",
+    "tags": [],
+    "templating": {
+      "list": []
+    },
+    "time": {
+      "from": "now-15m",
+      "to": "now"
+    },
+    "timepicker": {},
+    "timezone": "",
+    "title": "VCS $VCS Performance",
+    "uid": "vcs-$VCS",
+    "version": 1
+  },
+  "folderUid": "$ORG",
+  "message": "Made changes to $ORG"
+}
diff --git a/aether-roc-umbrella/files/dashboards/vcs/vcs-ue-connectivity.json b/aether-roc-umbrella/files/dashboards/vcs/vcs-ue-connectivity.json
new file mode 100644
index 0000000..7185d4a
--- /dev/null
+++ b/aether-roc-umbrella/files/dashboards/vcs/vcs-ue-connectivity.json
@@ -0,0 +1,139 @@
+{
+  "dashboard": {
+    "annotations": {
+      "list": [
+        {
+          "builtIn": 1,
+          "datasource": "-- Grafana --",
+          "enable": true,
+          "hide": true,
+          "iconColor": "rgba(0, 211, 255, 1)",
+          "name": "Annotations & Alerts",
+          "type": "dashboard"
+        }
+      ]
+    },
+    "editable": false,
+    "gnetId": null,
+    "graphTooltip": 0,
+    "links": [],
+    "panels": [
+      {
+        "datasource": "datasource-$ORG",
+        "description": "Stacked time-series of UE's connected to slice by active, inactive and idle",
+        "fieldConfig": {
+          "defaults": {
+            "color": {
+              "mode": "palette-classic"
+            },
+            "custom": {
+              "axisLabel": "",
+              "axisPlacement": "auto",
+              "barAlignment": 0,
+              "drawStyle": "bars",
+              "fillOpacity": 56,
+              "gradientMode": "none",
+              "hideFrom": {
+                "legend": false,
+                "tooltip": false,
+                "viz": false
+              },
+              "lineInterpolation": "linear",
+              "lineWidth": 1,
+              "pointSize": 5,
+              "scaleDistribution": {
+                "type": "linear"
+              },
+              "showPoints": "auto",
+              "spanNulls": false,
+              "stacking": {
+                "group": "A",
+                "mode": "normal"
+              },
+              "thresholdsStyle": {
+                "mode": "off"
+              }
+            },
+            "mappings": [],
+            "thresholds": {
+              "mode": "absolute",
+              "steps": [
+                {
+                  "color": "green",
+                  "value": null
+                },
+                {
+                  "color": "red",
+                  "value": 80
+                }
+              ]
+            }
+          },
+          "overrides": []
+        },
+        "gridPos": {
+          "h": 9,
+          "w": 12,
+          "x": 0,
+          "y": 0
+        },
+        "id": 1,
+        "options": {
+          "legend": {
+            "calcs": [],
+            "displayMode": "list",
+            "placement": "bottom"
+          },
+          "tooltip": {
+            "mode": "single"
+          }
+        },
+        "targets": [
+          {
+            "exemplar": true,
+            "expr": "sum(smf_pdu_session_profile{slice=\"$VCS\",state=\"active\"})",
+            "interval": "",
+            "legendFormat": "Active",
+            "queryType": "randomWalk",
+            "refId": "A"
+          },
+          {
+            "exemplar": true,
+            "expr": "sum(smf_pdu_session_profile{slice=\"$VCS\",state=\"inactive\"})",
+            "hide": false,
+            "interval": "",
+            "legendFormat": "Inactive",
+            "refId": "B"
+          },
+          {
+            "exemplar": true,
+            "expr": "sum(smf_pdu_session_profile{slice=\"$VCS\",state=\"idle\"})",
+            "hide": false,
+            "interval": "",
+            "legendFormat": "Idle",
+            "refId": "C"
+          }
+        ],
+        "title": "VCS $VCS UE Connectivity Stacked",
+        "type": "timeseries"
+      }
+    ],
+    "schemaVersion": 30,
+    "style": "light",
+    "tags": [],
+    "templating": {
+      "list": []
+    },
+    "time": {
+      "from": "now-15m",
+      "to": "now"
+    },
+    "timepicker": {},
+    "timezone": "",
+    "title": "VCS $VCS UE Connectivity",
+    "uid": "$VCS-ue-conn",
+    "version": 1
+  },
+  "folderUid": "$ORG",
+  "message": "Made changes to $ORG"
+}
\ No newline at end of file
diff --git a/aether-roc-umbrella/files/opa-rbac/aether-2.1.0.rego b/aether-roc-umbrella/files/opa-rbac/aether-2.1.0.rego
new file mode 100644
index 0000000..9c2ec1b
--- /dev/null
+++ b/aether-roc-umbrella/files/opa-rbac/aether-2.1.0.rego
@@ -0,0 +1,133 @@
+# SPDX-FileCopyrightText: 2021-present Open Networking Foundation <info@opennetworking.org>
+#
+# SPDX-License-Identifier: LicenseRef-ONF-Member-Only-1.0
+
+package aether_2_1_0
+
+echo[config] {
+    config := input
+}
+
+allowed[config] {
+    access_profile := access_profiles # refer to rule below
+    subscriber := subscribers
+    apn_profile := apn_profiles
+    connectivity_service := connectivityservices
+    enterprise := enterprises
+    qos_profile := qos_profiles
+    security_profile := security_profiles
+    service_profile := service_profiles
+    service_group := service_groups
+    service_policy := service_policies
+    service_rule := service_rules
+    up_profile := up_profiles
+    config := {
+        "access_profile": {
+            "access_profile": [
+                access_profile
+            ]
+        },
+        "subscriber": {
+            "ue": [
+                subscriber
+            ]
+        },
+        "apn_profile": {
+            "apn_profile": [
+                apn_profile
+            ]
+        },
+        "connectivity-service": {
+            "connectivity-service": [
+                connectivity_service
+            ]
+        },
+        "enterprise": {
+            "enterprise": [
+                enterprise
+            ]
+        },
+        "qos_profile": {
+            "qos_profile": [
+                qos_profile
+            ]
+        },
+        "security_profile": {
+            "security_profile": [
+                security_profile
+            ]
+        },
+        "service_profile": {
+            "service_profile": [
+                service_profile
+            ]
+        },
+        "service_group": {
+            "service_group": [
+                service_group
+            ]
+        },
+        "service_policy": {
+            "service_policy": [
+                service_policy
+            ]
+        },
+        "service_rule": {
+            "service_rule": [
+                service_rule
+            ]
+        },
+        "up_profile": {
+            "up_profile": [
+                up_profile
+            ]
+        },
+    }
+}
+
+access_profiles[access_profile] {
+    access_profile := input.access_profile.access_profile[_]
+}
+
+subscribers[subscriber] {
+    subscriber := input.subscriber.ue[_]
+}
+
+apn_profiles[apn_profile] {
+    apn_profile := input.apn_profile.apn_profile[_]
+}
+
+connectivityservices[connectivity_service] {
+    enterprise := input.enterprise.enterprise[_]
+    enterprise_cs := enterprise.connectivity_service[_]
+    connectivity_service := input.connectivity_service.connectivity_service[_]
+    ["AetherROCAdmin", enterprise.id][_] == input.groups[i]
+    enterprise_cs.connectivity_service == connectivity_service.id
+}
+
+enterprises[enterprise] {
+    enterprise := input.enterprise.enterprise[_]
+    ["AetherROCAdmin", enterprise.id][_] == input.groups[_]
+}
+
+qos_profiles[qos_profile] {
+    qos_profile := input.qos_profile.qos_profile[_]
+}
+security_profiles[security_profile] {
+    security_profile := input.security_profile.security_profile[_]
+}
+service_profiles[service_profile] {
+    service_profile := input.service_profile.service_profile[_]
+}
+service_groups[service_group] {
+    service_group := input.service_group.service_group[_]
+}
+service_policies[service_policy] {
+    service_policy := input.service_policy.service_policy[_]
+}
+service_rules[service_rule] {
+    service_rule := input.service_rule.service_rule[_]
+}
+up_profiles[up_profile] {
+    up_profile := input.up_profile.up_profile[_]
+}
\ No newline at end of file
diff --git a/aether-roc-umbrella/files/opa-rbac/aether-3.0.0.rego b/aether-roc-umbrella/files/opa-rbac/aether-3.0.0.rego
new file mode 100644
index 0000000..29df86e
--- /dev/null
+++ b/aether-roc-umbrella/files/opa-rbac/aether-3.0.0.rego
@@ -0,0 +1,149 @@
+# SPDX-FileCopyrightText: 2021-present Open Networking Foundation <info@opennetworking.org>
+#
+# SPDX-License-Identifier: LicenseRef-ONF-Member-Only-1.0
+
+package aether_3_0_0
+
+echo[config] {
+    config := input
+}
+
+allowed[config] {
+    ap_list := ap_lists # refer to rule below
+    application := applications
+    connectivity_service := connectivityservices
+    device_group := devicegroups
+    enterprise := enterprises
+    ip_domain := ip_domains
+    network := networks
+    site := sites
+    template := templates
+    traffic_class := trafficclasses
+    upf := upfs
+    vcs := vcss
+    config := {
+        "ap-list": {
+            "ap-list": [
+                ap_list
+            ]
+        },
+        "application": {
+            "application": [
+                application
+            ]
+        },
+        "connectivity-service": {
+            "connectivity-service": [
+                connectivity_service
+            ]
+        },
+        "device-group": {
+            "device-group": [
+                device_group
+            ]
+        },
+        "enterprise": {
+            "enterprise": [
+                enterprise
+            ]
+        },
+        "ip-domain": {
+            "ip-domain": [
+                ip_domain
+            ]
+        },
+        "network": {
+            "network": [
+                network
+            ]
+        },
+        "site": {
+            "site": [
+                site
+            ]
+        },
+        "template": {
+            "template": [
+                template
+            ]
+        },
+        "traffic_class": {
+            "traffic_class": {
+                traffic_class
+            }
+        },
+        "upf": {
+            "upf": [
+                upf
+            ]
+        },
+        "vcs": {
+            "vcs": [
+                vcs
+            ]
+        }
+    }
+}
+
+ap_lists[ap_list] {
+    ap_list := input.ap_list.ap_list[_]
+    ["AetherROCAdmin", ap_list.enterprise][_] == input.groups[i]
+}
+
+applications[application] {
+    application := input.application.application[_]
+    ["AetherROCAdmin", application.enterprise][_] == input.groups[i]
+}
+
+connectivityservices[connectivity_service] {
+    connectivity_service := input.connectivity_service.connectivity_service[_]
+}
+
+devicegroups[device_group] {
+    device_group := input.device_group.device_group[_]
+    site := sites
+    device_group.site == site[_].id # allow only the device_groups of a known site
+}
+
+enterprises[enterprise] {
+    enterprise := input.enterprise.enterprise[_]
+    ["AetherROCAdmin", enterprise.id][_] == input.groups[i]
+}
+
+ip_domains[ip_domain] {
+    ip_domain := input.ip_domain.ip_domain[_]
+    ["AetherROCAdmin", ip_domain.enterprise][_] == input.groups[i]
+}
+
+networks[network] {
+    network := input.network.network[_]
+    ["AetherROCAdmin", network.enterprise][_] == input.groups[i]
+}
+
+sites[site] {
+    site := input.site.site[_]
+    ["AetherROCAdmin", site.enterprise][_] == input.groups[i]
+}
+
+templates[template] {
+    template := input.template.template[_]
+}
+
+trafficclasses[traffic_class] {
+    traffic_class := input.traffic_class.traffic_class[_]
+}
+
+upfs[upf] {
+    upf := input.upf.upf[_]
+    ["AetherROCAdmin", upf.enterprise][_] == input.groups[i]
+}
+
+vcss[vcs] {
+    vcs := input.vcs.vcs[_]
+    ["AetherROCAdmin", vcs.enterprise][_] == input.groups[i]
+}
+
+can_update_enterprise = true {
+    update_enterprise := input.updates.enterprise.enterprise[_]
+    ["AetherROCAdmin", update_enterprise.id][_] == input.groups[i]
+}
diff --git a/aether-roc-umbrella/files/opa-rbac/test/aether-2.1.0-example-get.json b/aether-roc-umbrella/files/opa-rbac/test/aether-2.1.0-example-get.json
new file mode 100644
index 0000000..385eb95
--- /dev/null
+++ b/aether-roc-umbrella/files/opa-rbac/test/aether-2.1.0-example-get.json
@@ -0,0 +1,906 @@
+{
+  "groups": [
+    "mixedGroup",
+    "AetherROCAdmin",
+    "EnterpriseAdmin"
+  ],
+  "access_profile": {
+    "access_profile": [
+      {
+        "description": "access profile that allows all access",
+        "display_name": "Access All",
+        "filter": "null",
+        "id": "access_all",
+        "type": "allow_all"
+      },
+      {
+        "description": "access profile that only allows access to the apps network",
