UserPermission

Junction entity representing the direct assignment of a permission to a user, enabling fine-grained access control without role intermediation. This entity supports explicit permission grants, temporal permissions, contextual restrictions, and delegated authority tracking. It enables scenarios where users need specific permissions beyond their role assignments, temporary elevated access, or context-specific capabilities (e.g., permissions valid only for a specific organization or project). The entity includes comprehensive audit tracking of who granted permissions, when they become effective, expiration dates, and revocation details. It serves as the foundation for attribute-based access control (ABAC) and exception-based permission management across enterprise applications, multi-tenant platforms, and complex authorization scenarios.

Schema (16 properties)

Properties

| Property | Type | Mode | Description | Required |
| --- | --- | --- | --- | --- |
| user | User | stored | Reference to the User who is granted this permission | Required |
| permission | Permission | stored | Reference to the Permission being granted to the user | Required |
| grantedAt | datetime | stored | Date/time when this permission was granted to the user. Example: "2024-01-15T10:30:00Z" | Required |
| grantedBy | User | stored | Reference to the User who granted this permission (admin, manager, or system). Example: {"@type":"User","username":"admin"} | Optional |
| effectiveFrom | datetime | stored | Date/time from which this permission becomes effective (null means effective immediately). Example: "2024-01-15T10:30:00Z" | Optional |
| expiresAt | datetime | stored | Date/time when this permission grant expires (null for permanent grants). Example: "2025-01-15T10:30:00Z" | Optional |
| tenant | Tenant | stored | Tenant context for this permission grant; enables tenant-scoped permissions and data isolation (required for multi-tenant systems) | Optional |
| contextMetadata | json | stored | Additional contextual metadata for scoped permission grants (e.g., project, department, resource-specific constraints). Example: {"project":"Project Alpha","department":"Engineering"} | Optional |
| conditions | json | stored | Optional conditions or constraints for this permission grant (e.g., time-based restrictions, attribute-based rules, resource limits). Example: {"timeRestriction":{"allowedHours":"09:00-17:00","timezone":"America/New_York"},"resourceLimit":{"maxAmount":10000}} | Optional |
| reason | string | stored | Reason or justification for granting this permission. Example: "Temporary elevated access for project launch" | Optional |
| revokedAt | datetime | stored | Date/time when this permission was revoked (null if still active) | Optional |
| revokedBy | User | stored | Reference to the User who revoked this permission | Optional |
| revokeReason | string | stored | Reason for revoking this permission grant | Optional |
| isActive | boolean | calculated | Whether this permission grant is currently active (not expired, not revoked, within effective period, and base Permission is active) | Optional |
| isExpired | boolean | calculated | Whether this permission grant has expired | Optional |
| daysUntilExpiration | number | calculated | Number of days until this permission expires (null if no expiration) | Optional |

Examples

Example 1

{
  "@type": "UserPermission",
  "user": {
    "@type": "User",
    "username": "john.doe"
  },
  "permission": {
    "@type": "Permission",
    "entity": {
      "@type": "KernelModel",
      "name": "User"
    },
    "action": {
      "@type": "PermissionAction",
      "name": "read"
    }
  },
  "grantedAt": "2024-01-15T10:30:00Z",
  "grantedBy": {
    "@type": "User",
    "username": "admin"
  },
  "reason": "Core system access for all employees"
}

Example 2

{
  "@type": "UserPermission",
  "user": {
    "@type": "User",
    "username": "jane.smith"
  },
  "permission": {
    "@type": "Permission",
    "entity": {
      "@type": "KernelModel",
      "name": "Invoice"
    },
    "action": {
      "@type": "PermissionAction",
      "name": "approve"
    }
  },
  "grantedAt": "2024-06-01T09:00:00Z",
  "grantedBy": {
    "@type": "User",
    "username": "finance.director"
  },
  "expiresAt": "2024-12-31T23:59:59Z",
  "conditions": {
    "maxAmount": 50000,
    "requiresSecondApprover": false
  },
  "tenant": {
    "@type": "Tenant",
    "slug": "acme-corp",
    "name": "ACME Corporation"
  },
  "reason": "Temporary approval authority for Q3-Q4 2024"
}

Example 3

{
  "@type": "UserPermission",
  "user": {
    "@type": "User",
    "username": "bob.wilson"
  },
  "permission": {
    "@type": "Permission",
    "entity": {
      "@type": "KernelModel",
      "name": "Report"
    },
    "action": {
      "@type": "PermissionAction",
      "name": "read"
    }
  },
  "grantedAt": "2024-03-01T10:00:00Z",
  "grantedBy": {
    "@type": "User",
    "username": "manager"
  },
  "contextMetadata": {
    "project": "Project Alpha",
    "department": "Engineering"
  },
  "conditions": {
    "timeRestriction": {
      "allowedDays": [
        "monday",
        "tuesday",
        "wednesday",
        "thursday",
        "friday"
      ],
      "allowedHours": "08:00-18:00",
      "timezone": "UTC"
    }
  },
  "reason": "Project-specific reporting access during business hours"
}

Example 4

{
  "@type": "UserPermission",
  "user": {
    "@type": "User",
    "username": "alice.brown"
  },
  "permission": {
    "@type": "Permission",
    "entity": {
      "@type": "KernelModel",
      "name": "SystemConfig"
    },
    "action": {
      "@type": "PermissionAction",
      "name": "update"
    }
  },
  "grantedAt": "2024-01-10T15:00:00Z",
  "grantedBy": {
    "@type": "User",
    "username": "security.admin"
  },
  "revokedAt": "2024-02-15T09:00:00Z",
  "revokedBy": {
    "@type": "User",
    "username": "security.admin"
  },
  "revokeReason": "Contract ended, access no longer required",
  "reason": "Temporary contractor access for system migration"
}
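The calculated properties from the table (isActive, isExpired, daysUntilExpiration) and the condition shapes used in Examples 2 and 3 evaluated together, as an added Python example that is not part of this schema's own implementation. The function names (parse_ts, check_access, conditions_satisfied), the two constructed grants, and the choice to leave requiresSecondApprover to the approval workflow are assumptions; the evaluator goes slightly beyond the page by accepting both maxAmount shapes shown (bare and under resourceLimit) and by denying on any condition key it does not recognise.

```python
from datetime import datetime, timezone
from zoneinfo import ZoneInfo

def parse_ts(ts):
    # Page timestamps are ISO 8601 with a trailing "Z"; a missing value stays None
    return datetime.fromisoformat(ts.replace("Z", "+00:00")) if ts else None
def is_expired(grant, now):
    exp = parse_ts(grant.get("expiresAt"))
    return exp is not None and now >= exp
def days_until_expiration(grant, now):
    exp = parse_ts(grant.get("expiresAt"))
    return None if exp is None else (exp - now).days
def is_active(grant, now, permission_active=True):
    # isActive as defined in the table: base Permission active, not revoked, effectiveFrom reached, not expired
    if not permission_active or grant.get("revokedAt"):
        return False
    eff = parse_ts(grant.get("effectiveFrom"))
    return (eff is None or now >= eff) and not is_expired(grant, now)

def conditions_satisfied(grant, now, amount=None):
    # Evaluates the condition shapes used on this page; any key it does not
    # recognise denies access (fail closed) rather than being silently ignored
    for key, rule in (grant.get("conditions") or {}).items():
        if key == "timeRestriction":
            name = rule.get("timezone", "UTC")
            local = now.astimezone(timezone.utc if name == "UTC" else ZoneInfo(name))
            days = rule.get("allowedDays")
            if days and local.strftime("%A").lower() not in days:
                return False
            start, end = rule["allowedHours"].split("-")
            if not (start <= local.strftime("%H:%M") < end):
                return False
        elif key in ("resourceLimit", "maxAmount"):
            limit = rule["maxAmount"] if isinstance(rule, dict) else rule
            if amount is None or amount > limit:
                return False
        elif key != "requiresSecondApprover":  # assumed to be enforced by the approval workflow
            return False
    return True
def check_access(grant, now, amount=None, permission_active=True):
    # The grant authorises the action only if it is active and every condition holds
    return is_active(grant, now, permission_active) and conditions_satisfied(grant, now, amount)

# Constructed grants modelled on Examples 2 and 3 (only the fields the check reads)
APPROVE_GRANT = {"grantedAt": "2024-06-01T09:00:00Z", "expiresAt": "2024-12-31T23:59:59Z",
                 "conditions": {"maxAmount": 50000, "requiresSecondApprover": False}}
REPORT_GRANT = {"grantedAt": "2024-03-01T10:00:00Z", "conditions": {"timeRestriction": {
    "allowedDays": ["monday", "tuesday", "wednesday", "thursday", "friday"],
    "allowedHours": "08:00-18:00", "timezone": "UTC"}}}
```

A revocation check must not rely on isExpired alone: a revoked grant with a future expiresAt is still inactive, which is why is_active tests revokedAt first.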