Auth/RBAC
Role-based access control
Users receive zero or more roles through `UserRole`. Roles receive zero or more typed permissions through `RolePermission`. Effective permissions are the union of active grants. Pe
Use this when you need a quick orientation to Auth/RBAC.
Model
Users receive zero or more roles through UserRole. Roles receive zero or more typed permissions through RolePermission. Effective permissions are the union of active grants. Permission keys follow <area>.<action>, such as roles.manage.
The reusable list and helpers live in @submicron/auth. The database remains authoritative for grants. UI visibility may improve clarity but never replaces server-side authorization.
Seeded roles
- Founder/Admin: every seeded permission.
- General Manager: broad cross-functional access except role and settings management.
- Operations/CRM Officer: CRM management plus operational read/document access.
- Engineer: audit contribution plus quote, approval, and document visibility.
- Finance/Admin: quote and approval management plus administrative visibility.
- Store Manager: limited customer, quote, approval, and document access.
- Field Staff: field-oriented audit contribution and read access.
- Viewer: non-administrative view permissions only.
These are initial assumptions, not a final segregation-of-duties policy. Named business owners must approve them before production use.
Enforcement pattern
- Validate a Better Auth session.
- Reject inactive or missing users.
- Load roles and permissions from PostgreSQL.
- Validate the exact permission near the protected query or mutation.
- Record consequential actions in
ActivityLog.
Resource ownership, row-level scope, temporary delegation, and approval thresholds are deferred until actual workflows are designed.
Developer Details
- Source
- apps/docs/content/role-based-access-control.md
- Owner
- Module Owner
- Status
- Current
- Module
- Auth/RBAC
- Related route
- /settings/roles