+        "display_name": "Only Apps Network",
+        "filter": "only^apps^network",
+        "id": "apps_only",
+        "type": "specific_network"
+      },
+      {
+        "description": "exclude an app from contacting a specific destination",
+        "display_name": "Exclude App By Name",
+        "filter": "exclude_app_name",
+        "id": "excluding_app",
+        "type": "excluding_this_app"
+      },
+      {
+        "description": "access profile that allows Internet access only",
+        "display_name": "Internet Access Only",
+        "filter": "No^private^network",
+        "id": "internet_only",
+        "type": "internet_only"
+      },
+      {
+        "description": "access profile that allows intranet access only",
+        "display_name": "Private Network Only",
+        "filter": "only^private^network",
+        "id": "intranet_only",
+        "type": "intranet_only"
+      },
+      {
+        "description": "access profile that allows internet only",
+        "display_name": "Access Profile 1",
+        "filter": "null",
+        "id": "profile_access_demo_1",
+        "type": "allow_all"
+      },
+      {
+        "description": "allow an app to contact a specific destination",
+        "display_name": "Allow App By Name",
+        "filter": "allow_app_name",
+        "id": "specific_app",
+        "type": "specific_destination_only"
+      }
+    ]
+  },
+  "apn_profile": {
+    "apn_profile": [
+      {
+        "apn_name": "internet",
+        "description": "Ciena Internet APN config",
+        "display_name": "Ciena Internet",
+        "dns_primary": "10.24.7.11",
+        "dns_secondary": "1.1.1.1",
+        "gx_enabled": true,
+        "id": "apn_internet_ciena",
+        "mtu": 1460,
+        "service_group": "internet"
+      },
+      {
+        "apn_name": "internet",
+        "description": "Cornell1 Internet APN config",
+        "display_name": "Cornell1 Internet",
+        "dns_primary": "10.68.128.11",
+        "dns_secondary": "1.1.1.1",
+        "gx_enabled": true,
+        "id": "apn_internet_cornell1",
+        "mtu": 1460,
+        "service_group": "internet"
+      },
+      {
+        "apn_name": "internet",
+        "description": "Default Internet APN config",
+        "display_name": "Default Internet",
+        "dns_primary": "1.1.1.1",
+        "dns_secondary": "8.8.8.8",
+        "gx_enabled": true,
+        "id": "apn_internet_default",
+        "mtu": 1460,
+        "service_group": "internet"
+      },
+      {
+        "apn_name": "internet",
+        "description": "Intel Internet APN config",
+        "display_name": "Intel Internet",
+        "dns_primary": "10.212.74.139",
+        "dns_secondary": "10.212.87.15",
+        "gx_enabled": true,
+        "id": "apn_internet_intel",
+        "mtu": 1460,
+        "service_group": "internet"
+      },
+      {
+        "apn_name": "internet",
+        "description": "ONF Menlo Internet APN config",
+        "display_name": "ONF Menlo Internet",
+        "dns_primary": "10.53.128.11",
+        "dns_secondary": "1.1.1.1",
+        "gx_enabled": true,
+        "id": "apn_internet_menlo",
+        "mtu": 1460,
+        "service_group": "internet"
+      },
+      {
+        "apn_name": "internet",
+        "description": "Princeton1 Internet APN config",
+        "display_name": "Princeton1 Internet",
+        "dns_primary": "10.70.128.11",
+        "dns_secondary": "1.1.1.1",
+        "gx_enabled": true,
+        "id": "apn_internet_princeton1",
+        "mtu": 1460,
+        "service_group": "internet"
+      },
+      {
+        "apn_name": "internet",
+        "description": "Stanford1 Internet APN config",
+        "display_name": "Stanford1 Internet",
+        "dns_primary": "10.65.128.11",
+        "dns_secondary": "1.1.1.1",
+        "gx_enabled": true,
+        "id": "apn_internet_stanford1",
+        "mtu": 1460,
+        "service_group": "internet"
+      },
+      {
+        "apn_name": "internet",
+        "description": "Stanford2 Internet APN config",
+        "display_name": "Stanford2 Internet",
+        "dns_primary": "10.67.128.11",
+        "dns_secondary": "1.1.1.1",
+        "gx_enabled": true,
+        "id": "apn_internet_stanford2",
+        "mtu": 1460,
+        "service_group": "internet"
+      },
+      {
+        "apn_name": "internet",
+        "description": "Telefonica Internet APN config",
+        "display_name": "Telefonica Internet",
+        "dns_primary": "10.82.128.11",
+        "dns_secondary": "1.1.1.1",
+        "gx_enabled": true,
+        "id": "apn_internet_tef",
+        "mtu": 1460,
+        "service_group": "internet"
+      },
+      {
+        "apn_name": "internet",
+        "description": "ONF Tucson Internet APN config",
+        "display_name": "ONF Tucson Internet",
+        "dns_primary": "10.59.128.11",
+        "dns_secondary": "1.1.1.1",
+        "gx_enabled": true,
+        "id": "apn_internet_tucson",
+        "mtu": 1460,
+        "service_group": "internet"
+      },
+      {
+        "apn_name": "internet",
+        "description": "the default APN profile",
+        "display_name": "APN Profile 1",
+        "dns_primary": "8.8.8.4",
+        "dns_secondary": "8.8.8.8",
+        "gx_enabled": true,
+        "id": "apn_profile1",
+        "mtu": 1460,
+        "service_group": "internet"
+      },
+      {
+        "apn_name": "internet",
+        "description": "the default APN profile",
+        "display_name": "APN Profile 1",
+        "dns_primary": "8.8.4.4",
+        "dns_secondary": "8.8.8.8",
+        "gx_enabled": true,
+        "id": "profile_apn_demo_1",
+        "mtu": 1460,
+        "service_group": "internet"
+      }
+    ]
+  },
+  "connectivity_service": {
+    "connectivity_service": [
+      {
+        "description": "Connectivity service endpoints",
+        "display_name": "Connectivity Service 1",
+        "hss_endpoint": "http://aether_roc_umbrella_sdcore_test_dummy/v1/config/imsis",
+        "id": "connectivity_service_demo_1",
+        "pcrf_endpoint": "http://aether_roc_umbrella_sdcore_test_dummy/v1/config/policies",
+        "spgwc_endpoint": "http://aether_roc_umbrella_sdcore_test_dummy/v1/config"
+      },
+      {
+        "description": "Connectivity service endpoints",
+        "display_name": "Connectivity Service v1",
+        "hss_endpoint": "http://aether_roc_umbrella_sdcore_test_dummy/v1/config",
+        "id": "connectivity_service_v1",
+        "spgwc_endpoint": "http://aether_roc_umbrella_sdcore_test_dummy/v1/config"
+      }
+    ]
+  },
+  "enterprise": {
+    "enterprise": [
+      {
+        "connectivity_service": [
+          {
+            "connectivity_service": "connectivity_service_v1",
+            "enabled": true
+          }
+        ],
+        "description": "Aether _ Ciena",
+        "display_name": "Aether _ Ciena",
+        "id": "aether_ciena"
+      },
+      {
+        "connectivity_service": [
+          {
+            "connectivity_service": "connectivity_service_v1",
+            "enabled": true
+          }
+        ],
+        "description": "Aether _ Intel",
+        "display_name": "Aether _ Intel",
+        "id": "aether_intel"
+      },
+      {
+        "connectivity_service": [
+          {
+            "connectivity_service": "connectivity_service_v1",
+            "enabled": true
+          }
+        ],
+        "description": "Aether _ NTT",
+        "display_name": "Aether _ NTT",
+        "id": "aether_ntt"
+      },
+      {
+        "connectivity_service": [
+          {
+            "connectivity_service": "connectivity_service_v1",
+            "enabled": true
+          }
+        ],
+        "description": "Aether _ Open Networking Foundation",
+        "display_name": "Aether _ ONF",
+        "id": "aether_onf"
+      },
+      {
+        "connectivity_service": [
+          {
+            "connectivity_service": "connectivity_service_v1",
+            "enabled": true
+          }
+        ],
+        "description": "Aether _ Telefonica",
+        "display_name": "Aether _ Telefonica",
+        "id": "aether_tef"
+      },
+      {
+        "connectivity_service": [
+          {
+            "connectivity_service": "connectivity_service_demo_1",
+            "enabled": true
+          }
+        ],
+        "description": "Enterprise configuration",
+        "display_name": "Enterprise 1",
+        "id": "enterprise_demo_1"
+      },
+      {
+        "connectivity_service": [
+          {
+            "connectivity_service": "connectivity_service_v1",
+            "enabled": true
+          }
+        ],
+        "description": "Pronto _ Cornell",
+        "display_name": "Pronto _ Cornell",
+        "id": "pronto_cornell"
+      },
+      {
+        "connectivity_service": [
+          {
+            "connectivity_service": "connectivity_service_v1",
+            "enabled": true
+          }
+        ],
+        "description": "Pronto _ Princeton",
+        "display_name": "Pronto _ Princeton",
+        "id": "pronto_princeton"
+      },
+      {
+        "connectivity_service": [
+          {
+            "connectivity_service": "connectivity_service_v1",
+            "enabled": true
+          }
+        ],
+        "description": "Pronto _ Stanford",
+        "display_name": "Pronto _ Stanford",
+        "id": "pronto_stanford"
+      }
+    ]
+  },
+  "qos_profile": {
+    "qos_profile": [
+      {
+        "apn_ambr": {
+          "downlink": 12345678,
+          "uplink": 12345678
+        },
+        "description": "qos profile for demo",
+        "display_name": "QOS Profile 1",
+        "id": "profile_qos_demo_1"
+      },
+      {
+        "apn_ambr": {
+          "downlink": 12345678,
+          "uplink": 12345678
+        },
+        "description": "low bitrate internet service",
+        "display_name": "QOS Profile 1",
+        "id": "qos_profile1"
+      }
+    ]
+  },
+  "security_profile": {
+    "security_profile": [
+      {
+        "description": "default security profile",
+        "display_name": "Default Security Profile",
+        "id": "profile_security_default_1",
+        "key": "000102030405060708090a0b0c0d0e0f",
+        "opc": "69d5c2eb2e2e624750541d3bbc692ba5",
+        "sqn": 135
+      },
+      {
+        "description": "security profile for demo",
+        "display_name": "Security Profile 1",
+        "id": "profile_security_demo_1",
+        "key": "465b5ce8b199b49faa5f0a2ee238a6bc",
+        "opc": "d4416644f6154936193433dd20a0ace0",
+        "sqn": 96
+      },
+      {
+        "description": "NTT security profile",
+        "display_name": "NTT Security Profile",
+        "id": "profile_security_ntt_1",
+        "key": "ACB9E480B30DC12C6BDD26BE882D2940",
+        "opc": "F5929B14A34AD906BC44D205242CD182",
+        "sqn": 135
+      },
+      {
+        "description": "Telefonica security profile",
+        "display_name": "Telefonica Security Profile",
+        "id": "profile_security_tef_1",
+        "key": "83BBE53DFA050D9648C1D14937FC1AC3",
+        "opc": "346EF56C902AF38E5E4C4E3A0B0C2497",
+        "sqn": 135
+      }
+    ]
+  },
+  "service_group": {
+    "service_group": [
+      {
+        "description": "Internet service",
+        "id": "internet",
+        "service_policies": [
+          {
+            "kind": "default",
+            "service_policy": "be_internet_access"
+          }
+        ]
+      },
+      {
+        "description": "Menlo high definition camera service",
+        "id": "iot_hd_camera_menlo",
+        "service_policies": [
+          {
+            "kind": "default",
+            "service_policy": "video_non_gbr_1"
+          }
+        ]
+      }
+    ]
+  },
+  "service_policy": {
+    "service_policy": [
+      {
+        "ambr": {
+          "downlink": 20000000,
+          "uplink": 100000
+        },
+        "arp": 1,
+        "id": "be_internet_access",
+        "qci": 9,
+        "rules": [
+          {
+            "enabled": true,
+            "rule": "best_effort_internet_access"
+          }
+        ]
+      },
+      {
+        "ambr": {
+          "downlink": 20000000,
+          "uplink": 100000
+        },
+        "arp": 1,
+        "id": "video_non_gbr_1",
+        "qci": 7,
+        "rules": [
+          {
+            "enabled": true,
+            "rule": "video_non_gbr_1"
+          }
+        ]
+      }
+    ]
+  },
+  "service_rule": {
+    "service_rule": [
+      {
+        "charging_rule_name": "best_effort_internet_access",
+        "description": "rule for enabling best effort internet",
+        "flow": {
+          "specification": "permit out ip 0.0.0.0/0 to assigned"
+        },
+        "id": "best_effort_internet_access",
+        "qos": {
+          "aggregate_maximum_bitrate": {
