UserGroupPermission
Grants specific permissions directly to groups without going through roles, giving fine-grained control for group-specific access needs. Roles bundle many permissions, but a group sometimes needs an individual permission that fits no existing role; this entity lets an administrator grant a permission such as 'edit team wiki' or 'access project dashboard' straight to the group, and every member inherits it automatically. This suits resource ownership: the 'Marketing Team' group might hold 'full control' over marketing folders, or the 'Security Team' might hold 'audit log access', neither of which needs a dedicated role.

An assignment can be conditional on context (time, location, resource attributes) and can override role-based permissions when needed; for example, a group can be explicitly denied a specific dangerous permission even though its roles would normally grant it. The system tracks permission inheritance through group hierarchies and resolves conflicts between assignments using priority levels.

Direct permission assignment is essential for resource-based access control, where groups own and manage specific assets. It also enables quick, temporary grants for urgent situations without creating throwaway roles.
Properties
| Property | Type | Mode | Description | Required |
|---|---|---|---|---|
| assignmentId | uuid | stored | Unique identifier for this permission assignment | Required |
| group | UserGroup | stored | The group receiving this permission | Required |
| permission | Permission | stored | The permission being granted or denied | Required |
| grantType | string | enum | Whether permission is granted or explicitly denied Values: | Required |
| grantedBy | User | stored | Administrator who granted this permission | Optional |
| grantedAt | DateTime | stored | When this permission was assigned | Required |
| reason | string | stored | Explanation for this permission grant Example: | Optional |
| resourceScope | string | stored | Specific resources this permission applies to Example: | Optional |
| conditions | string | stored | JSON conditions for when permission applies Example: | Optional |
| constraints | string | stored | JSON constraints limiting the permission Example: | Optional |
| validFrom | DateTime | stored | When this permission becomes active | Optional |
| validUntil | DateTime | stored | When this permission expires | Optional |
| priority | integer | stored | Resolution order for permission conflicts | Optional |
| inheritToSubgroups | boolean | stored | Whether subgroups inherit this permission | Optional |
| inheritToMembers | boolean | stored | Whether group members get this permission | Optional |
| requiresMfa | boolean | stored | Whether 2FA is required to use this permission | Optional |
| requiresApproval | boolean | stored | Whether using this permission needs approval | Optional |
| approvalConfig | string | stored | JSON configuration for approval workflow | Optional |
| auditLevel | string | enum | Level of auditing for this permission usage Values: | Optional |
| usageLimit | integer | stored | Maximum times this permission can be used per period | Optional |
| usagePeriod | string | stored | Period for usage limits (hour, day, week, month) | Optional |
| currentUsage | integer | stored | Current usage count in the period | Optional |
| isActive | boolean | stored | Whether this permission grant is active | Optional |
| suspendedAt | DateTime | stored | When this permission was suspended | Optional |
| revokedAt | DateTime | stored | When this permission was revoked | Optional |
| revokedBy | User | stored | Who revoked this permission | Optional |
| lastUsedAt | DateTime | stored | Last time this permission was used by the group | Optional |
| metadata | object | stored | Additional permission configuration | Optional |
Examples
Example 1
{
"@type": "UserGroupPermission",
"assignmentId": "perm_mkt_folders",
"grantType": "grant",
"grantedBy": "admin_it",
"grantedAt": "2024-01-20T11:00:00Z",
"reason": "Marketing team owns and manages all marketing digital assets",
"resourceScope": "/resources/marketing/**",
"conditions": "{\"resource_path_starts_with\":\"/resources/marketing/\"}",
"constraints": "{\"max_file_size\":\"500MB\",\"prohibited_extensions\":[\".exe\",\".bat\"]}",
"priority": 100,
"inheritToSubgroups": true,
"inheritToMembers": true,
"requiresMfa": false,
"requiresApproval": false,
"auditLevel": "detailed",
"isActive": true,
"lastUsedAt": "2024-03-15T14:30:00Z",
"metadata": {
"resource_owner": "marketing_department",
"storage_quota": "1TB"
}
}
Example 2
{
"@type": "UserGroupPermission",
"assignmentId": "perm_sec_audit",
"grantType": "grant",
"grantedBy": "ciso",
"grantedAt": "2024-02-01T09:00:00Z",
"reason": "Security team needs access to all audit logs for compliance monitoring",
"resourceScope": "/audit-logs/**",
"conditions": "{\"log_level\":[\"warning\",\"error\",\"critical\"]}",
"validFrom": "2024-02-01T09:00:00Z",
"validUntil": "2025-02-01T00:00:00Z",
"priority": 150,
"inheritToSubgroups": false,
"inheritToMembers": true,
"requiresMfa": true,
"requiresApproval": false,
"auditLevel": "full",
"usageLimit": 1000,
"usagePeriod": "day",
"currentUsage": 247,
"isActive": true,
"lastUsedAt": "2024-03-15T16:00:00Z",
"metadata": {
"compliance_requirement": "SOC2",
"retention_days": 90
}
}
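As an added example (not part of this page or of the system it documents), a small Python resolver that applies the properties above to records shaped like the two examples: the validity window, resourceScope matching, the page's resource_path_starts_with condition, usageLimit against currentUsage, requiresMfa, and priority-based conflict resolution. The group and permission values, the 'deny' grantType value, deny winning a priority tie, unknown condition keys failing closed and isActive defaulting to true are all assumptions.

```python
import json
from datetime import datetime, timezone
from fnmatch import fnmatchcase

def parse_ts(s):  # ISO-8601 with a trailing "Z", as in the page's examples
    return datetime.fromisoformat(s.replace("Z", "+00:00"))

def applies(a, resource, now):
    """True if assignment a is in force for resource at now (isActive defaults to True: assumption)."""
    if not a.get("isActive", True) or a.get("revokedAt") or a.get("suspendedAt"):
        return False
    if a.get("validFrom") and now < parse_ts(a["validFrom"]):
        return False
    if a.get("validUntil") and now >= parse_ts(a["validUntil"]):
        return False
    if a.get("resourceScope") and not fnmatchcase(resource, a["resourceScope"]):
        return False
    if a.get("usageLimit") is not None and a.get("currentUsage", 0) >= a["usageLimit"]:
        return False  # quota for the usagePeriod is exhausted
    # Only the condition key used on the page is understood; any other key fails closed (assumption).
    for key, value in json.loads(a.get("conditions") or "{}").items():
        if key != "resource_path_starts_with" or not resource.startswith(value):
            return False
    return True

def resolve(assignments, group, permission, resource, now, mfa_verified=False):
    """Return "grant", "deny" or None (nothing applicable). Highest priority wins; at equal
    priority a deny beats a grant, and a requiresMfa grant without verified MFA is refused."""
    hits = [a for a in assignments if a["group"] == group
            and a["permission"] == permission and applies(a, resource, now)]
    if not hits:
        return None
    top = max(a.get("priority", 0) for a in hits)
    winners = [a for a in hits if a.get("priority", 0) == top]
    if any(a["grantType"] == "deny" for a in winners):
        return "deny"
    if any(a.get("requiresMfa") for a in winners) and not mfa_verified:
        return "deny"
    return "grant"

# Constructed sample assignments shaped like the page's examples; group/permission values are made up.
ASSIGNMENTS = [
    {"assignmentId": "perm_mkt_folders", "group": "marketing_team", "permission": "folder:full_control",
     "grantType": "grant", "resourceScope": "/resources/marketing/**", "priority": 100, "isActive": True,
     "conditions": "{\"resource_path_starts_with\":\"/resources/marketing/\"}"},
    {"assignmentId": "perm_mkt_legal_deny", "group": "marketing_team", "permission": "folder:full_control",
     "grantType": "deny", "resourceScope": "/resources/marketing/legal/**", "priority": 200},
    {"assignmentId": "perm_sec_audit", "group": "security_team", "permission": "audit_log:read",
     "grantType": "grant", "resourceScope": "/audit-logs/**", "priority": 150, "requiresMfa": True,
     "validFrom": "2024-02-01T09:00:00Z", "validUntil": "2025-02-01T00:00:00Z", "usageLimit": 1000, "currentUsage": 247},
]
```

The higher-priority deny on the legal subfolder overrides the broad marketing grant, which is the override behaviour the description above calls for.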