UserRole
Links users to their assigned roles, forming the core relationship in Role-Based Access Control (RBAC). This junction table manages which roles each user has, when they were granted, by whom, and when they expire. A single user can have multiple roles, and the same role can be assigned to many users, creating a many-to-many relationship. This entity goes beyond simple linking by tracking the complete lifecycle of role assignments including the reason for granting, approval chains, activation dates, and expiration. Temporary role assignments are common for contractors or for elevated privileges during emergencies. The entity supports role delegation, where a manager can grant their roles to subordinates temporarily. It also handles contextual roles - a user might be an 'Admin' for Project A but only a 'Viewer' for Project B. The system evaluates all active user roles to determine the complete set of permissions. Historical records are maintained even after roles expire or are revoked, providing an audit trail for compliance. This is critical for answering questions like 'Who had admin access last month?' during security investigations.
Properties
| Property | Type | Mode | Description | Required |
|---|---|---|---|---|
| user | User | stored | The user receiving this role assignment | Required |
| role | Role | stored | The role being assigned to the user | Required |
| assignmentId | uuid | stored | Unique identifier for this specific assignment | Required |
| assignedBy | User | stored | Administrator who granted this role | Optional |
| assignedAt | DateTime | stored | When the role was granted | Required |
| assignmentReason | string | stored | Explanation for why this role was granted Example: | Optional |
| activatedAt | DateTime | stored | When the role becomes active (can be future-dated) | Required |
| expiresAt | DateTime | stored | When this role assignment expires | Optional |
| scope | string | stored | Context where this role applies (project, department, etc.) Example: | Optional |
| isPrimary | boolean | stored | Whether this is the user's primary role | Optional |
| isTemporary | boolean | stored | Whether this is a temporary assignment | Optional |
| isDelegated | boolean | stored | Whether this role was delegated from another user | Optional |
| delegatedFrom | User | stored | Original role holder who delegated this role | Optional |
| approvalStatus | string | enum | Approval state if role requires approval Values: | Optional |
| approvedBy | User | stored | Manager who approved this role assignment | Optional |
| approvedAt | DateTime | stored | When the assignment was approved | Optional |
| approvalNotes | string | stored | Comments from the approval process | Optional |
| conditions | string | stored | JSON conditions that must be met for role to be active Example: | Optional |
| isActive | boolean | stored | Whether this role assignment is currently active | Optional |
| suspendedAt | DateTime | stored | When the role was temporarily suspended | Optional |
| suspendedReason | string | stored | Why the role was suspended | Optional |
| revokedAt | DateTime | stored | When the role was permanently revoked | Optional |
| revokedBy | User | stored | Who revoked this role assignment | Optional |
| revokedReason | string | stored | Reason for revoking the role | Optional |
| lastUsedAt | DateTime | stored | Last time permissions from this role were used | Optional |
| metadata | object | stored | Additional assignment-specific data | Optional |
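The lifecycle described above is easiest to get right when the decision is derived from the timestamps (activatedAt, expiresAt, suspendedAt, revokedAt, approvalStatus) rather than from the stored isActive flag, so that a stale flag cannot keep an expired or revoked role alive, and when the same evaluator is reused for the point-in-time audit question ("who had admin access last month?"). The following Python is an added example, not code from the original page; it reshapes the two example records below into sample input, and the user and role identifiers, the function names, and the scope-matching rule ("global" applies everywhere, otherwise exact match) are assumptions.

```python
from datetime import datetime, timezone

# Two UserRole records shaped like the page's examples. The "user" and "role"
# values are constructed here because the page's examples omit them.
ASSIGNMENTS = [
    {
        "@type": "UserRole",
        "user": "user_alice",            # constructed
        "role": "engineering_manager",   # constructed
        "assignmentId": "assign_abc123",
        "assignedAt": "2024-03-01T10:00:00Z",
        "activatedAt": "2024-03-01T10:00:00Z",
        "expiresAt": None,
        "scope": "department:engineering",
        "approvalStatus": "approved",
        "isActive": True,
    },
    {
        "@type": "UserRole",
        "user": "user_bob",              # constructed
        "role": "admin",                 # constructed
        "assignmentId": "assign_temp_789",
        "assignedAt": "2024-03-10T08:00:00Z",
        "activatedAt": "2024-03-10T08:00:00Z",
        "expiresAt": "2024-03-24T17:00:00Z",
        "scope": "global",
        "isTemporary": True,
        "isDelegated": True,
        "delegatedFrom": "admin_primary",
        "isActive": True,
    },
]


def parse_ts(value):
    """Parse an ISO-8601 timestamp with a trailing Z into an aware datetime; None stays None."""
    if value is None:
        return None
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def assignment_state(a, at):
    """Derive the lifecycle state of one assignment at instant `at`.

    Checks run from most to least final: revoked, suspended, approval,
    then the activation/expiry window. The stored isActive flag is ignored.
    """
    revoked_at = parse_ts(a.get("revokedAt"))
    if revoked_at is not None and revoked_at <= at:
        return "revoked"
    suspended_at = parse_ts(a.get("suspendedAt"))
    # The schema records when a suspension began but not when it ended, so a
    # suspension is assumed to still hold once it has started.
    if suspended_at is not None and suspended_at <= at:
        return "suspended"
    # If the assignment went through an approval flow, anything other than
    # "approved" confers nothing.
    status = a.get("approvalStatus")
    if status is not None and status != "approved":
        return "unapproved"
    activated_at = parse_ts(a.get("activatedAt"))
    if activated_at is None or activated_at > at:
        return "pending"      # future-dated activation
    expires_at = parse_ts(a.get("expiresAt"))
    if expires_at is not None and expires_at <= at:
        return "expired"
    return "active"


def scope_applies(assignment_scope, requested_scope):
    """Assumed rule: a 'global' assignment applies everywhere; otherwise scopes must match exactly."""
    return assignment_scope == "global" or assignment_scope == requested_scope


def effective_roles(assignments, user, scope, at):
    """The set of role names `user` actually holds in `scope` at instant `at`."""
    return {
        a["role"]
        for a in assignments
        if a["user"] == user
        and scope_applies(a.get("scope", "global"), scope)
        and assignment_state(a, at) == "active"
    }


def holders_of_role_at(assignments, role, at):
    """Point-in-time audit over retained records: which users held `role` (any scope) at `at`."""
    return {
        a["user"]
        for a in assignments
        if a["role"] == role and assignment_state(a, at) == "active"
    }


if __name__ == "__main__":
    mid_march = datetime(2024, 3, 15, 12, 0, tzinfo=timezone.utc)
    april = datetime(2024, 4, 1, 12, 0, tzinfo=timezone.utc)
    print(effective_roles(ASSIGNMENTS, "user_bob", "department:finance", mid_march))  # {'admin'}
    print(holders_of_role_at(ASSIGNMENTS, "admin", april))  # set()
```

Because expired and revoked rows are never deleted, the same `assignment_state` that gates a live permission check also answers the audit query for any past instant; the only field it cannot reconstruct exactly is the end of a suspension, which the schema does not record.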
Examples
Example 1
{
  "@type": "UserRole",
  "assignmentId": "assign_abc123",
  "assignedAt": "2024-03-01T10:00:00Z",
  "assignmentReason": "Promoted to Engineering Manager",
  "activatedAt": "2024-03-01T10:00:00Z",
  "expiresAt": null,
  "scope": "department:engineering",
  "isPrimary": true,
  "isTemporary": false,
  "isDelegated": false,
  "approvalStatus": "approved",
  "approvedBy": "director_456",
  "approvedAt": "2024-03-01T09:30:00Z",
  "approvalNotes": "Approved per HR recommendation",
  "isActive": true,
  "lastUsedAt": "2024-03-15T14:30:00Z",
  "metadata": {
    "teamSize": 12,
    "previousRole": "senior_engineer"
  }
}
Example 2
{
  "@type": "UserRole",
  "assignmentId": "assign_temp_789",
  "assignedBy": "manager_123",
  "assignedAt": "2024-03-10T08:00:00Z",
  "assignmentReason": "Covering for admin during vacation",
  "activatedAt": "2024-03-10T08:00:00Z",
  "expiresAt": "2024-03-24T17:00:00Z",
  "scope": "global",
  "isPrimary": false,
  "isTemporary": true,
  "isDelegated": true,
  "delegatedFrom": "admin_primary",
  "conditions": "{\"max_operations_per_day\":50,\"restricted_actions\":[\"delete_users\",\"modify_billing\"]}",
  "isActive": true,
  "metadata": {
    "coverageType": "vacation",
    "originalRoleHolder": "admin_primary"
  }
}