+            "downlink": 10240000,
+            "uplink": 1024000
+          },
+          "arp": {
+            "preemption_capability": true,
+            "preemption_vulnerability": true,
+            "priority": 1
+          },
+          "guaranteed_bitrate": {
+            "downlink": 1,
+            "uplink": 1
+          },
+          "maximum_requested_bandwidth": {
+            "downlink": 5120000,
+            "uplink": 512000
+          },
+          "qci": 9
+        }
+      },
+      {
+        "charging_rule_name": "video_non_gbr_1",
+        "description": "rule for non_gbr video",
+        "flow": {
+          "specification": "permit out ip 0.0.0.0/0 to assigned"
+        },
+        "id": "video_non_gbr_1",
+        "qos": {
+          "aggregate_maximum_bitrate": {
+            "downlink": 5555,
+            "uplink": 4444
+          },
+          "arp": {
+            "preemption_capability": true,
+            "preemption_vulnerability": true,
+            "priority": 1
+          },
+          "guaranteed_bitrate": {
+            "downlink": 2222,
+            "uplink": 1111
+          },
+          "maximum_requested_bandwidth": {
+            "downlink": 3456,
+            "uplink": 2345
+          },
+          "qci": 9
+        }
+      }
+    ]
+  },
+  "subscriber": {
+    "ue": [
+      {
+        "display_name": "Telefonica subscriber match rule",
+        "enabled": true,
+        "enterprise": "aether_tef",
+        "id": "0debf047_8416_4539_9abf_02a0d7e7f9a3",
+        "imsi_range_from": "722070000002441",
+        "imsi_range_to": "722070000002450",
+        "priority": 5,
+        "profiles": {
+          "access_profile": [
+            {
+              "access_profile": "access_all",
+              "allowed": true
+            }
+          ],
+          "apn_profile": "apn_internet_tef",
+          "qos_profile": "qos_profile1",
+          "security_profile": "profile_security_tef_1",
+          "up_profile": "tef"
+        },
+        "serving_plmn": {
+          "mcc": 722,
+          "mnc": 7,
+          "tac": 110
+        }
+      },
+      {
+        "display_name": "Stanford2 subscriber match rule",
+        "enabled": true,
+        "enterprise": "pronto_stanford",
+        "id": "1c6852e6_5b12_413a_9fa5_c631c644136c",
+        "imsi_range_from": "315010202000001",
+        "imsi_range_to": "315010202000020",
+        "priority": 5,
+        "profiles": {
+          "access_profile": [
+            {
+              "access_profile": "access_all",
+              "allowed": true
+            }
+          ],
+          "apn_profile": "apn_internet_stanford2",
+          "qos_profile": "qos_profile1",
+          "security_profile": "profile_security_default_1",
+          "up_profile": "stanford2"
+        },
+        "serving_plmn": {
+          "mcc": 315,
+          "mnc": 10,
+          "tac": 603
+        }
+      },
+      {
+        "display_name": "Princeton1 subscriber match rule",
+        "enabled": true,
+        "enterprise": "pronto_princeton",
+        "id": "30f77900_18b1_480c_a419_031956d83a9c",
+        "imsi_range_from": "315010204000001",
+        "imsi_range_to": "315010204000020",
+        "priority": 5,
+        "profiles": {
+          "access_profile": [
+            {
+              "access_profile": "access_all",
+              "allowed": true
+            }
+          ],
+          "apn_profile": "apn_internet_princeton1",
+          "qos_profile": "qos_profile1",
+          "security_profile": "profile_security_default_1",
+          "up_profile": "princeton1"
+        },
+        "serving_plmn": {
+          "mcc": 315,
+          "mnc": 10,
+          "tac": 605
+        }
+      },
+      {
+        "display_name": "Stanford1 subscriber match rule",
+        "enabled": true,
+        "enterprise": "pronto_stanford",
+        "id": "415d0496_6926_4a49_b0f1_69ef1742fd5d",
+        "imsi_range_from": "315010201000001",
+        "imsi_range_to": "315010201000020",
+        "priority": 5,
+        "profiles": {
+          "access_profile": [
+            {
+              "access_profile": "access_all",
+              "allowed": true
+            }
+          ],
+          "apn_profile": "apn_internet_stanford1",
+          "qos_profile": "qos_profile1",
+          "security_profile": "profile_security_default_1",
+          "up_profile": "stanford1"
+        },
+        "serving_plmn": {
+          "mcc": 315,
+          "mnc": 10,
+          "tac": 601
+        }
+      },
+      {
+        "display_name": "Ciena subscriber match rule",
+        "enabled": true,
+        "enterprise": "aether_ciena",
+        "id": "4c814a64_c592_468e_9435_b60f225f97ff",
+        "imsi_range_from": "315010101000001",
+        "imsi_range_to": "315010101000010",
+        "priority": 5,
+        "profiles": {
+          "access_profile": [
+            {
+              "access_profile": "access_all",
+              "allowed": true
+            }
+          ],
+          "apn_profile": "apn_internet_ciena",
+          "qos_profile": "qos_profile1",
+          "security_profile": "profile_security_default_1",
+          "up_profile": "ciena"
+        },
+        "serving_plmn": {
+          "mcc": 315,
+          "mnc": 10,
+          "tac": 5
+        }
+      },
+      {
+        "display_name": "Cornell1 subscriber match rule",
+        "enabled": true,
+        "enterprise": "pronto_cornell",
+        "id": "554b4c5b_de49_4868_ba7e_f428aefc0984",
+        "imsi_range_from": "315010203000001",
+        "imsi_range_to": "315010203000020",
+        "priority": 5,
+        "profiles": {
+          "access_profile": [
+            {
+              "access_profile": "access_all",
+              "allowed": true
+            }
+          ],
+          "apn_profile": "apn_internet_cornell1",
+          "qos_profile": "qos_profile1",
+          "security_profile": "profile_security_default_1",
+          "up_profile": "cornell1"
+        },
+        "serving_plmn": {
+          "mcc": 315,
+          "mnc": 10,
+          "tac": 607
+        }
+      },
+      {
+        "display_name": "Subscriber Match Rule 1",
+        "enabled": true,
+        "enterprise": "enterprise_demo_1",
+        "id": "5fc0bfc8_4ecc_11eb_b8e7_6f6e6f732d63",
+        "imsi_range_from": "208014567891200",
+        "imsi_range_to": "208014567891300",
+        "priority": 5,
+        "profiles": {
+          "access_profile": [
+            {
+              "access_profile": "profile_access_demo_1",
+              "allowed": true
+            }
+          ],
+          "apn_profile": "profile_apn_demo_1",
+          "qos_profile": "profile_qos_demo_1",
+          "security_profile": "profile_security_demo_1",
+          "up_profile": "profile_up_demo_1"
+        },
+        "serving_plmn": {
+          "mcc": 208,
+          "mnc": 10,
+          "tac": 1
+        }
+      },
+      {
+        "id": "8d92f0cf_d83d_482c_866d_f53ee1426622",
+        "profiles": {
+          "access_profile": [
+            {
+              "access_profile": "access_all",
+              "allowed": false
+            }
+          ],
+          "apn_profile": "apn_internet_intel",
+          "qos_profile": "profile_qos_demo_1",
+          "security_profile": "profile_security_ntt_1",
+          "up_profile": "cornell1"
+        }
+      },
+      {
+        "display_name": "Intel subscriber match rule 1",
+        "enabled": true,
+        "enterprise": "aether_intel",
+        "id": "c6711eb4_5210_4d94_b83c_0f890dc21c31",
+        "imsi_range_from": "315010888812341",
+        "imsi_range_to": "315010888812346",
+        "priority": 5,
+        "profiles": {
+          "access_profile": [
+            {
+              "access_profile": "access_all",
+              "allowed": true
+            }
+          ],
+          "apn_profile": "apn_internet_intel",
+          "qos_profile": "qos_profile1",
+          "security_profile": "profile_security_default_1",
+          "up_profile": "intel"
+        },
+        "serving_plmn": {
+          "mcc": 315,
+          "mnc": 10,
+          "tac": 101
+        }
+      },
+      {
+        "display_name": "ONF Tucson subscriber match rule",
+        "enabled": true,
+        "enterprise": "aether_onf",
+        "id": "cbdb20c1_c3d7_47e3_a1a1_7465c8ad6ff1",
+        "imsi_range_from": "315010999912301",
+        "imsi_range_to": "315010999912303",
+        "priority": 5,
+        "profiles": {
+          "access_profile": [
+            {
+              "access_profile": "access_all",
+              "allowed": true
+            }
+          ],
+          "apn_profile": "apn_internet_tucson",
+          "qos_profile": "qos_profile1",
+          "security_profile": "profile_security_default_1",
+          "up_profile": "tucson"
+        },
+        "serving_plmn": {
+          "mcc": 315,
+          "mnc": 10,
+          "tac": 222
+        }
+      },
+      {
+        "display_name": "NTT subscriber match rule",
+        "enabled": true,
+        "enterprise": "aether_ntt",
+        "id": "e8b4f8ea_cd9c_4ae7_a1df_15ee82cc4dc6",
+        "imsi_range_from": "999002999970951",
+        "imsi_range_to": "999002999971950",
+        "priority": 5,
+        "profiles": {
+          "access_profile": [
+            {
+              "access_profile": "access_all",
+              "allowed": true
+            }
+          ],
+          "apn_profile": "apn_internet_default",
+          "qos_profile": "qos_profile1",
+          "security_profile": "profile_security_ntt_1",
+          "up_profile": "ntt"
+        },
+        "serving_plmn": {
+          "mcc": 999,
+          "mnc": 2,
+          "tac": 1
+        }
+      },
+      {
+        "display_name": "ONF Menlo subscriber match rule",
+        "enabled": true,
+        "enterprise": "aether_onf",
+        "id": "f2ba8cc0_e593_403b_a130_f18a99018f6e",
+        "imsi_range_from": "315010999912341",
+        "imsi_range_to": "315010999912356",
+        "priority": 5,
+        "profiles": {
+          "access_profile": [
+            {
+              "access_profile": "access_all",
+              "allowed": true
+            }
+          ],
+          "apn_profile": "apn_internet_menlo",
+          "qos_profile": "qos_profile1",
+          "security_profile": "profile_security_default_1",
+          "up_profile": "menlo"
+        },
+        "serving_plmn": {
+          "mcc": 315,
+          "mnc": 10,
+          "tac": 203
+        }
+      },
+      {
+        "display_name": "Intel subscriber match rule 2",
+        "enabled": true,
+        "enterprise": "aether_intel",
+        "id": "f5a0929f_b4a4_4f34_8bd5_52c57eeb4a50",
+        "imsi_range_from": "315010102000001",
+        "imsi_range_to": "315010102000002",
+        "priority": 5,
+        "profiles": {
+          "access_profile": [
+            {
+              "access_profile": "access_all",
+              "allowed": true
+            }
+          ],
+          "apn_profile": "apn_internet_intel",
+          "qos_profile": "qos_profile1",
+          "security_profile": "profile_security_default_1",
+          "up_profile": "intel"
+        },
+        "serving_plmn": {
+          "mcc": 315,
+          "mnc": 10,
+          "tac": 101
+        }
+      }
+    ]
+  },
+  "up_profile": {
+    "up_profile": [
+      {
+        "access_control": "none",
+        "description": "User plane profile for Ciena",
+        "display_name": "Ciena",
+        "id": "ciena",
+        "user_plane": "pfcp_agent.omec.svc.prd.ciena.aetherproject.net"
+      },
+      {
+        "access_control": "none",
+        "description": "User plane profile for Cornell1",
+        "display_name": "Cornell1",
+        "id": "cornell1",
+        "user_plane": "pfcp_agent.omec.svc.prd.cornell1.aetherproject.net"
+      },
+      {
+        "access_control": "none",
+        "description": "User plane profile for Intel",
+        "display_name": "Intel",
+        "id": "intel",
+        "user_plane": "upf.omec.svc.prd.intel.aetherproject.net"
+      },
+      {
+        "access_control": "none",
+        "description": "User plane profile for ONF Menlo",
+        "display_name": "ONF Menlo",
+        "id": "menlo",
+        "user_plane": "pfcp_agent.omec.svc.prd.menlo.aetherproject.net"
+      },
+      {
+        "access_control": "none",
+        "description": "User plane profile for NTT",
+        "display_name": "NTT",
+        "id": "ntt",
+        "user_plane": "upf.omec.svc.prd.ntt.aetherproject.net"
+      },
+      {
+        "access_control": "none",
+        "description": "User plane profile for Princeton1",
+        "display_name": "Princeton1",
+        "id": "princeton1",
+        "user_plane": "pfcp_agent.omec.svc.prd.princeton1.aetherproject.net"
