
RBAC: add custom roles and permission matrix #162

Merged
BadgerOps merged 1 commit into master from feature/custom-rbac-roles on May 8, 2026


Conversation

@BadgerOps
Owner

Summary

Implements custom RBAC roles for CloudPAM and replaces the static UI-only RBAC view with a functional role editor backed by API-enforced permissions.

Closes #132.

What changed

  • Added a complete app-wide permission catalog using resource:action permissions.
  • Added persisted role stores for:
    • in-memory development mode
    • SQLite builds
    • PostgreSQL builds
  • Added role and permission APIs:
    • GET /api/v1/auth/permissions
    • GET /api/v1/auth/roles
    • POST /api/v1/auth/roles
    • GET /api/v1/auth/roles/{name}
    • PATCH /api/v1/auth/roles/{name}
    • DELETE /api/v1/auth/roles/{name}
  • Enforced built-in role immutability for admin/operator/viewer/auditor.
  • Blocked deletion of custom roles assigned to active users.
  • Updated existing API permission checks to resolve permissions through the dynamic role provider.
  • Changed API-key authorization so bearer-token requests are evaluated from API key scopes directly instead of being expanded into broader built-in role levels.
  • Added permission data to login and /api/v1/auth/me responses so the UI can gate admin pages by permissions.
  • Updated user role assignment to validate custom roles and expose custom roles in role selectors.
  • Added Identity > RBAC UI for creating, editing, deleting, and reviewing roles against the app-wide permission matrix.
  • Added SQLite and PostgreSQL migrations to sync persisted permissions and built-in role assignments.
  • Updated OpenAPI, auth docs, README, project plan, and versioned changelog entry 0.13.0.

Permission model notes

  • Role administration is protected by settings:read for list/read endpoints and settings:write for create/update/delete endpoints.
  • Built-in roles remain immutable but are now represented through the same role API as custom roles.
  • Custom role names are normalized slugs and are stored in the existing user role field.
  • API key scope creation now validates requested scopes against the caller's effective permissions, including custom roles.

Verification

  • go test ./...
  • go test -tags sqlite ./internal/auth ./internal/api ./cmd/cloudpam ./internal/storage/sqlite
  • go test -tags postgres ./cmd/cloudpam ./internal/auth
  • npm run build from ui/
  • git diff --cached --check

Screenshots

Not included. This is an admin workflow change; the functional UI was type-checked and production-built with Vite.
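To make the permission-model notes concrete, here is an added example that is not CloudPAM's code: an in-memory role store that enforces the rules the PR lists (a resource:action catalog, slug-normalized custom roles that cannot shadow an existing name, immutable built-ins, no deletion of a role still assigned to a user, permissions resolved through the role store at request time, and API-key scopes checked against the caller's effective permissions). The catalog of four permissions, the built-in roles' grants, and the names Store, CreateRole, DeleteRole, AssignRole, Effective and ValidateScopes are all assumptions made for this example; CloudPAM's own types and API handlers are not shown on this page.

```go
package main

import (
	"errors"
	"fmt"
	"strings"
)

type Permission string // resource:action, e.g. "settings:write"

// Catalog is a constructed stand-in for the app-wide permission catalog.
var Catalog = map[Permission]bool{"accounts:read": true, "accounts:write": true, "settings:read": true, "settings:write": true}

type Role struct {
	BuiltIn     bool
	Permissions map[Permission]bool
}

type Store struct {
	roles    map[string]*Role  // role slug -> role (the dynamic role provider)
	userRole map[string]string // user ID -> role slug (the existing user role field)
}

var ErrImmutable, ErrInUse = errors.New("built-in roles are immutable"), errors.New("role is assigned to active users")

// NewStore seeds the four built-in roles; their grants here are illustrative assumptions.
func NewStore() *Store {
	s := &Store{roles: map[string]*Role{}, userRole: map[string]string{}}
	for name, perms := range map[string][]Permission{
		"admin":    {"accounts:read", "accounts:write", "settings:read", "settings:write"},
		"operator": {"accounts:read", "accounts:write", "settings:read"},
		"viewer":   {"accounts:read"},
		"auditor":  {"accounts:read", "settings:read"},
	} {
		s.CreateRole(name, perms) // seed grants are all in Catalog, so this cannot fail
		s.roles[name].BuiltIn = true
	}
	return s
}

// CreateRole stores a role under its normalized slug; grants must be in the catalog and no existing name can be shadowed.
func (s *Store) CreateRole(name string, perms []Permission) (string, error) {
	slug := strings.ReplaceAll(strings.ToLower(strings.TrimSpace(name)), " ", "-")
	if s.roles[slug] != nil {
		return "", fmt.Errorf("role %q already exists", slug)
	}
	r := &Role{Permissions: map[Permission]bool{}}
	for _, p := range perms {
		if !Catalog[p] {
			return "", fmt.Errorf("unknown permission %q", p)
		}
		r.Permissions[p] = true
	}
	s.roles[slug] = r
	return slug, nil
}

// DeleteRole refuses built-ins and any custom role still assigned to a user.
func (s *Store) DeleteRole(name string) error {
	if r := s.roles[name]; r == nil {
		return fmt.Errorf("role %q not found", name)
	} else if r.BuiltIn {
		return ErrImmutable
	}
	for _, assigned := range s.userRole {
		if assigned == name {
			return ErrInUse
		}
	}
	delete(s.roles, name)
	return nil
}

// AssignRole accepts built-in or custom roles, but only ones the store knows.
func (s *Store) AssignRole(userID, role string) error {
	if s.roles[role] == nil {
		return fmt.Errorf("role %q not found", role)
	}
	s.userRole[userID] = role
	return nil
}

// Effective resolves a user's permissions through the role store at request time.
func (s *Store) Effective(userID string) map[Permission]bool {
	if r := s.roles[s.userRole[userID]]; r != nil {
		return r.Permissions
	}
	return nil // a nil map reads as "no permissions"
}

// ValidateScopes rejects API-key scopes the caller does not itself hold, so no key outranks its creator.
func (s *Store) ValidateScopes(callerID string, scopes []Permission) error {
	eff := s.Effective(callerID)
	for _, sc := range scopes {
		if !eff[sc] {
			return fmt.Errorf("scope %q exceeds caller's effective permissions", sc)
		}
	}
	return nil
}

func main() { fmt.Println(NewStore().DeleteRole("admin")) } // prints "built-in roles are immutable"
```

Two design points worth noting. Effective looks the role up on every call rather than caching a role level on the session, so editing a custom role's grants changes what its users can do immediately, which is what the PR's "resolve permissions through the dynamic role provider" buys. ValidateScopes compares requested scopes against those effective permissions at key-creation time, which is the check that stops a user from minting an API key with more authority than they hold; it also means an unknown scope is rejected, since Effective can only ever return catalog permissions.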

@BadgerOps BadgerOps merged commit 2052b91 into master May 8, 2026
16 checks passed


Development

Successfully merging this pull request may close these issues.

Custom RBAC Roles

1 participant