Integrate Roles in data.source.coop #126

Description

@alukach

Implement the Role system in the data proxy (data.source.coop) as described in ADR-004.

Roles belong to an account (Individual or Organization) and define:

  • Who can assume the Role — identity constraints (IdP bindings with claim constraints)
  • What the Role's credentials can access — permission statements (action + resource patterns)

Key Requirements

  • Role schema: name, display_name, max_session_duration, identity_constraints[], permissions[]
  • Role URN format: sc::{account_id}::role/{role_name}
  • Built-in _default Role per account (unlimited ceiling, constrained to auth.source.coop IdP, cannot be deleted)
  • Role CRUD API: POST/GET/PUT/DELETE /api/accounts/{account_id}/roles/{role_name}
  • Identity constraint evaluation: claim constraints with equals and starts_with operators, AND within a binding, OR across bindings
  • Permission statements: read/write actions with URN resource patterns supporting prefix scoping
  • Role acts as a ceiling on account permissions — intersection at request time (ADR-005)
  • Validation rules: name format, max session duration bounds, limits on bindings/constraints/statements

References
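
The evaluation rules listed under Key Requirements (AND within a binding, OR across bindings, Role as a ceiling on account permissions), sketched as an added example that is not taken from the issue, the ADRs or the project's code. The field names inside bindings and statements (`issuer`, `claim_constraints`, `claim`, `operator`, `value`, `actions`, `resource`), the trailing `*` prefix syntax, the `idp.example` issuer and the resource URNs are assumptions.

```python
# Added illustration. Binding/statement field names and the trailing-* prefix
# syntax are assumptions; the issue names only the operators and actions.
def claim_matches(constraint, claims):
    value = claims.get(constraint["claim"])
    if not isinstance(value, str):  # missing or non-string claim: fail closed
        return False
    if constraint["operator"] == "equals":
        return value == constraint["value"]
    if constraint["operator"] == "starts_with":
        return value.startswith(constraint["value"])
    return False  # unknown operator: fail closed

def can_assume(role, claims):
    """OR across bindings; AND across the claim constraints in one binding."""
    return any(
        claims.get("iss") == b["issuer"]
        and all(claim_matches(c, claims) for c in b["claim_constraints"])
        for b in role["identity_constraints"])

def permits(statements, action, resource):
    for s in statements:
        pattern = s["resource"]
        hit = (resource.startswith(pattern[:-1]) if pattern.endswith("*")
               else resource == pattern)
        if hit and action in s["actions"]:
            return True
    return False

def authorize(role, account_statements, action, resource):
    """Role as ceiling: the request must pass the account grant AND the Role."""
    return (permits(account_statements, action, resource)
            and permits(role["permissions"], action, resource))

# Constructed sample data (hypothetical issuer, claims and resource URNs).
ROLE = {
    "name": "ci-publisher",
    "identity_constraints": [
        {"issuer": "https://idp.example", "claim_constraints": [
            {"claim": "repo", "operator": "equals", "value": "acme/pipeline"},
            {"claim": "ref", "operator": "starts_with", "value": "refs/tags/"}]},
        {"issuer": "https://auth.source.coop", "claim_constraints": [
            {"claim": "sub", "operator": "equals", "value": "user-123"}]},
    ],
    "permissions": [{"actions": ["read", "write"],
                     "resource": "sc::acme::product/climate/*"}],
}
ACCOUNT = [{"actions": ["read"], "resource": "sc::acme::*"},
           {"actions": ["write"], "resource": "sc::acme::product/climate/staging/*"}]
```

Ending the prefix pattern at the `/` delimiter keeps `climate/*` from also covering a sibling such as `climate-private/`.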