+      },
+      {
+        "access_control": "none",
+        "description": "user_plane profile for spgwu1",
+        "display_name": "UP Profile 1",
+        "id": "profile_up_demo_1",
+        "user_plane": "upf_headless"
+      },
+      {
+        "access_control": "none",
+        "description": "User plane profile for Stanford1",
+        "display_name": "Stanford1",
+        "id": "stanford1",
+        "user_plane": "pfcp_agent.omec.svc.prd.stanford1.aetherproject.net"
+      },
+      {
+        "access_control": "none",
+        "description": "User plane profile for Stanford2",
+        "display_name": "Stanford2",
+        "id": "stanford2",
+        "user_plane": "pfcp_agent.omec.svc.prd.stanford2.aetherproject.net"
+      },
+      {
+        "access_control": "none",
+        "description": "User plane profile for Telefonica",
+        "display_name": "Telefonica",
+        "id": "tef",
+        "user_plane": "upf.omec.svc.prd.tef.aetherproject.net"
+      },
+      {
+        "access_control": "none",
+        "description": "User plane profile for ONF Tucson",
+        "display_name": "ONF Tucson",
+        "id": "tucson",
+        "user_plane": "upf.omec.svc.prd.tucson.aetherproject.net"
+      }
+    ]
+  }
+}
diff --git a/aether-roc-umbrella/files/opa-rbac/test/aether-3.0.0-example-basic.json b/aether-roc-umbrella/files/opa-rbac/test/aether-3.0.0-example-basic.json
new file mode 100644
index 0000000..7acd0cf
--- /dev/null
+++ b/aether-roc-umbrella/files/opa-rbac/test/aether-3.0.0-example-basic.json
@@ -0,0 +1,28 @@
+{
+  "groups": [
+    "mixedGroup",
+    "AetherROCAdmin"
+  ],
+  "template": {
+    "template": [
+      {
+        "description": "do",
+        "display-name": "laborum fugiat",
+        "downlink": 322694552,
+        "id": "aliquip",
+        "sd": 14628949,
+        "sst": 1,
+        "uplink": 1607714163
+      },
+      {
+        "description": "do",
+        "display-name": "quattro fugiat",
+        "downlink": 322694552,
+        "id": "quattro",
+        "sd": 14628949,
+        "sst": 1,
+        "uplink": 1607714163
+      }
+    ]
+  }
+}
diff --git a/aether-roc-umbrella/files/opa-rbac/test/aether-3.0.0-example-get.json b/aether-roc-umbrella/files/opa-rbac/test/aether-3.0.0-example-get.json
new file mode 100644
index 0000000..5341f75
--- /dev/null
+++ b/aether-roc-umbrella/files/opa-rbac/test/aether-3.0.0-example-get.json
@@ -0,0 +1,494 @@
+{
+  "groups": [
+    "mixedGroup",
+    "acme"
+  ],
+  "ap_list": {
+    "ap_list": [
+      {
+        "access_points": [
+          {
+            "address": "ap1^seattle^starbucks^com",
+            "enable": true,
+            "tac": 654
+          },
+          {
+            "address": "ap2^seattle^starbucks^com",
+            "enable": true,
+            "tac": 87475
+          }
+        ],
+        "description": "Seattle APs",
+        "display_name": "Seattle",
+        "enterprise": "starbucks",
+        "id": "starbucks_seattle_aps"
+      },
+      {
+        "access_points": [
+          {
+            "address": "ap2^newyork^starbucks^com",
+            "enable": true,
+            "tac": 8002
+          }
+        ],
+        "description": "New York APs",
+        "display_name": "New York",
+        "enterprise": "starbucks",
+        "id": "starbucks_newyork_aps"
+      },
+      {
+        "access_points": [
+          {
+            "address": "ap2^chicago^acme^com",
+            "enable": true,
+            "tac": 8002
+          }
+        ],
+        "description": "Chicago APs",
+        "display_name": "Chicago",
+        "enterprise": "acme",
+        "id": "acme_chicago_aps"
+      }
+    ]
+  },
+  "application": {
+    "application": [
+      {
+        "description": "Network Video Recorder",
+        "display_name": "NVR",
+        "enterprise": "starbucks",
+        "endpoint": [
+          {
+            "address": "nvr.starbucks.com",
+            "name": "rtsp",
+            "port_end": 3316,
+            "port_start": 3330,
+            "protocol": "UDP"
+          }
+        ],
+        "id": "starbucks_nvr"
+      },
+      {
+        "description": "Fidelio POS",
+        "display_name": "Fidelio",
+        "enterprise": "starbucks",
+        "endpoint": [
+          {
+            "address": "fidelio.starbucks.com",
+            "name": "fidelio",
+            "port_end": 7585,
+            "port_start": 7588,
+            "protocol": "TCP"
+          }
+        ],
+        "id": "starbucks_fidelio"
+      },
+      {
+        "description": "Data Acquisition",
+        "display_name": "DA",
+        "enterprise": "acme",
+        "endpoint": [
+          {
+            "address": "da.acme.com",
+            "name": "da",
+            "port_end": 7585,
+            "port_start": 7588,
+            "protocol": "TCP"
+          }
+        ],
+        "id": "acme_dataacquisition"
+      }
+    ]
+  },
+  "connectivity_service": {
+    "connectivity_service": [
+      {
+        "core_5g_endpoint": "http://aether_roc_umbrella_sdcore_test_dummy/v1/config/5g",
+        "description": "5G Test",
+        "display_name": "ROC 5G Test Connectivity Service",
+        "id": "cs5gtest"
+      },
+      {
+        "description": "ROC 4G Test Connectivity Service",
+        "display_name": "4G Test",
+        "hss_endpoint": "http://aether_roc_umbrella_sdcore_test_dummy/v1/config/imsis",
+        "id": "cs4gtest",
+        "pcrf_endpoint": "http://aether_roc_umbrella_sdcore_test_dummy/v1/config/policies",
+        "spgwc_endpoint": "http://aether_roc_umbrella_sdcore_test_dummy/v1/config"
+      }
+    ]
+  },
+  "device_group": {
+    "device_group": [
+      {
+        "display_name": "Seattle Cameras",
+        "id": "starbucks_seattle_cameras",
+        "imsis": [
+          {
+            "imsi_range_from": 170029313275000,
+            "imsi_range_to": 170029313275003,
+            "name": "counters"
+          },
+          {
+            "imsi_range_from": 170029313275010,
+            "imsi_range_to": 170029313275014,
+            "name": "store"
+          }
+        ],
+        "ip_domain": "starbucks_seattle",
+        "site": "starbucks_seattle"
+      },
+      {
+        "display_name": "Seattle POS",
+        "id": "starbucks_seattle_pos",
+        "imsis": [
+          {
+            "imsi_range_from": 170029313275020,
+            "imsi_range_to": 170029313275022,
+            "name": "tills"
+          },
+          {
+            "imsi_range_from": 170029313275030,
+            "imsi_range_to": 170029313275034,
+            "name": "store"
+          }
+        ],
+        "ip_domain": "starbucks_seattle",
+        "site": "starbucks_seattle"
+      },
+      {
+        "display_name": "New York Cameras",
+        "id": "starbucks_newyork_cameras",
+        "imsis": [
+          {
+            "imsi_range_from": 170029313275040,
+            "imsi_range_to": 170029313275041,
+            "name": "front"
+          },
+          {
+            "imsi_range_from": 170029313275050,
+            "imsi_range_to": 170029313275055,
+            "name": "store"
+          }
+        ],
+        "ip_domain": "starbucks_newyork",
+        "site": "starbucks_newyork"
+      },
+      {
+        "display_name": "New York POS",
+        "id": "starbucks_newyork_pos",
+        "imsis": [
+          {
+            "imsi_range_from": 170029313275060,
+            "imsi_range_to": 170029313275061,
+            "name": "tills"
+          },
+          {
+            "imsi_range_from": 170029313275070,
+            "imsi_range_to": 170029313275073,
+            "name": "store"
+          }
+        ],
+        "ip_domain": "starbucks_newyork",
+        "site": "starbucks_newyork"
+      },
+      {
+        "display_name": "ACME Robots",
+        "id": "acme_chicago_robots",
+        "imsis": [
+          {
+            "imsi_range_from": 13698808332993000,
+            "imsi_range_to": 13698808332993003,
+            "name": "production"
+          },
+          {
+            "imsi_range_from": 13698808332993010,
+            "imsi_range_to": 13698808332993012,
+            "name": "warehouse"
+          }
+        ],
+        "ip_domain": "acme_chicago",
+        "site": "acme_chicago"
+      }
+    ]
+  },
+  "enterprise": {
+    "enterprise": [
+      {
+        "connectivity_service": [
+          {
+            "connectivity_service": "cs5gtest",
+            "enabled": true
+          }
+        ],
+        "description": "ACME Corporation",
+        "display_name": "ACME Corp",
+        "id": "acme"
+      },
+      {
+        "connectivity_service": [
+          {
+            "connectivity_service": "cs5gtest",
+            "enabled": true
+          },
+          {
+            "connectivity_service": "cs4gtest",
+            "enabled": false
+          }
+        ],
+        "description": "Starbucks Corporation",
+        "display_name": "Starbucks Inc.",
+        "id": "starbucks"
+      }
+    ]
+  },
+  "ip_domain": {
+    "ip_domain": [
+      {
+        "admin_status": "ENABLE",
+        "description": "New York IP Domain",
+        "display_name": "New York",
+        "dns_primary": "8.8.8.1",
+        "dns_secondary": "8.8.8.2",
+        "id": "starbucks_newyork",
+        "mtu": 57600,
+        "subnet": "254.186.117.251/31"
+      },
+      {
+        "admin_status": "ENABLE",
+        "description": "Seattle IP Domain",
+        "display_name": "Seattle",
+        "dns_primary": "8.8.8.3",
+        "dns_secondary": "8.8.8.3",
+        "id": "starbucks_seattle",
+        "mtu": 12690,
+        "subnet": "196.5.91.0/31"
+      },
+      {
+        "admin_status": "DISABLE",
+        "description": "Chicago IP Domain",
+        "display_name": "Chicago",
+        "dns_primary": "8.8.8.4",
+        "dns_secondary": "8.8.8.4",
+        "id": "acme_chicago",
+        "mtu": 12690,
+        "subnet": "163.25.44.0/31"
+      }
+    ]
+  },
+  "network": {
+    "network": [
+      {
+        "description": "New York 21_32",
+        "display_name": "New York",
+        "id": "starbucks_newyork",
+        "enterprise": "starbucks",
+        "mcc": 21,
+        "mnc": 32
+      },
+      {
+        "description": "Seattle 265_122",
+        "display_name": "Seattle",
+        "id": "starbucks_seattle",
+        "enterprise": "starbucks",
+        "mcc": 265,
+        "mnc": 122
+      },
+      {
+        "description": "Chicago 123_456",
+        "display_name": "Chicago",
+        "id": "acme_chicago",
+        "enterprise": "acme",
+        "mcc": 123,
+        "mnc": 456
+      }
+    ]
+  },
+  "site": {
+    "site": [
+      {
+        "description": "ACME HQ",
+        "display_name": "Chicago",
+        "enterprise": "acme",
+        "id": "acme_chicago",
+        "network": "acme_chicago"
+      },
+      {
+        "description": "Starbucks Corp HQ",
+        "display_name": "Seattle",
+        "enterprise": "starbucks",
+        "id": "starbucks_seattle",
+        "network": "starbucks_seattle"
+      },
+      {
+        "description": "Starbucks New York",
+        "display_name": "New York",
+        "enterprise": "starbucks",
+        "id": "starbucks_newyork",
+        "network": "starbucks_newyork"
+      }
+    ]
+  },
+  "template": {
+    "template": [
+      {
+        "description": "VCS Template 1",
+        "display_name": "Template 1",
+        "downlink": 24669539,
+        "id": "template_1",
+        "sd": 10886763,
+        "sst": 158,
+        "traffic_class": "class_1",
+        "uplink": 23770218
+      },
+      {
+        "description": "VCS Template 2",
+        "display_name": "Template 2",
+        "downlink": 2791589,
+        "id": "template_2",
+        "sd": 16619900,
+        "sst": 157,
+        "traffic_class": "class_2",
+        "uplink": 24721051
+      }
+    ]
+  },
+  "traffic_class": {
+    "traffic_class": [
+      {
+        "description": "High Priority TC",
+        "display_name": "Class 1",
+        "id": "class_1",
+        "pdb": 577,
+        "pelr": 3,
+        "qci": 10
+      },
+      {
+        "description": "Medium Priority TC",
+        "display_name": "Class 2",
+        "id": "class_2",
+        "pdb": 831,
+        "pelr": 4,
+        "qci": 20
+      },
+      {
+        "description": "Low Priority TC",
+        "display_name": "Class 3",
+        "id": "class_3",
+        "pdb": 833,
+        "pelr": 4,
+        "qci": 30
+      }
+    ]
+  },
+  "upf": {
+    "upf": [
+      {
+        "address": "seattle.cameras_upf.starbucks.com",
+        "description": "Seattle Cameras UPF",
+        "display_name": "Seattle Cameras",
+        "id": "starbucks_seattle_cameras",
+        "enterprise": "starbucks",
+        "port": 9229
+      },
+      {
