Role & Permission Management
En bref
Role & Permission Management is the capability-based RBAC layer that authorises every API call on the platform. Capabilities are deny-by-default, grouped into reusable role templates (FIPJP Admin, Club President, Umpire L1-L5, Tournament Director and others), and assigned per user per tenant with an optional OrgNode scope so authority always matches organisational reality.
Comment ça fonctionne
The authorisation model is built on capabilities, not roles. Each endpoint declares the capabilities it requires (e.g. competitions:create, members:read, finance:export); the auth middleware looks up the caller's effective capability set and denies any request whose required capabilities are not present. Roles are convenience containers: a role document holds a list of capabilities (with wildcard support such as competitions:* or *:read), and assigning a role to a user grants the union of its capabilities at the assignment's scope.
Scope is two-dimensional — tenant_id is mandatory, and an optional org_node_id narrows the grant to a subtree. A District Admin role assigned at a Swedish district OrgNode therefore yields competitions:* only for clubs and players in that subtree, while the same role assigned to a national admin yields it tenant-wide. Role inheritance lets templates extend each other (national-admin inherits regional-admin), keeping the predefined catalogue maintainable.
The petanque-specific catalogue ships with FIPJP Admin, Continental President, National Federation Admin, National Sports Director, District Admin, Club President/Secretary/Treasurer, Licensed Player, Umpire L1-L5, Tournament Director, Coach, Scorer/Volunteer and Spectator, each tuned to a realistic capability set. Sensitive-field restrictions add a column-level overlay — even a role with members:read may have date_of_birth or personal_id_number stripped from responses unless a more privileged capability is held. Temporary role grants attach a valid_from/valid_until window so a tournament director gets full event-management capabilities for one weekend only and is automatically removed afterwards.
Role request and approval workflows let users self-request (e.g. an aspiring umpire applying for L1 once certified), with the appropriate higher role acting as approver. Access debugging tools let administrators simulate "why was this request denied?" and trace the exact missing capability.
Capacités clés
- Capability-based access control with deny-by-default enforcement and wildcard support
- Reusable role templates with inheritance across the petanque-specific catalogue
- Tenant + OrgNode scoping for every role assignment
- Sensitive-field restrictions for column-level data masking
- Temporary role grants with valid_from/valid_until windows
- Self-service role request and approval workflow
- Access debugging tools for tracing denied requests
En pratique
An umpire passes the L3 examination at a national clinic. From his profile he requests the Umpire L3 role; the request is routed to the National Sports Director, who approves it with one click. The role is assigned at tenant scope (national federation) and instantly grants matches:officiate and disciplinary:report capabilities.
The next weekend he is appointed Tournament Director for a single regional competition; the federation admin issues a temporary grant valid only Friday-Sunday, scoped to that event. On Monday morning the temporary capabilities expire automatically and he is back to his standing umpire role, with the access debugger showing exactly which capabilities were active at any moment of the weekend.
Fonctionnalités de ce sous-système
10| ID | Status | Fonctionnalités |
|---|---|---|
| F02.03.01 | Livré | Capability-based access control (deny-by-default) ✅ PL-F0203a |
| F02.03.02 | Livré | Role definition with capability sets ✅ PL-F0203a |
| F02.03.03 | Livré | Role inheritance (e.g., national-admin inherits regional-admin) ✅ PL-F0203a |
| F02.03.04 | Livré | Role assignment per user per tenant (+ OrgNode scope for regional/club roles) ✅ PL-F0203a |
| F02.03.05 | Livré | Wildcard capabilities (e.g., competitions:*) ✅ PL-F0203a |
| F02.03.06 | Livré | Sensitive field restrictions ✅ PL-F0203b (tabelldriven SENSITIVE_FIELD_SPECS, filter_document/filter_documents, assert_write_allowed, profile:read_sensitive-override, GET /sensitive-fields, POST /sensitive-fields/check) |
| F02.03.07 | Livré | Petanque-specific role templates (see below) ✅ PL-F0203b (category/suggested_scope/is_temporal/is_petanque_specific/requires_approval metadata på RoleTemplate, GET /role-templates?category=...&scope=...) |
| F02.03.08 | Livré | Access debugging tools ✅ PL-F0203b (GET /access-debug/role-tree/{name} BFS inkl. cycle/missing-markering, GET /access-debug/users/{id}?at=... active/inactive split, POST /access-debug/check med granting_roles) |
| F02.03.09 | Livré | Temporary role grants (e.g., tournament director for one event) ✅ PL-F0203b (POST /role-grants/temporary, GET /role-grants/temporary?active_only=..., DELETE /role-grants/{id}, exkluderar permanenta grants automatiskt) |
| F02.03.10 | Livré | Role request and approval workflow ✅ PL-F0203b (RoleRequest-dokument, POST /role-requests med dubblettguard 409, /approve med scope-narrowing, /deny, /cancel med requester-only guard 403) |