Role Management

Tupertino uses Casbin to manage roles and access permissions within its two-tiered organisational structure, which includes root Organisations and their Sub-organisations. This setup uses both Access Control Lists (ACL) and Role-Based Access Control (RBAC) for user and API key management.

Structure and Permissions Overview

  • Root Organisation: Users in a root organisation can view, manage, and invite users to any sub-organisations under them.
  • Sub-organisations: Users here can only view and manage resources within their specific sub-organisation, without access to the root organisation or other sibling sub-organisations.

This structure supports strict separation of permissions and resources while allowing hierarchical access control.

Role Management Policies

API Key Management: Using ACL

API key management now uses Access Control Lists (ACL). Here are key considerations:

  • Resource Specification: During key creation, specify the resources the key should have access to, limiting it to essential resources only.
  • Key Regeneration: If the required resources or access levels change, generate a new API key to apply updated permissions effectively.

User-Organisation Management: Using RBAC

For managing users within organisations, Role-Based Access Control (RBAC) is now applied:

  • Admin - Full access to manage users and resources within their assigned organisation.
  • Member - Limited access to manage specific resources, excluding user management privileges.
  • Viewer - Read-only access to view resources and data without editing permissions.

To assign a role to a user within an organisation, use the Add Organisation Users endpoint. Roles are defined as constants in the system and are hardcoded in roles.service.ts. For any additional roles, add definitions directly to this file.

Organisational Structure and Permission Examples

To illustrate access permissions, here are two scenarios:

  • Scenario A: A user with an admin role in the root organisation, “ABC Holdings,” can invite users to “ABC Holdings” or any sub-organisations, such as “ABC Holdings - Child 1.” This admin user can also manage resources across both the root and associated sub-organisations.
  • Scenario B: A user with a user role in “ABC Holdings - Child 1” can only view and manage resources within “ABC Holdings - Child 1.” They cannot view resources or manage users in the root organisation or any other sub-organisations.

These permissions for human users are managed through Casbin's Role-Based Access Control (RBAC), which offers flexible control over user roles and supports the hierarchical organisational structure.
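Scenarios A and B expressed as a Casbin RBAC-with-domains policy, as an added example that is not Tupertino's code: the model text, the policy lines, the user names (alice, bob) and the custom matcher function `roleInOrgTree` are all assumptions, and the small evaluator stands in for Casbin's enforcer so the block runs without the library.

```python
# Assumed Casbin model (contents of a model.conf), mirrored by the code below:
#   [request_definition]  r = sub, org, obj, act
#   [policy_definition]   p = role, obj, act
#   [role_definition]     g = _, _, _   # user, role, org
#                         g2 = _, _     # child org, parent org
#   [policy_effect]       e = some(where (p.eft == allow))
#   [matchers]            m = roleInOrgTree(r.sub, p.role, r.org)
#                             && r.obj == p.obj && r.act == p.act
# roleInOrgTree is an assumed custom function (Casbin lets you register one)
# that accepts a role held in the request org OR in any ancestor org, which
# is what gives root-organisation users reach into sub-organisations.

# Constructed policy lines in Casbin CSV form (org names from the page).
POLICY = """\
p, admin, users, invite
p, admin, resources, manage
p, admin, resources, view
p, member, resources, manage
p, member, resources, view
p, viewer, resources, view
g, alice, admin, ABC Holdings
g, bob, member, ABC Holdings - Child 1
g2, ABC Holdings - Child 1, ABC Holdings
g2, ABC Holdings - Child 2, ABC Holdings
"""

def load_policy(text):
    """Split the CSV into permissions (p), role grants (g) and org parents (g2)."""
    perms, grants, parent = [], set(), {}
    for line in text.splitlines():
        cells = [c.strip() for c in line.split(",")]
        if cells[0] == "p":
            perms.append(tuple(cells[1:]))
        elif cells[0] == "g":
            grants.add(tuple(cells[1:]))
        elif cells[0] == "g2":
            parent[cells[1]] = cells[2]
    return perms, grants, parent

PERMS, GRANTS, PARENT = load_policy(POLICY)

def role_in_org_tree(sub, role, org):
    """True if sub holds role in org or in any ancestor org; sibling and child
    orgs never grant anything, so a sub-org member cannot reach the root."""
    while org is not None:
        if (sub, role, org) in GRANTS:
            return True
        org = PARENT.get(org)   # walk upwards; None at the root
    return False

def enforce(sub, org, obj, act):
    """Evaluate the matcher above against every p line (allow on first match)."""
    return any(role_in_org_tree(sub, role, org) and obj == p_obj and act == p_act
               for role, p_obj, p_act in PERMS)
```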