+        "address": "newyork.cameras_upf.starbucks.com",
+        "description": "New York Cameras UPF",
+        "display_name": "New York Cameras",
+        "id": "starbucks_newyork_cameras",
+        "enterprise": "starbucks",
+        "port": 6161
+      },
+      {
+        "address": "chicago.robots_upf.acme.com",
+        "description": "Chicago Robots UPF",
+        "display_name": "Chicago Robots",
+        "id": "acme_chicago_robots",
+        "enterprise": "acme",
+        "port": 6161
+      }
+    ]
+  },
+  "vcs": {
+    "vcs": [
+      {
+        "ap": "starbucks_newyork_aps",
+        "application": [
+          {
+            "allow": true,
+            "application": "starbucks_nvr"
+          }
+        ],
+        "description": "New York Cameras",
+        "device_group": [
+          {
+            "enable": true,
+            "device_group": "starbucks_newyork_cameras"
+          }
+        ],
+        "display_name": "NY Cams",
+        "downlink": 948091966,
+        "enterprise": "starbucks",
+        "id": "starbucks_newyork_cameras",
+        "sd": 8284729,
+        "sst": 127,
+        "template": "template_1",
+        "traffic_class": "class_1",
+        "upf": "starbucks_newyork_cameras",
+        "uplink": 38997335
+      },
+      {
+        "ap": "starbucks_seattle_aps",
+        "application": [
+          {
+            "allow": false,
+            "application": "starbucks_nvr"
+          }
+        ],
+        "description": "Seattle Cameras",
+        "device_group": [
+          {
+            "enable": true,
+            "device_group": "starbucks_seattle_cameras"
+          }
+        ],
+        "display_name": "Seattle Cams",
+        "downlink": 28492626,
+        "enterprise": "starbucks",
+        "id": "starbucks_seattle_cameras",
+        "sd": 2973238,
+        "sst": 79,
+        "template": "template_2",
+        "traffic_class": "class_2",
+        "upf": "starbucks_seattle_cameras",
+        "uplink": 13227287
+      },
+      {
+        "ap": "acme_chicago_aps",
+        "application": [
+          {
+            "allow": false,
+            "application": "acme_dataacquisition"
+          }
+        ],
+        "description": "Chicago Robots",
+        "device_group": [
+          {
+            "enable": true,
+            "device_group": "acme_chicago_robots"
+          }
+        ],
+        "display_name": "Chicago Robots VCS",
+        "downlink": 28492626,
+        "enterprise": "acme",
+        "id": "acme_chicago_robots",
+        "sd": 2973238,
+        "sst": 79,
+        "template": "template_2",
+        "traffic_class": "class_2",
+        "upf": "acme_chicago_robots",
+        "uplink": 13227287
+      }
+    ]
+  }
+}
diff --git a/aether-roc-umbrella/files/opa-rbac/test/aether-3.0.0-example-set.json b/aether-roc-umbrella/files/opa-rbac/test/aether-3.0.0-example-set.json
new file mode 100644
index 0000000..07f5914
--- /dev/null
+++ b/aether-roc-umbrella/files/opa-rbac/test/aether-3.0.0-example-set.json
@@ -0,0 +1,362 @@
+{
+  "groups": [
+    "admin",
+    "dolor"
+  ],
+  "updates": {
+    "site": {
+      "site": [
+        {
+          "description": "pariatur culpa",
+          "display-name": "occaecat nostrud",
+          "enterprise": "dolor",
+          "id": "newsite",
+          "network": "irur"
+        }
+      ]
+    }
+  },
+  "deletes": {
+    "site": {
+      "site": [
+        {
+          "id": "officia"
+        }
+      ]
+    }
+  },
+  "ap-list": {
+    "ap-list": [
+      {
+        "access-points": [
+          {
+            "address": "laborum.commodo.incididunt",
+            "enable": false,
+            "tac": 69373985
+          },
+          {
+            "address": "id.ipsum",
+            "enable": false,
+            "tac": 87809475
+          }
+        ],
+        "description": "incididunt aliqua ex nulla",
+        "display-name": "cupidatat aliquip",
+        "id": "deserunt"
+      },
+      {
+        "access-points": [
+          {
+            "address": "labore.aliqua.dolor.consequat",
+            "enable": false,
+            "tac": 80083302
+          },
+          {
+            "address": "qui.sed",
+            "enable": false,
+            "tac": 13929603
+          }
+        ],
+        "description": "cupidatat tempor magna",
+        "display-name": "occaecat et deserunt consequat",
+        "id": "tempor"
+      }
+    ]
+  },
+  "application": {
+    "application": [
+      {
+        "description": "Ut velit est",
+        "display-name": "do",
+        "endpoint": [
+          {
+            "address": "mollit.ipsum",
+            "name": "esse",
+            "port-end": 33167231,
+            "port-start": 27761544,
+            "protocol": "UDP"
+          },
+          {
+            "address": "cupidatat.reprehend",
+            "name": "ullamco",
+            "port-end": 19527413,
+            "port-start": 28793871,
+            "protocol": "UDP"
+          }
+        ],
+        "id": "occaecat"
+      },
+      {
+        "description": "amet ad quis",
+        "display-name": "sit ex Ut aliqua",
+        "endpoint": [
+          {
+            "address": "ut.veniam.id.non",
+            "name": "consectetur",
+            "port-end": 31037585,
+            "port-start": 8018682,
+            "protocol": "TCP"
+          },
+          {
+            "address": "nulla.consectet",
+            "name": "sint",
+            "port-end": 25299216,
+            "port-start": 6645928,
+            "protocol": "TCP"
+          }
+        ],
+        "id": "incididunt"
+      }
+    ]
+  },
+  "connectivity-service": {
+    "connectivity-service": [
+      {
+        "core-5g-endpoint": "ut culpa velit",
+        "description": "magna in",
+        "display-name": "cillum occaecat amet ad adipisicing",
+        "hss-endpoint": "eu sed est nisi",
+        "id": "repre",
+        "pcrf-endpoint": "nostrud eiusmod Ut Lorem",
+        "spgwc-endpoint": "eiusmod aute quis"
+      },
+      {
+        "core-5g-endpoint": "voluptate consectetur ut",
+        "description": "Ut incididunt ex id labore",
+        "display-name": "qui Lorem elit",
+        "hss-endpoint": "adipisicing incididunt consequat mollit",
+        "id": "irure",
+        "pcrf-endpoint": "sit incididunt sunt Duis",
+        "spgwc-endpoint": "nisi magna do reprehenderit"
+      }
+    ]
+  },
+  "device_group": {
+    "device_group": [
+      {
+        "display-name": "tempor ut",
+        "id": "amet",
+        "imsis": [
+          {
+            "imsi-range-from": 170029313275000,
+            "imsi-range-to": 69764015096000,
+            "name": "enim"
+          },
+          {
+            "imsi-range-from": 116299798497000,
+            "imsi-range-to": 22297092854800,
+            "name": "ad"
+          }
+        ],
+        "ip-domain": "qui",
+        "site": "inc"
+      },
+      {
+        "display-name": "nisi mollit dolore dolor",
+        "id": "Lorem",
+        "imsis": [
+          {
+            "imsi-range-from": 13698808332993000,
+            "imsi-range-to": 7746018722749000,
+            "name": "magna"
+          },
+          {
+            "imsi-range-from": 4087876837971489000,
+            "imsi-range-to": 10492416481328000,
+            "name": "reprehenderit"
+          }
+        ],
+        "ip-domain": "labore",
+        "site": "officia"
+      }
+    ]
+  },
+  "enterprise": {
+    "enterprise": [
+      {
+        "connectivity-service": [
+          {
+            "connectivity-service": "repre",
+            "enabled": true
+          },
+          {
+            "connectivity-service": "irure",
+            "enabled": true
+          }
+        ],
+        "description": "minim et",
+        "display-name": "laborum in",
+        "id": "dolor"
+      },
+      {
+        "connectivity-service": [
+          {
+            "connectivity-service": "irure",
+            "enabled": false
+          },
+          {
+            "connectivity-service": "repre",
+            "enabled": false
+          }
+        ],
+        "description": "consequat minim magna",
+        "display-name": "laboris incididunt dolore",
+        "id": "labore"
+      }
+    ]
+  },
+  "ip-domain": {
+    "ip-domain": [
+      {
+        "admin-status": "DISABLE",
+        "description": "culpa enim exercitation sit consequat",
+        "display-name": "dolo",
+        "dns-primary": "8.8.8.1",
+        "dns-secondary": "8.8.8.2",
+        "id": "qui",
+        "mtu": 57600,
+        "subnet": "254.186.117.251/31"
+      },
+      {
+        "admin-status": "DISABLE",
+        "description": "nulla ut",
+        "display-name": "adipisicing",
+        "dns-primary": "8.8.8.3",
+        "dns-secondary": "8.8.8.3",
+        "id": "labore",
+        "mtu": 12690,
+        "subnet": "196.5.91.0/31"
+      }
+    ]
+  },
+  "network": {
+    "network": [
+      {
+        "description": "aliquip Lorem dolor",
+        "display-name": "minim labore ex",
+        "id": "elit",
+        "mcc": 21,
+        "mnc": 32
+      },
+      {
+        "description": "laborum occaecat ut",
+        "display-name": "consequat ea",
+        "id": "irur",
+        "mcc": 265,
+        "mnc": 122
+      }
+    ]
+  },
+  "site": {
+    "site": [
+      {
+        "description": "pariatur culpa",
+        "display-name": "occaecat nostrud",
+        "enterprise": "dolor",
+        "id": "inc",
+        "network": "irur"
+      },
+      {
+        "description": "in dolor",
+        "display-name": "consequat est",
+        "enterprise": "labore",
+        "id": "officia",
+        "network": "elit"
+      }
+    ]
+  },
+  "template": {
+    "template": [
+      {
+        "description": "enim ",
+        "display-name": "do labore laborum elit",
+        "downlink": 24669539,
+        "id": "magn",
+        "sd": 10886763,
+        "sst": 158,
+        "traffic-class": "consectetur in cillum",
+        "uplink": 23770218
+      },
+      {
+        "description": "aute dolore dolo",
+        "display-name": "quis pariatur dolore magna commodo",
+        "downlink": 2791589,
+        "id": "aliqua",
+        "sd": 16619900,
+        "sst": 157,
+        "traffic-class": "dolor in in et",
+        "uplink": 24721051
+      }
+    ]
+  },
+  "upf": {
+    "upf": [
+      {
+        "address": "sed.officia.magna.ut",
+        "description": "commodo ea ullamco Excepteur cillum",
+        "display-name": "in aliqua deserunt Ut",
+        "id": "dol",
+        "port": 77359229
+      },
+      {
+        "address": "incididunt",
+        "description": "veniam",
+        "display-name": "in laborum ut",
+        "id": "magna",
+        "port": 14326161
+      }
+    ]
+  },
+  "vcs": {
+    "vcs": [
+      {
+        "ap": "deserunt",
+        "application": [
+          {
+            "allow": true,
+            "application": "occaecat"
+          },
+          {
+            "allow": true,
+            "application": "incididunt"
+          }
+        ],
+        "description": "deserunt in magna Lorem",
+        "device_group": "amet",
+        "display-name": "quis e",
+        "downlink": 948091966,
+        "id": "quad",
+        "sd": 8284729,
+        "sst": 127,
+        "template": "magn",
+        "traffic-class": "non ut",
+        "upf": "magna",
+        "uplink": 38997335
+      },
+      {
+        "ap": "tempor",
+        "application": [
+          {
+            "allow": false,
+            "application": "occaecat"
+          },
+          {
+            "allow": false,
+            "application": "incididunt"
+          }
+        ],
+        "description": "elit Ut",
+        "device-group": "Lorem",
+        "display-name": "veniam exercitation ea",
+        "downlink": 28492626,
+        "id": "mollit",
+        "sd": 2973238,
+        "sst": 79,
+        "template": "aliqua",
+        "traffic-class": "eiusmod Ut ullamco laboris ea",
+        "upf": "dol",
+        "uplink": 13227287
+      }
+    ]
+  }
+}
\ No newline at end of file
diff --git a/aether-roc-umbrella/files/scripts/README.md b/aether-roc-umbrella/files/scripts/README.md
new file mode 100644
index 0000000..a576835
--- /dev/null
+++ b/aether-roc-umbrella/files/scripts/README.md
@@ -0,0 +1,30 @@
+<!--
+SPDX-FileCopyrightText: 2020 Open Networking Foundation <info@opennetworking.org>
+
+SPDX-License-Identifier: LicenseRef-ONF-Member-Only-1.0
+-->
+
+# Creating new Org with VCS
+To create a new Organization and VCS, call the grafana-create-orgs.sh script
+
+> If you want to add at startup, instead add them to the `values.yaml` under `grafana.orgs`.
+
+Call the script like:
+
+`grafana-create-orgs.sh <ADMINUSER> <ADMINPASS> <umbrella-chart-name> <grafana-server> <dashboard-folder> orgs...`
+
+e.g.
