generated from coulomb/repo-seed
1.2 KiB
1.2 KiB
Pattern: Role Composition
Status: seed Readiness target: RL3 production Primary owners: NetKingdom, flex-auth Genesis family: Identity and access
Problem
Hardcoded roles become too broad, inconsistent, and difficult to review as products, tenants, agents, and operational tasks grow.
Context
Use this pattern for platform roles, tenant roles, product roles, operator privileges, and agent scopes.
Forces
- Roles need stable names for people and policy.
- Permissions are resource and action specific.
- Tenant roles differ from platform roles.
- Agents need narrower scopes than human sponsors.
Solution
Compose roles from named capabilities, resource scopes, actions, constraints, and obligations. Keep role vocabulary in a reviewable model that can be evaluated by flex-auth or a delegated PDP.
Verification
- Each role maps to explicit capabilities and action sets.
- Privileged roles are time bounded or separately approved.
- Tenant and platform roles cannot be confused.
- Access reviews can explain why an actor has an action.
Related Patterns
- Policy Decision Point / Policy Enforcement Point.
- Time-boxed Privilege Elevation.
- Human/Agent Identity Split.
- Object-Level Authorization Check.