Description
Implement the Role system in the data proxy (data.source.coop) as described in ADR-004.
Roles belong to an account (Individual or Organization) and define:
- Who can assume the Role — identity constraints (IdP bindings with claim constraints)
- What the Role's credentials can access — permission statements (action + resource patterns)
Key Requirements
- Role schema: name, display_name, max_session_duration, identity_constraints[], permissions[]
- Role URN format: sc::{account_id}::role/{role_name}
- Built-in _default Role per account: unlimited ceiling, constrained to the auth.source.coop IdP, cannot be deleted
- Role CRUD API: POST/GET/PUT/DELETE /api/accounts/{account_id}/roles/{role_name}
- Identity constraint evaluation: claim constraints with equals and starts_with operators; constraints are ANDed within a binding and bindings are ORed across the Role
- Permission statements: read/write actions with URN resource patterns supporting prefix scoping
- Role acts as a ceiling on the account's permissions: the effective permission set is the intersection of the account's permissions and the Role's statements, computed at request time (ADR-005)
- Validation rules: name format, max_session_duration bounds, limits on the number of bindings, claim constraints and statements
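The following is an added example, not code from the data proxy or from ADR-004/ADR-005. It shows the two evaluation rules above in working form: identity-constraint matching (equals / starts_with, AND within a binding, OR across bindings) and the request-time intersection that makes the Role a ceiling, plus a validate() sketch. Everything not stated in the requirements is an assumption: IdP bindings are keyed by an issuer URL, claim values are strings, a trailing '*' on a resource URN means prefix scoping, write does not imply read, the "acme" account and its sc::acme::repository/... URNs are invented, and the bounds in validate() are placeholders.

```rust
// Added example (not the data proxy's own code): evaluating a Role's identity
// constraints, applying the Role as a permission ceiling (ADR-005) and checking
// the validation rules. Assumptions not taken from the page: the IdP binding is
// keyed by an issuer URL, claim values are strings, a trailing '*' on a resource
// URN means prefix scoping, write does not imply read, and the bounds in validate().
use std::collections::HashMap;

pub enum Op { Equals, StartsWith }
pub struct ClaimConstraint { pub claim: String, pub op: Op, pub value: String }
pub struct IdpBinding { pub issuer: String, pub constraints: Vec<ClaimConstraint> }
#[derive(Clone, Copy, PartialEq)]
pub enum Action { Read, Write }
pub struct Statement { pub action: Action, pub resource: String } // exact URN or prefix ending in '*'
pub struct Role {
    pub name: String,
    pub display_name: String,
    pub max_session_duration: u32, // seconds
    pub identity_constraints: Vec<IdpBinding>,
    pub permissions: Vec<Statement>,
}

fn stmt(action: Action, resource: &str) -> Statement { Statement { action, resource: resource.into() } }
fn bind(issuer: &str, constraints: Vec<ClaimConstraint>) -> IdpBinding { IdpBinding { issuer: issuer.into(), constraints } }
fn claim(claim: &str, op: Op, value: &str) -> ClaimConstraint { ClaimConstraint { claim: claim.into(), op, value: value.into() } }

pub fn role_urn(account_id: &str, role_name: &str) -> String { format!("sc::{account_id}::role/{role_name}") }

/// Built-in _default Role: unlimited ceiling ("*" matches every URN), assumable only
/// through auth.source.coop (issuer URL and duration are assumed values).
pub fn default_role() -> Role {
    Role {
        name: "_default".into(), display_name: "Default".into(), max_session_duration: 3600,
        identity_constraints: vec![bind("https://auth.source.coop", vec![])],
        permissions: vec![stmt(Action::Read, "*"), stmt(Action::Write, "*")],
    }
}

/// Constructed CI role for a fictitious "acme" account: assumable from GitHub's OIDC
/// issuer for one repo's main branch, or by one human via auth.source.coop, and
/// scoped to one (assumed) repository URN prefix.
pub fn sample_role() -> Role {
    Role {
        name: "ci-publisher".into(), display_name: "CI publisher".into(), max_session_duration: 3600,
        identity_constraints: vec![
            bind("https://token.actions.githubusercontent.com", vec![
                claim("repository", Op::Equals, "acme/data"),
                claim("sub", Op::StartsWith, "repo:acme/data:ref:refs/heads/main"),
            ]),
            bind("https://auth.source.coop", vec![claim("email", Op::Equals, "release@acme.example")]),
        ],
        permissions: vec![stmt(Action::Read, "sc::acme::repository/data/*"), stmt(Action::Write, "sc::acme::repository/data/*")],
    }
}

/// OR across bindings, AND within a binding; a missing claim never satisfies a constraint.
pub fn can_assume(role: &Role, issuer: &str, claims: &HashMap<String, String>) -> bool {
    role.identity_constraints.iter().any(|b| {
        b.issuer == issuer
            && b.constraints.iter().all(|c| match claims.get(&c.claim) {
                Some(v) => match c.op {
                    Op::Equals => v == &c.value,
                    Op::StartsWith => v.starts_with(&c.value),
                },
                None => false,
            })
    })
}

/// Exact match, or prefix match when the pattern ends in '*'.
fn resource_matches(pattern: &str, resource: &str) -> bool {
    match pattern.strip_suffix('*') {
        Some(prefix) => resource.starts_with(prefix),
        None => pattern == resource,
    }
}

fn grants(stmts: &[Statement], action: Action, resource: &str) -> bool {
    stmts.iter().any(|s| s.action == action && resource_matches(&s.resource, resource))
}

/// ADR-005: the Role is a ceiling, so a request is allowed only if BOTH the account's
/// own permissions AND the Role's statements grant it (intersection at request time).
pub fn authorize(account_perms: &[Statement], role: &Role, action: Action, resource: &str) -> bool {
    grants(account_perms, action, resource) && grants(&role.permissions, action, resource)
}

/// Validation rules from the requirements; the concrete bounds are assumed. The name
/// charset excludes ':' and '/' so the Role URN stays unambiguous.
pub fn validate(role: &Role) -> Result<(), String> {
    let name_ok = (1..=64).contains(&role.name.len())
        && role.name.chars().all(|ch| ch.is_ascii_lowercase() || ch.is_ascii_digit() || ch == '-' || ch == '_');
    if !name_ok { return Err(format!("invalid role name {:?}", role.name)); }
    if !(900..=43_200).contains(&role.max_session_duration) {
        return Err("max_session_duration must be between 900 and 43200 seconds".into());
    }
    if role.identity_constraints.len() > 10 || role.permissions.len() > 50
        || role.identity_constraints.iter().any(|b| b.constraints.len() > 10) {
        return Err("too many bindings, claim constraints or statements".into());
    }
    Ok(())
}
```

Two design points worth keeping when implementing the real thing: the issuer is part of the binding, so identical claims presented by a different IdP never match, and a claim that is absent from the token fails its constraint rather than being skipped. The ceiling check is deliberately symmetric: a Role can never grant more than the account itself holds, and the account's permissions can never leak past the Role's statements into a credential minted for that Role.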
References