+```bash
+PATH=$PATH:. grafana-create-orgs.sh admin Ts8k0hvsZZD058JsqOl8w332YUNs8GAAEpYWCmJu aether-roc-umbrella localhost:8183/grafana \
+  ../dashboards/vcs "siemens[siemens-munich-cameras siemens-mannheim-cameras siemens-mannheim-labs]"
+```
+
+1) cd in to this `scripts` directory
+
+1) specify the Org and VCS's like `"org1[vcs1 vcs2]" "org2[vcs1 vcs2]"` 
+
+1) To get the Grafana password use
+    1) `kubectl get secret --namespace micro-onos aether-roc-umbrella-grafana -o jsonpath="{.data.admin-password}" | base64 --decode ; echo`
+
+1) Port forward `aether-roc-gui` to get grafana on `localhost:8183/grafana`
+    1) `kubectl -n micro-onos port-forward $(kubectl -n micro-onos get pods -l type=arg -o name) 8183:80`
diff --git a/aether-roc-umbrella/files/scripts/grafana-create-device-group.sh b/aether-roc-umbrella/files/scripts/grafana-create-device-group.sh
new file mode 100755
index 0000000..7a136e6
--- /dev/null
+++ b/aether-roc-umbrella/files/scripts/grafana-create-device-group.sh
@@ -0,0 +1,58 @@
+#!/bin/bash
+# SPDX-FileCopyrightText: 2021-present Open Networking Foundation <info@opennetworking.org>
+#
+# SPDX-License-Identifier: LicenseRef-ONF-Member-Only-1.0
+
+# script to create Grafana VCS dashboards
+# Usage:
+# grafana-create-vcs.sh <ADMINUSER> <ADMINPASS> <grafana-server> <dashboards-folder> <org> <list of vcs>...
+set -e
+#set -x
+set -o pipefail
+set -u
+
+if [ "$#" -lt 6 ]; then
+  echo "At least 6 args are needed. Got $#"
+  exit 1
+fi
+ADMINUSER=$1
+ADMINPASS=$2
+SERVICE=$3
+FOLDER=$4
+export ORG=$5
+shift
+shift
+shift
+shift
+shift
+for dg in "$@"; do
+  DG=${dg%:map\[*\]} # Remove DG details from end
+  DG=${DG#map[} # Remove "map[" from the front
+  DGASCII=${DG//[^a-zA-Z0-9]/_} # Convert to underscore
+  IMSIS=${dg#map[${DG}:map\[} # Remove DG name from start
+  IMSIS=${IMSIS%\]\]} # Remove ] from the end
+  IMSIS=${IMSIS//;/ }
+  echo "Creating Device Group $DG ($DGASCII) in $ORG"
+  for imsirange in $IMSIS; do
+    echo "Creating Imsi Range $imsirange in $DG"
+    RANGENAME=${imsirange%:*} # Remove range from end
+    RANGEVALUE=${imsirange#*:}
+    declare -i RANGESTART=${RANGEVALUE%-*} # Remove the finish
+    declare -i RANGEFINISH=${RANGEVALUE#*-} # Remove the start
+    COUNTER=$RANGESTART
+    f=$FOLDER/ue-connectivity.json
+    while [  $COUNTER -le $RANGEFINISH ]; do
+        echo "Creating Dashboard from $f for $COUNTER"
+        export IMSI=$COUNTER
+        DASHBOARD=$(envsubst < $f)
+        /usr/bin/curl -s -o /tmp/curlout -H "Content-Type: application/json" -d "$DASHBOARD" http://$ADMINUSER:$ADMINPASS@$SERVICE/api/dashboards/db
+        SUCCESS=`echo $?`
+        echo "SUCCESS $SUCCESS"
+        cat /tmp/curlout
+      let COUNTER=COUNTER+1
+    done
+  done
+  SUCCESS=-1
+  ORGID=-1
+
+done
diff --git a/aether-roc-umbrella/files/scripts/grafana-create-orgs.sh b/aether-roc-umbrella/files/scripts/grafana-create-orgs.sh
new file mode 100755
index 0000000..a6e14e1
--- /dev/null
+++ b/aether-roc-umbrella/files/scripts/grafana-create-orgs.sh
@@ -0,0 +1,89 @@
+#!/bin/bash
+# SPDX-FileCopyrightText: 2021-present Open Networking Foundation <info@opennetworking.org>
+#
+# SPDX-License-Identifier: LicenseRef-ONF-Member-Only-1.0
+
+# script to create Grafana Orgs
+# Usage:
+# grafana-create-orgs.sh <ADMINUSER> <ADMINPASS> <umbrella-chart-name> <grafana-server> <dashboard-folder> orgs...
+# where org is a quoted string containing org name and then in square brackets a list of vcs
+# e.g. "acme[acme-chicago-robots acme-chicago-cameras]"
+set -e
+#set -x
+set -o pipefail
+set -u
+
+if [ "$#" -lt 6 ]; then
+  echo "At least 6 args are needed. Got $#"
+  exit 1
+fi
+ADMINUSER=$1
+ADMINPASS=$2
+BASE=$3
+SOURCE=$BASE-prometheus-server
+SERVICE=$4
+DASHBOARDS=$5
+shift
+shift
+shift
+shift
+shift
+for orgWithVcs in "$@"
+do
+  ORGASCII=${orgWithVcs%%map\[*\]} # Drop the [*] off the end
+  echo "Creating $orgWithVcs as $ORGASCII"
+  VCSLIST=${orgWithVcs##${ORGASCII}map\[*\]\ vcs:\[} # Drop everything off the front until "] vcs:["
+  VCSLIST=${VCSLIST%\]\]} # Drop the ]] off the end
+  DGLIST=${orgWithVcs##${ORGASCII}map\[devicegroup:\[} # Drop everything off the front until "devicegroup:[map["
+  DGLIST=${DGLIST%\]\ vcs:*\]\]}
+  DGLIST1=${DGLIST//" map["/";map["} # Replace all occurrence of " map["
+  IFS=';' read -r -a DGARRAY <<< $DGLIST1
+  for idx in ${!DGARRAY[@]}; do
+    DGARRAY[$idx]=${DGARRAY[$idx]// /;} # Replace all instances of space with ;
+  done
+  SUCCESS=-1
+  ORGID=-1
+  # Commented out for the moment - keeping everything in the Main Org. - see aether-roc-gui/docs/grafana.md
+  #      echo "Calling /usr/bin/curl -H "Content-Type: application/json" -d '{"name":"$ORGASCII"}' http://$ADMINUSER:####@$SERVICE/api/orgs"
+  #      while [ $SUCCESS -ne 0 ];
+  #      do
+  #        DATA={\"name\":\"$ORGASCII\"}
+  #        echo "Creating Org $ORGASCII"
+  #        /usr/bin/curl -o /tmp/curlout -H "Content-Type: application/json" -d "$DATA" http://$ADMINUSER:$ADMINPASS@$SERVICE/api/orgs
+  #        SUCCESS=`echo $?`
+  #        echo "SUCCESS $SUCCESS"
+  #        if [ $SUCCESS -ne 0 ]
+  #        then
+  #          sleep $SLEEP
+  #          echo "Waiting $SLEEP seconds for Grafana to start"
+  #        else
+  #          ORGID=$(grep -o "[0-9]*" /tmp/curlout)
+  #          echo "Successful! Result $ORGID"
+  #        fi
+  #      done
+
+  #      echo "Calling /api/user/using/$ORGID"
+  #      /usr/bin/curl -s -X POST http://$ADMINUSER:$ADMINPASS@$SERVICE/api/user/using/$ORGID
+  #      SUCCESS=`echo $?`
+  #      echo "SUCCESS $SUCCESS"
+
+  echo "Creating folder in $ORGASCII"
+  FOLDER={\"uid\":\"$ORGASCII\",\"title\":\"$ORGASCII\"}
+  /usr/bin/curl -o /tmp/curlout -H "Content-Type: application/json" -d "$FOLDER" http://$ADMINUSER:$ADMINPASS@$SERVICE/api/folders
+  SUCCESS="$?"
+  echo "SUCCESS $SUCCESS"
+  cat /tmp/curlout
+
+  echo "Creating datasource in $ORGASCII"
+  DATASOURCE={\"name\":\"datasource-$ORGASCII\",\"type\":\"prometheus\",\"url\":\"http://$SOURCE\",\"access\":\"proxy\",\"basicAuth\":false}
+  /usr/bin/curl -s -o /tmp/curlout -H "Content-Type: application/json" -d "$DATASOURCE" http://$ADMINUSER:$ADMINPASS@$SERVICE/api/datasources
+  SUCCESS=`echo $?`
+  echo "SUCCESS $SUCCESS"
+  cat /tmp/curlout
+
+  echo "now create Dashboards with "$VCSLIST
+  grafana-create-vcs.sh $ADMINUSER $ADMINPASS $SERVICE $DASHBOARDS $ORGASCII $VCSLIST
+  grafana-create-device-group.sh $ADMINUSER $ADMINPASS $SERVICE $DASHBOARDS $ORGASCII $DGARRAY
+
+done
+
diff --git a/aether-roc-umbrella/files/scripts/grafana-create-vcs.sh b/aether-roc-umbrella/files/scripts/grafana-create-vcs.sh
new file mode 100755
index 0000000..2d09aab
--- /dev/null
+++ b/aether-roc-umbrella/files/scripts/grafana-create-vcs.sh
@@ -0,0 +1,48 @@
+#!/bin/bash
+# SPDX-FileCopyrightText: 2021-present Open Networking Foundation <info@opennetworking.org>
+#
+# SPDX-License-Identifier: LicenseRef-ONF-Member-Only-1.0
+
+# script to create Grafana VCS dashboards
+# Usage:
+# grafana-create-vcs.sh <ADMINUSER> <ADMINPASS> <grafana-server> <dashboards-folder> <org> <list of vcs>...
+set -e
+#set -x
+set -o pipefail
+set -u
+
+if [ "$#" -lt 6 ]; then
+  echo "At least 6 args are needed. Got $#"
+  exit 1
+fi
+ADMINUSER=$1
+ADMINPASS=$2
+SERVICE=$3
+FOLDER=$4
+export ORG=$5
+shift
+shift
+shift
+shift
+shift
+for vcs in "$@"; do
+  VCSASCII=${vcs//[^a-zA-Z0-9]/_}
+  SUCCESS=-1
+  ORGID=-1
+
+  echo "Creating vcs $vcs ($VCSASCII) in $ORG"
+  for f in $FOLDER/*.json; do
+    if [ -f "$f" ]; then
+      echo "Creating Dashboard from $f"
+      export VCS=$vcs
+      DASHBOARD=$(envsubst < $f)
+      /usr/bin/curl -s -o /tmp/curlout -H "Content-Type: application/json" -d "$DASHBOARD" http://$ADMINUSER:$ADMINPASS@$SERVICE/api/dashboards/db
+      SUCCESS=`echo $?`
+      echo "SUCCESS $SUCCESS"
+      cat /tmp/curlout
+    else
+      echo "No dashboards found"
+    fi
+  done
+
+done
diff --git a/aether-roc-umbrella/templates/NOTES.txt b/aether-roc-umbrella/templates/NOTES.txt
new file mode 100644
index 0000000..e7d3256
--- /dev/null
+++ b/aether-roc-umbrella/templates/NOTES.txt
@@ -0,0 +1,25 @@
+# SPDX-FileCopyrightText: 2021 Open Networking Foundation
+#
+# SPDX-License-Identifier: LicenseRef-ONF-Member-Only-1.0
+
+Thank you for installing {{ .Chart.Name }} Helm chart.
+
+Your release is named {{ .Release.Name }} in namespace {{.Release.Namespace}}.
+See https://docs.onosproject.org/developers/deploy_with_helm/
+
+To learn more about the release, try:
+  $ helm -n {{.Release.Namespace}} status {{ .Release.Name }}
+  $ helm -n {{.Release.Namespace}} get all {{ .Release.Name }}
+  $ watch kubectl -n {{.Release.Namespace}} get pods
+
+You can attach to:
+* Aether CLI pod with
+$ kubectl -n {{.Release.Namespace}} exec -it $(kubectl -n {{.Release.Namespace}} get pods -l type=cli -o name) -- /bin/sh
+* Aether Portal at http://<server_IP>:31190
+
+If you are using KinD as a Kubernetes server, you will have to use a "port-forward" to access the Aether ROC GUI e.g.
+$ kubectl -n {{.Release.Namespace}} port-forward $(kubectl -n {{.Release.Namespace}} get pods -l type=arg -o name) 8183:80
+and then access the GUI at
+* http://localhost:8183
+
+The aether-roc-api is then available at http://localhost:8183/aether-roc-api
diff --git a/aether-roc-umbrella/templates/_helpers.tpl b/aether-roc-umbrella/templates/_helpers.tpl
new file mode 100644
index 0000000..96089e8
--- /dev/null
+++ b/aether-roc-umbrella/templates/_helpers.tpl
@@ -0,0 +1,81 @@
+{{/* vim: set filetype=mustache: */}}
+{{/*
+SPDX-FileCopyrightText: 2020-present Open Networking Foundation <info@opennetworking.org>
+SPDX-License-Identifier: LicenseRef-ONF-Member-Only-1.0
+
+Expand the name of the chart.
+*/}}
+{{- define "global.name" -}}
+{{- default .Chart.Name .Values.global.nameOverride | trunc 63 | trimSuffix "-" -}}
+{{- end -}}
+
+{{/*
+Create a default fully qualified app name.
+We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec).
+If release name contains chart name it will be used as a full name.
