Permissions
Schema
The schema for the permissions system.
The permission schema is used to define the permissions for the EAGLE platform using a SpiceDB/Zanzibar-style authorization model.
definition user {}
// Global roles that span across all services
definition global_role {
relation super_admin: user // Has full access to everything across all services
}
// EAGLE service definition
definition eagle {
relation platform_manager: user // Has administrator access to all EAGLE resources
}
// Organizations within EAGLE that group users together
definition eagle_organization {
relation admin: user // Can manage the organization and edit shared objects
relation member: user // Can view objects shared with the organization
}
// Generic object type for EAGLE resources (submissions, exclusions, audits, cycle counts)
definition eagle_object {
relation owner: user // User who owns the object
relation editor: user // Users with edit access
relation viewer: user // Users with view-only access
relation shared_with: eagle_organization // Organizations this object is shared with
// Edit permission: owners, editors, org admins, platform managers, and super admins
permission edit = owner + editor + shared_with->admin + global_role->super_admin + eagle->platform_manager
// View permission: all users with edit access plus viewers and org members
permission view = owner + editor + viewer + shared_with->admin + shared_with->member + global_role->super_admin + eagle->platform_manager
}
// Feature flags for EAGLE service
definition eagle_feature_flag {
relation talon_access: user // Users who have access to Talon feature
relation talon_management: user // Users who can manage Talon
}
// ALEC service definition with RBAC roles
definition alec {
relation platform_manager: user // Has administrator access to all ALEC resources
relation validator: user // Can validate items
relation verifier: user // Can verify items
relation approver: user // Can approve items
relation product_tester: user // Subrole for product testing
}