Capabilities & Permissions
Permissions are attached to Features and assigned to subjects (usually roles).
Feature & Permission Model
| Concept | Description |
|---|---|
| Feature | Canonical capability key (e.g., USER_MGMT, FEATURE_FLAG) |
| Permission fields | read, create, update, delete, restore and optional extraActions (e.g., ASSIGN, UNASSIGN, UPDATE_ASSIGNMENT) |
| Uniqueness | One Permission per Feature (validated by data layer; service maps conflicts to 409 or 400) |
Assignment
| Concept | Description |
|---|---|
| Subject types | Typically ROLE (other subject types may be supported by the data layer) |
| Uniqueness | Composite unique (permissionId, subjectType, subjectId) prevents duplicates |
| Auditing | Service methods expose create/update/delete operations for assignments and audit every change |
Guarding
- Controllers check capability using role membership and assigned permissions
- Batch checks supported via
/capabilities/canin the backend for UI usage