+*/}}
+{{- define "global.fullname" -}}
+{{- if .Values.global.fullnameOverride -}}
+{{- .Values.global.fullnameOverride | trunc 63 | trimSuffix "-" -}}
+{{- else -}}
+{{- $name := default .Chart.Name .Values.global.nameOverride -}}
+{{- if contains $name .Release.Name -}}
+{{- .Release.Name | trunc 63 | trimSuffix "-" -}}
+{{- else -}}
+{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" -}}
+{{- end -}}
+{{- end -}}
+{{- end -}}
+
+{{/*
+Create chart name and version as used by the chart label.
+*/}}
+{{- define "global.chart" -}}
+{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" -}}
+{{- end -}}
+
+{{/*
+Common labels
+*/}}
+{{- define "global.labels" -}}
+helm.sh/chart: {{ include "global.chart" . }}
+{{ include "global.selectorLabels" . }}
+{{- if .Chart.AppVersion }}
+app.kubernetes.io/version: {{ .Chart.AppVersion | quote }}
+{{- end }}
+app.kubernetes.io/managed-by: {{ .Release.Service }}
+{{- end -}}
+
+{{/*
+Selector labels
+*/}}
+{{- define "global.selectorLabels" -}}
+app.kubernetes.io/name: {{ include "global.name" . }}
+app.kubernetes.io/instance: {{ .Release.Name }}
+{{- end -}}
+
+{{/*
+global consensus image name
+*/}}
+{{- define "global.store.consensus.imagename" -}}
+{{- if .Values.global.store.consensus.image.tag -}}
+{{- if .Values.global.store.consensus.image.registry -}}
+{{- printf "%s/" .Values.global.store.consensus.image.registry -}}
+{{- end -}}
+{{- printf "%s:" .Values.global.store.consensus.image.repository -}}
+{{- .Values.global.store.consensus.image.tag -}}
+{{- else -}}
+""
+{{- end -}}
+{{- end -}}
+
+{{/*
+global consensus store name
+*/}}
+{{- define "global.store.consensus.name" -}}
+{{- if .Values.global.store.consensus.name -}}
+{{- printf "%s" .Values.global.store.consensus.name -}}
+{{- else -}}
+{{- printf "%s-consensus-store" ( include "global.fullname" . ) -}}
+{{- end -}}
+{{- end -}}
\ No newline at end of file
diff --git a/aether-roc-umbrella/templates/alertmanager-configmap.yaml b/aether-roc-umbrella/templates/alertmanager-configmap.yaml
new file mode 100644
index 0000000..cbbcfe3
--- /dev/null
+++ b/aether-roc-umbrella/templates/alertmanager-configmap.yaml
@@ -0,0 +1,24 @@
+# SPDX-FileCopyrightText: 2020-present Open Networking Foundation <info@opennetworking.org>
+#
+# SPDX-License-Identifier: LicenseRef-ONF-Member-Only-1.0
+
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: {{ .Release.Name }}-alertmanager
+  namespace: {{ .Release.Namespace }}
+data:
+  alertmanager.yml: |-
+    global: {}
+      # slack_api_url: ''
+
+    receivers:
+      - name: default-receiver
+        webhook_configs:
+        - url: {{ .Values.prometheus.alertmanager.webhook_url }}
+
+    route:
+      group_wait: 10s
+      group_interval: 1m
+      receiver: default-receiver
+      repeat_interval: 3h
diff --git a/aether-roc-umbrella/templates/dashboards-templated.yaml b/aether-roc-umbrella/templates/dashboards-templated.yaml
new file mode 100644
index 0000000..01cadbb
--- /dev/null
+++ b/aether-roc-umbrella/templates/dashboards-templated.yaml
@@ -0,0 +1,11 @@
+# SPDX-FileCopyrightText: 2021-present Open Networking Foundation <info@opennetworking.org>
+#
+# SPDX-License-Identifier: LicenseRef-ONF-Member-Only-1.0
+
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: {{ .Release.Name }}-dashboards-templated
+  namespace: {{ .Release.Namespace }}
+data:
+{{ (.Files.Glob "files/dashboards/**/*.json").AsConfig | indent 2 }}
diff --git a/aether-roc-umbrella/templates/grafana-post-install-sh.yaml b/aether-roc-umbrella/templates/grafana-post-install-sh.yaml
new file mode 100644
index 0000000..3a7b3a9
--- /dev/null
+++ b/aether-roc-umbrella/templates/grafana-post-install-sh.yaml
@@ -0,0 +1,15 @@
+# SPDX-FileCopyrightText: 2021-present Open Networking Foundation <info@opennetworking.org>
+#
+# SPDX-License-Identifier: LicenseRef-ONF-Member-Only-1.0
+
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: {{ .Release.Name }}-grafana-post-install
+  labels:
+    app: {{ template "aether-roc-api.fullname" . }}
+    chart: "{{ .Chart.Name }}-{{ .Chart.Version }}"
+    release: "{{ .Release.Name }}"
+    heritage: "{{ .Release.Service }}"
+data:
+{{ (.Files.Glob "files/scripts/*.sh").AsConfig | indent 2 }}
diff --git a/aether-roc-umbrella/templates/opa-rbac-configmap.yaml b/aether-roc-umbrella/templates/opa-rbac-configmap.yaml
new file mode 100644
index 0000000..e123fa5
--- /dev/null
+++ b/aether-roc-umbrella/templates/opa-rbac-configmap.yaml
@@ -0,0 +1,16 @@
+# SPDX-FileCopyrightText: 2021-present Open Networking Foundation <info@opennetworking.org>
+#
+# SPDX-License-Identifier: LicenseRef-ONF-Member-Only-1.0
+
+{{ if ".Values.onos-config.openpolicyagent.enabled" }}
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: {{ .Release.Name }}-opa-rbac
+  labels:
+    chart: "{{ .Chart.Name }}-{{ .Chart.Version }}"
+    release: "{{ .Release.Name }}"
+    heritage: "{{ .Release.Service }}"
+data:
+{{ (.Files.Glob "files/opa-rbac/*.rego").AsConfig | indent 2 }}
+{{end}}
\ No newline at end of file
diff --git a/aether-roc-umbrella/templates/post-install-job-grafana.yaml b/aether-roc-umbrella/templates/post-install-job-grafana.yaml
new file mode 100644
index 0000000..d31e3c6
--- /dev/null
+++ b/aether-roc-umbrella/templates/post-install-job-grafana.yaml
@@ -0,0 +1,72 @@
+# SPDX-FileCopyrightText: 2021-present Open Networking Foundation <info@opennetworking.org>
+#
+# SPDX-License-Identifier: LicenseRef-ONF-Member-Only-1.0
+{{ if .Values.import.grafana.enabled }}
+apiVersion: batch/v1
+kind: Job
+metadata:
+  name: "{{ .Release.Name }}"
+  labels:
+    app.kubernetes.io/managed-by: {{ .Release.Service | quote }}
+    app.kubernetes.io/instance: {{ .Release.Name | quote }}
+    app.kubernetes.io/version: {{ .Chart.AppVersion }}
+    helm.sh/chart: "{{ .Chart.Name }}-{{ .Chart.Version }}"
+  annotations:
+    # This is what defines this resource as a hook. Without this line, the
+    # job is considered part of the release.
+    "helm.sh/hook": post-install
+    "helm.sh/hook-weight": "-5"
+    {{- if .Values.grafana.tidyUpPostInstall }}
+    "helm.sh/hook-delete-policy": hook-succeeded
+    {{- end}}
+spec:
+  template:
+    metadata:
+      name: "{{ .Release.Name }}"
+      labels:
+        app.kubernetes.io/managed-by: {{ .Release.Service | quote }}
+        app.kubernetes.io/instance: {{ .Release.Name | quote }}
+        helm.sh/chart: "{{ .Chart.Name }}-{{ .Chart.Version }}"
+    spec:
+      restartPolicy: Never
+      containers:
+        - name: post-install-job
+          image: "onosproject/onos-cli:v0.7.32"
+          env:
+            - name: GF_SECURITY_ADMIN_USER
+              valueFrom:
+                secretKeyRef:
+                  name: {{ .Release.Name }}-grafana
+                  key: admin-user
+            - name: GF_SECURITY_ADMIN_PASSWORD
+              valueFrom:
+                secretKeyRef:
+                  name: {{ .Release.Name }}-grafana
+                  key: admin-password
+          command: ["/usr/local/bin/grafana-create-orgs.sh"]
+          args:
+            - "$(GF_SECURITY_ADMIN_USER)"
+            - "$(GF_SECURITY_ADMIN_PASSWORD)"
+            - "{{ .Release.Name }}"
+            - "{{ .Release.Name }}-grafana"
+            - "/usr/local/dashboards/templated"
+            {{- range $org, $vcs := .Values.grafana.orgs }}
+            - {{ printf "%s%s" $org $vcs | quote }}
+            {{- end}}
+          volumeMounts:
+            - name: post-install
+              mountPath: /usr/local/bin
+              readOnly: true
+            - name: dashboards-templated
+              mountPath: /usr/local/dashboards/templated
+              readOnly: true
+      volumes:
+        - name: post-install
+          configMap:
+            name: {{ .Release.Name }}-grafana-post-install
+            defaultMode: 0555
+        - name: dashboards-templated
+          configMap:
+            name: {{ .Release.Name }}-dashboards-templated
+
+  {{end}}
diff --git a/aether-roc-umbrella/templates/sdcore-test-dummy-config.yaml b/aether-roc-umbrella/templates/sdcore-test-dummy-config.yaml
new file mode 100644
index 0000000..5adedae
--- /dev/null
+++ b/aether-roc-umbrella/templates/sdcore-test-dummy-config.yaml
@@ -0,0 +1,44 @@
+# SPDX-FileCopyrightText: 2020-present Open Networking Foundation <info@opennetworking.org>
+#
+# SPDX-License-Identifier: LicenseRef-ONF-Member-Only-1.0
+
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: {{ .Release.Name }}-sdcore-test-dummy
+  namespace: {{ .Release.Namespace }}
+data:
+  sdcore-test-dummy.conf: |-
+    log_format client '$remote_addr - $remote_user $request_time $upstream_response_time '
+                      '[$time_local] "$request" $status $body_bytes_sent $request_body "$http_referer" '
+                      '"$http_user_agent" "$http_x_forwarded_for"';
+
+    server {
+      listen 0.0.0.0:8080;
+      default_type application/json;
+      access_log /opt/bitnami/nginx/logs/access.log client;
+
+      # You can provide a special subPath or the root
+      location = /v1/config {
+        root /;
+        proxy_pass http://127.0.0.1:8080/post_dummy;
+      }
+      location = /v1/config/policies {
+        root /;
+        proxy_pass http://127.0.0.1:8080/post_dummy;
+      }
+      location = /v1/config/imsis {
+        root /;
+        proxy_pass http://127.0.0.1:8080/post_dummy;
+      }
+      location /v1/config/5g {
+        rewrite ^/v1/config/5g/.* /v1/config/5g break;
+        proxy_pass http://127.0.0.1:8080/post_dummy;
+      }
+      location = /post_dummy {
+        # turn off logging here to avoid double logging
+        access_log off;
+        return 200;
+      }
+      error_page  405     =200 $uri;
+    }
diff --git a/aether-roc-umbrella/templates/store.yaml b/aether-roc-umbrella/templates/store.yaml
new file mode 100644
index 0000000..9de9669
--- /dev/null
+++ b/aether-roc-umbrella/templates/store.yaml
@@ -0,0 +1,42 @@
+# SPDX-FileCopyrightText: 2021-present Open Networking Foundation <info@opennetworking.org>
+#
+# SPDX-License-Identifier: LicenseRef-ONF-Member-Only-1.0
+
+{{- if .Values.global.store.consensus.enabled }}
+apiVersion: atomix.io/v2beta1
+kind: Store
+metadata:
+  name: {{ template "global.store.consensus.name" . }}
+  namespace: {{ .Release.Namespace }}
+spec:
+  protocol:
+    apiVersion: storage.atomix.io/v2beta2
+    kind: MultiRaftProtocol
+    spec:
+      replicas: {{ .Values.global.store.consensus.replicas }}
+      groups: {{ .Values.global.store.consensus.partitions }}
+      {{- with .Values.global.store.consensus.raft }}
+      raft:
+        {{- toYaml . | nindent 8 }}
+      {{- end }}
+      image: {{ template "global.store.consensus.imagename" . }}
+      imagePullPolicy: {{ .Values.global.store.consensus.image.pullPolicy }}
+      {{- with .Values.global.store.consensus.image.pullSecrets }}
+      imagePullSecrets:
+        {{- toYaml . | nindent 8 }}
+      {{- end }}
+      {{- with .Values.global.store.consensus.securityContext }}
+      securityContext:
+        {{- toYaml . | nindent 8 }}
+      {{- end }}
+      {{- if .Values.global.store.consensus.persistence.storageClass }}
+      volumeClaimTemplate:
+        spec:
+          accessModes:
+          - ReadWriteOnce
