RolePermission
Maps permissions to roles, defining what actions each role is authorized to perform in the system. This junction table is the heart of RBAC, translating high-level roles into specific, actionable permissions. When a user is assigned the 'Editor' role, this entity defines that editors can 'create:articles', 'edit:articles', 'publish:articles' but not 'delete:articles'. The relationship can be additive (granting permissions) or subtractive (explicitly denying permissions even if inherited from parent roles). This allows fine-tuning of roles - for example, a 'Junior Admin' role might inherit from 'Admin' but have certain dangerous permissions explicitly removed. The entity tracks who granted each permission to the role and when, providing accountability for permission changes. It supports conditional permissions where the same role might have different permissions based on context (time of day, location, resource attributes). Permission changes to roles immediately affect all users with that role, making it efficient to manage access for large groups. The entity maintains history even after permissions are revoked from roles, essential for compliance audits asking 'What could this role do last quarter?'
Properties
| Property | Type | Mode | Description | Required |
|---|---|---|---|---|
| role | Role | stored | The role receiving this permission | Required |
| permission | Permission | stored | The permission being granted or denied | Required |
| grantType | string | enum | Whether this permission is granted or explicitly denied. Values used in the examples below: `grant`, `deny` | Required |
| grantedAt | DateTime | stored | When this permission was added to the role | Required |
| grantedBy | User | stored | Administrator who added this permission | Optional |
| reason | string | stored | Explanation for adding this permission to the role | Optional |
| scope | string | stored | Context where this permission applies (e.g. `global` in the examples below) | Optional |
| conditions | string | stored | JSON conditions that must be met for the permission to apply (see Example 1) | Optional |
| restrictions | string | stored | JSON restrictions limiting the permission | Optional |
| priority | integer | stored | Resolution order when conflicts occur (higher wins) | Optional |
| isInherited | boolean | stored | Whether this permission comes from a parent role | Optional |
| inheritedFrom | Role | stored | Parent role this permission is inherited from | Optional |
| canDelegate | boolean | stored | Whether users with this role can delegate this permission | Optional |
| requiresMfa | boolean | stored | Whether MFA (2FA) is required when using this permission | Optional |
| requiresApproval | boolean | stored | Whether using this permission needs real-time approval | Optional |
| approvalConfig | string | stored | JSON configuration for the approval workflow (see Example 2) | Optional |
| validFrom | DateTime | stored | When this permission becomes active for the role | Optional |
| validUntil | DateTime | stored | When this permission expires for the role | Optional |
| isActive | boolean | stored | Whether this permission grant is currently active | Optional |
| suspendedAt | DateTime | stored | When this permission was temporarily suspended | Optional |
| suspendedReason | string | stored | Why this permission was suspended | Optional |
| revokedAt | DateTime | stored | When this permission was removed from the role | Optional |
| revokedBy | User | stored | Who removed this permission | Optional |
| metadata | object | stored | Additional configuration data | Optional |
Examples
Example 1
```json
{
  "@type": "RolePermission",
  "grantType": "grant",
  "grantedAt": "2024-01-15T10:00:00Z",
  "grantedBy": "admin_123",
  "reason": "Standard permission for content editors",
  "scope": "global",
  "conditions": "{\"content_type\":[\"article\",\"blog\",\"page\"],\"workflow_state\":[\"draft\",\"review\"]}",
  "priority": 50,
  "isInherited": false,
  "canDelegate": false,
  "requiresMfa": false,
  "requiresApproval": false,
  "isActive": true,
  "metadata": {
    "permission_group": "content_management",
    "risk_assessed": true
  }
}
```
Example 2
```json
{
  "@type": "RolePermission",
  "grantType": "deny",
  "grantedAt": "2024-02-01T14:00:00Z",
  "grantedBy": "security_admin",
  "reason": "Restrict junior admins from user deletion to prevent accidents",
  "scope": "global",
  "priority": 100,
  "isInherited": true,
  "inheritedFrom": "role_admin",
  "canDelegate": false,
  "requiresMfa": true,
  "requiresApproval": true,
  "approvalConfig": "{\"approvers\":[\"senior_admin\",\"security_team\"],\"timeout_hours\":4,\"emergency_bypass\":false}",
  "isActive": true,
  "metadata": {
    "override_reason": "security_policy",
    "review_date": "2024-06-01"
  }
}
```
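The resolution rules described above (additive grants, subtractive denies that override inherited grants, `priority` where higher wins, `conditions`, validity windows and `isActive`) as a small access check over RolePermission records. This is an added illustration, not code from the page or its schema; the records are constructed after the two examples, and the `role`/`permission` references and permission names are assumptions, since the page's JSON examples omit those two required properties.

```python
import json
from datetime import datetime, timezone

# Constructed records modelled on the page's examples (role/permission values are assumptions).
# Inherited grants are assumed to be materialised on the child role, as Example 2 shows.
RECORDS = [
    {"role": "role_editor", "permission": "edit:articles", "grantType": "grant",
     "priority": 50, "isActive": True,
     "conditions": "{\"content_type\":[\"article\",\"blog\",\"page\"],\"workflow_state\":[\"draft\",\"review\"]}"},
    {"role": "role_editor", "permission": "publish:articles", "grantType": "grant",
     "priority": 50, "isActive": True, "validUntil": "2024-03-01T00:00:00Z"},
    {"role": "role_junior_admin", "permission": "delete:users", "grantType": "grant",
     "priority": 10, "isActive": True, "isInherited": True, "inheritedFrom": "role_admin"},
    {"role": "role_junior_admin", "permission": "delete:users", "grantType": "deny",
     "priority": 100, "isActive": True},  # explicit deny overriding the inherited grant
]

def parse_ts(value):
    return datetime.fromisoformat(value.replace("Z", "+00:00"))

def is_effective(rec, now):
    """A record counts only if active, not suspended or revoked, and inside its validity window."""
    if not rec.get("isActive", True) or rec.get("suspendedAt") or rec.get("revokedAt"):
        return False
    if rec.get("validFrom") and now < parse_ts(rec["validFrom"]):
        return False
    if rec.get("validUntil") and now >= parse_ts(rec["validUntil"]):
        return False
    return True

def conditions_match(rec, ctx):
    """JSON conditions: every listed attribute must be present in ctx with an allowed value."""
    if not rec.get("conditions"):
        return True
    return all(ctx.get(k) in allowed for k, allowed in json.loads(rec["conditions"]).items())

def is_allowed(records, role, permission, ctx=None, now=None):
    """Highest priority wins; a deny beats a grant at equal priority; no record means deny."""
    ctx, now = ctx or {}, now or datetime.now(timezone.utc)
    best = None
    for rec in records:
        if rec["role"] != role or rec["permission"] != permission:
            continue
        if not is_effective(rec, now) or not conditions_match(rec, ctx):
            continue
        key = (rec.get("priority", 0), rec["grantType"] == "deny")
        if best is None or key > best[0]:
            best = (key, rec["grantType"])
    return best is not None and best[1] == "grant"
```

Because expired, suspended and revoked records are skipped rather than deleted, the same list still answers the audit question of what a role could do at an earlier `now`.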