RBAC
Description
Overview
The RBAC module controls access to resources through permissions assigned to users or roles.
All endpoints below require a valid bearer token.
Permission layers
| Layer | Mechanism | Defined in |
|---|---|---|
| API route | CanCallAPIv0 — may this role call METHOD + path? | $DATA_DIR/rbac/{module}.rbac.yaml seeds and Configurator endpoint-role API |
| Record | RecPermission — may this user act on this record_id? | Service-layer code per module (not in .rbac.yaml) |
For seed authoring (file layout, wildcards, bootstrap), see seed_authoring.md. For environment variables, see docs/data-dir-seeds-env.md.
Endpoints
List API Endpoints
GET /v1/rbac/endpoints
Return all registered API endpoints that can be secured via RBAC.
Response (200)
{
  "data": [
    {
      "endpoint": "/v1/customers",
      "method": "GET"
    }
  ],
  "pagination": {
    "has_more": false,
    "total": 1
  }
}
List Permissions
GET /v1/rbac/permissions
Return record-level and role-based permissions visible to the authenticated user.
Response (200)
{
  "data": [
    {
      "actor_id": "550e8400-e29b-41d4-a716-446655440000",
      "rec_type": "customers",
      "permission": "CR"
    }
  ],
  "pagination": {
    "has_more": false,
    "total": 1
  }
}
Permissions are expressed using CRUDA notation:
• C - Create
• R - Read
• U - Update
• D - Delete
• A - Applies to all records (permission to select all records)
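As an added example (not part of the module's own code), the script below parses CRUDA strings from a response shaped like GET /v1/rbac/permissions and lists grants for least-privilege review. The review rule (A combined with U or D), the rejection of duplicate or lowercase letters, and all sample rows other than the first are assumptions made for illustration.

```python
import json

# Letters from the CRUDA list above; anything else is rejected (assumed: uppercase only).
CRUDA = {"C": "create", "R": "read", "U": "update", "D": "delete", "A": "all_records"}

def parse_cruda(value):
    """Turn a CRUDA string such as "CR" into a set of flag names."""
    if not isinstance(value, str) or not value:
        raise ValueError(f"empty or non-string permission: {value!r}")
    flags = set()
    for letter in value:
        if letter not in CRUDA:
            raise ValueError(f"unknown permission letter {letter!r} in {value!r}")
        if CRUDA[letter] in flags:
            raise ValueError(f"duplicate letter {letter!r} in {value!r}")
        flags.add(CRUDA[letter])
    return flags

def review_permissions(body):
    """Return (actor_id, rec_type, flags) for grants that combine A with U or D."""
    if body["pagination"]["has_more"]:
        # Paging parameters are not documented on this page, so refuse a partial audit.
        raise RuntimeError("response is one page of several; fetch all pages first")
    findings = []
    for grant in body["data"]:
        flags = parse_cruda(grant["permission"])
        # Assumed review policy: update or delete rights that apply to all records.
        if "all_records" in flags and flags & {"update", "delete"}:
            findings.append((grant["actor_id"], grant["rec_type"], sorted(flags)))
    return findings

# Constructed sample in the shape of the GET /v1/rbac/permissions response above.
SAMPLE = json.loads("""
{"data": [
  {"actor_id": "550e8400-e29b-41d4-a716-446655440000", "rec_type": "customers", "permission": "CR"},
  {"actor_id": "00000000-0000-4000-8000-000000000001", "rec_type": "customers", "permission": "CRUDA"},
  {"actor_id": "00000000-0000-4000-8000-000000000002", "rec_type": "invoices", "permission": "RA"}
 ],
 "pagination": {"has_more": false, "total": 3}}
""")

if __name__ == "__main__":
    for actor, rec_type, flags in review_permissions(SAMPLE):
        print(f"review: {actor} on {rec_type}: {', '.join(flags)}")
```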
List Record Types
GET /v1/rbac/record-types
Return record types that can be protected by RBAC.
Response (200)
[
  {
    "id": "550e8400-e29b-41d4-a716-446655440000",
    "name": "customers",
    "schema": "customers",
    "active": true
  }
]