+          storageClassName: {{ .Values.global.store.consensus.persistence.storageClass | quote }}
+          resources:
+            requests:
+              storage: {{ .Values.global.store.consensus.persistence.storageSize }}
+      {{- end }}
+{{- end }}
\ No newline at end of file
diff --git a/aether-roc-umbrella/templates/topo.yaml b/aether-roc-umbrella/templates/topo.yaml
new file mode 100644
index 0000000..a32d520
--- /dev/null
+++ b/aether-roc-umbrella/templates/topo.yaml
@@ -0,0 +1,55 @@
+# SPDX-FileCopyrightText: 2021-present Open Networking Foundation <info@opennetworking.org>
+#
+# SPDX-License-Identifier: LicenseRef-ONF-Member-Only-1.0
+
+# A topology kind representing an E2 node
+apiVersion: topo.onosproject.org/v1beta1
+kind: Kind
+metadata:
+  name: aether
+spec:
+  aspects: {}
+
+---
+# The 4G v2.1.0 sdcore-adapter
+apiVersion: topo.onosproject.org/v1beta1
+kind: Entity
+metadata:
+  name: connectivity-service-v2
+spec:
+  uri: connectivity-service-v2
+  kind:
+    name: aether
+  aspects:
+    onos.topo.Configurable:
+      address: sdcore-adapter-v21:5150
+      version: 2.1.0
+      type: Aether
+    onos.topo.TLSOptions:
+      insecure: true
+    onos.topo.Asset:
+      name: SPGW-1
+    onos.topo.MastershipState: {}
+---
+# The 4G/5G v3.0.0 sdcore-adapter
+apiVersion: topo.onosproject.org/v1beta1
+kind: Entity
+metadata:
+  name: connectivity-service-v3
+spec:
+  uri: connectivity-service-v3
+  kind:
+    name: aether
+  aspects:
+    onos.topo.Configurable:
+      address: sdcore-adapter-v3:5150
+      version: 3.0.0
+      type: Aether
+    onos.topo.Location:
+      lat: 52.5150
+      lng: 13.3885
+    onos.topo.TLSOptions:
+      insecure: true
+    onos.topo.Asset:
+      name: 5G Core
+    onos.topo.MastershipState: {}
diff --git a/aether-roc-umbrella/tests/aether-roc-umbrella.go b/aether-roc-umbrella/tests/aether-roc-umbrella.go
new file mode 100644
index 0000000..799d41d
--- /dev/null
+++ b/aether-roc-umbrella/tests/aether-roc-umbrella.go
@@ -0,0 +1,71 @@
+// SPDX-FileCopyrightText: 2020-present Open Networking Foundation <info@opennetworking.org>
+//
+// SPDX-License-Identifier: LicenseRef-ONF-Member-Only-1.0
+
+package tests
+
+import (
+	"context"
+	"testing"
+	"time"
+
+	"github.com/onosproject/helmit/pkg/helm"
+	"github.com/onosproject/helmit/pkg/input"
+	"github.com/onosproject/helmit/pkg/kubernetes"
+	"github.com/onosproject/helmit/pkg/test"
+	"github.com/onosproject/onos-test/pkg/onostest"
+	"github.com/stretchr/testify/assert"
+)
+
+// AetherRocUmbrellaSuite is the aether-roc-umbrella chart test suite
+type AetherRocUmbrellaSuite struct {
+	test.Suite
+	c *input.Context
+}
+
+// SetupTestSuite sets up the aether roc umbrella test suite
+func (s *AetherRocUmbrellaSuite) SetupTestSuite(c *input.Context) error {
+	s.c = c
+	return nil
+}
+
+func getCredentials() (string, string, error) {
+	kubClient, err := kubernetes.New()
+	if err != nil {
+		return "", "", err
+	}
+	secrets, err := kubClient.CoreV1().Secrets().Get(context.Background(), onostest.SecretsName)
+	if err != nil {
+		return "", "", err
+	}
+	username := string(secrets.Object.Data["sd-ran-username"])
+	password := string(secrets.Object.Data["sd-ran-password"])
+
+	return username, password, nil
+}
+
+// TestInstall tests installing the aether-roc-umbrella chart
+func (s *AetherRocUmbrellaSuite) TestInstall(t *testing.T) {
+	username, password, err := getCredentials()
+	assert.NoError(t, err)
+	registry := s.c.GetArg("registry").String("")
+
+	onos := helm.Chart("aether-roc-umbrella", onostest.SdranChartRepo).
+		Release("aether-roc-umbrella").
+		SetUsername(username).
+		SetPassword(password).
+		WithTimeout(15*time.Minute).
+		Set("onos-ric.service.external.nodePort", 0).
+		Set("onos-ric-ho.service.external.nodePort", 0).
+		Set("onos-ric-mlb.service.external.nodePort", 0).
+		Set("import.onos-gui.enabled", false).
+		Set("import.aether-roc-gui.v2_1.enabled", false).
+		Set("import.aether-roc-gui.v3.enabled", false).
+		Set("import.onos-cli.enabled", false).
+		Set("onos-topo.image.tag", "latest").
+		Set("onos-config.image.tag", "latest").
+		Set("aether-roc-api.image.tag", "latest").
+		Set("onos-config.plugin.compiler.target", "github.com/onosproject/onos-config@master").
+		Set("global.image.registry", registry)
+	assert.NoError(t, onos.Install(true))
+}
diff --git a/aether-roc-umbrella/values.yaml b/aether-roc-umbrella/values.yaml
new file mode 100644
index 0000000..bcd17fc
--- /dev/null
+++ b/aether-roc-umbrella/values.yaml
@@ -0,0 +1,251 @@
+# SPDX-FileCopyrightText: 2020-present Open Networking Foundation <info@opennetworking.org>
+#
+# SPDX-License-Identifier: LicenseRef-ONF-Member-Only-1.0
+
+# Default values for all Aether Helm charts.
+# This is a YAML-formatted file.
+# Declare variables to be passed into your templates.
+
+global:
+  fullnameOverride: "onos"
+  nameOverride: ""
+  image:
+    registry: ""
+    tag: ""
+  store:
+    consensus:
+      enabled: true
+      name: ""
+      image:
+        registry: ""
+        repository: atomix/atomix-raft-storage-node
+        tag: ""
+        pullPolicy: IfNotPresent
+        pullSecrets: []
+      clusters: 1
+      replicas: 1
+      partitions: 1
+      raft: {}
+      persistence:
+        storageClass: ""
+        storageSize: 1Gi
+
+import:
+  onos-topo:
+    enabled: true
+  onos-config:
+    enabled: true
+  onos-gui:
+    enabled: false
+  onos-cli:
+    enabled: true
+  aether-roc-api:
+    enabled: true
+  aether-roc-gui:
+    v2_1:
+      enabled: false
+    v3:
+      enabled: true
+  sdcore-adapter:
+    v2_1:
+      enabled: true
+    v3:
+      enabled: true
+  subscriber-proxy:
+    enabled: true
+  sdcore-test-dummy:
+    enabled: true
+  grafana:
+    enabled: true #also enable the proxy below
+  prometheus:
+    enabled: true #also enable the proxy below
+
+# ONOS-TOPO
+onos-topo:
+  store:
+    consensus:
+      enabled: false
+
+# ONOS-GUI
+onos-gui: {}
+
+# ONOS-CLI
+onos-cli: {}
+
+# Aether ROC API
+aether-roc-api: {}
+
+# Aether ROC GUI
+aether-roc-gui-v3:
+  websocket:
+    proxyEnabled: true
+  grafana:
+    proxyEnabled: true
+    service: aether-roc-umbrella-grafana # the grafana hostname - use FQDN for other namespaces
+  prometheus:
+    proxyEnabled: true
+    service: aether-roc-umbrella-prometheus-server
+
+# SD-Core Adapter
+sdcore-adapter-v21:
+  nameOverride: sdcore-adapter-v21
+  fullnameOverride: sdcore-adapter-v21
+  prometheusEnabled: false
+
+# Subscriber Proxy
+subscriber-proxy:
+  nameOverride: subscriber-proxy
+  fullnameOverride: subscriber-proxy
+  prometheusEnabled: false
+
+sdcore-adapter-v3:
+  nameOverride: sdcore-adapter-v3
+  fullnameOverride: sdcore-adapter-v3
+  prometheusEnabled: false
+
+grafana:
+  orgs:
+    acme:
+      vcs:
+        - acme-chicago-robots
+      devicegroup:
+        - acme-chicago-robots:
+            production: "0-3"
+            warehouse: "10-12"
+    starbucks:
+      vcs:
+        - starbucks-newyork-cameras
+        - starbucks-seattle-cameras
+      devicegroup:
+        - starbucks-newyork-cameras:
+            front: "40-41"
+            store: "50-55"
+        - starbucks-seattle-pos:
+            tills: "20-22"
+            store: "30-34"
+        - starbucks-seattle-cameras:
+            counter: "0-3"
+            store: "10-14"
+
+  tidyUpPostInstall: true
+  grafana.ini:
+    log:
+      level: debug
+    server:
+      domain: aether-roc-gui
+      root_url: "%(protocol)s://%(domain)s:%(http_port)s/grafana/"
+      serve_from_sub_path: true
+    auth.anonymous:
+      enabled: true
+      hide_version: true
+# Commented out for the moment - see aether-roc-gui/docs/grafana.md
+#    auth.jwt:
+#      enabled: true
+#      header_name: X-JWT-Assertion
+#      username_claim: name
+#      email_claim: email
+#      jwk_set_url: https://dex.aetherproject.org/dex/keys
+#      cache_ttl: 60m
+#    auth.generic_oauth:
+#      enabled: true
+#      client_id: aether-roc-gui
+##      client_secret: YWV0aGVyLXJvYy1ndWkK
+#      scopes: "openid profile email groups"
+#      empty_scopes: false
+#      auth_url: "http://dex-ldap-umbrella:5556/auth"
+#      token_url: "http://dex-ldap-umbrella:5556/token"
+#      api_url: "http://dex-ldap-umbrella:5556/userinfo"
+#      allowed_domains: opennetworking.org
+#      allow_sign_up: true
+
+prometheus:
+  pushgateway:
+    enabled: false
+  nodeExporter:
+    enabled: false
+  kubeStateMetrics:
+    enabled: false
+  alertmanager:
+    configMapOverrideName: alertmanager
+    webhook_url: "http://aether-roc-api-websocket/webhook"
+  serverFiles:
+    alerting_rules.yml:
+     groups:
+       - name: UeAlerts
+         rules:
+           - alert: UeThroughputLow
+             expr: ue_throughput < 9000
+             for: 1m
+             labels:
+               severity: info
+             annotations:
+               description: 'UE {{ $labels.id }} on VCS {{ $labels.slice }} throughput has been low for more than 1 minutes.'
+               summary: 'UE {{ $labels.id }} on VCS {{ $labels.slice }} throughput low'
+           - alert: UeLatencyHigh
+             expr: ue_latency > 8
+             for: 1m
+             labels:
+               severity: info
+             annotations:
+               description: 'UE {{ $labels.id }} on VCS {{ $labels.slice }} latency has been high for more than 1 minutes.'
+               summary: 'UE {{ $labels.id }} on VCS {{ $labels.slice }} latency high'
+       - name: VcsAlerts
+         rules:
+           - alert: VcsThroughputLow
+             expr: vcs_throughput < 9000
+             for: 1m
+             labels:
+               severity: info
+             annotations:
+               description: 'VCS {{ $labels.vcs_id }} throughput has been low for more than 1 minutes.'
+               summary: 'VCS {{ $labels.vcs_id }} throughput low'
+           - alert: VcsLatencyHigh
+             expr: vcs_latency > 30
+             for: 1m
+             labels:
+               severity: warn
+             annotations:
+               description: 'VCS {{ $labels.vcs_id }} latency has been high for more than 1 minutes.'
+               summary: 'VCS {{ $labels.vcs_id }} latency high'
+           - alert: VcsJitterHigh
+             expr: vcs_jitter > 8
+             for: 1m
+             labels:
+               severity: page
+             annotations:
+               description: 'VCS {{ $labels.vcs_id }} jitter has been high for more than 1 minutes.'
+               summary: 'VCS {{ $labels.vcs_id }} jitter high'
+    prometheus.yml:
+      scrape_configs:
+        - job_name: sdcore-exporter
+          scrape_interval: 2s
+          static_configs:
+            - targets:
+                - sdcore-adapter-v3-exporter:2112
+
+# SD-Core Test Dummy
+# proxy_pass has to be added or nginx will not log the $request_body
+sdcore-test-dummy:
+  service:
+    type: ClusterIP
+  existingServerBlockConfigmap: aether-roc-umbrella-sdcore-test-dummy
+
+# ONOS-CONFIG
+onos-config:
+  store:
+    consensus:
+      enabled: false
+  models:
+    aether:
+      v2_1:
+        enabled: true
+      v2_2:
+        enabled: false
+      v3:
+        enabled: true
+  plugin:
+    compiler:
+      target: ""
+  openpolicyagent:
+    enabled: true
+    regoConfigMap: aether-roc-umbrella-opa-rbac