diff --git a/PERMISSIONS.md b/PERMISSIONS.md
index 47466d2..e628dc2 100644
--- a/PERMISSIONS.md
+++ b/PERMISSIONS.md
@@ -177,3 +177,41 @@ role assignment.
 - ***Auditor***: inherited from Project Auditor, Committee Auditor
 
 ---
+
+### B2B Organization
+
+Access to a B2B Organization object is controlled via three directly-assignable
+roles: **Owner**, **Writer**, and **Auditor**. No job-to-be-done actions are
+documented for this type yet; this section will be expanded as API coverage
+grows.
+
+#### Permission Inheritance
+
+- **Writer**: also granted to Owner; inherited from global org-admin team
+- **Auditor**: also granted to Writer
+
+---
+
+### Project Membership
+
+Access to a Project Membership object is fully inherited — there are no
+directly-assignable roles on this type. Write access is scoped to B2B
+Organization writers; read access is additionally available to Project auditors.
+
+#### Permission Inheritance
+
+- ***Writer***: inherited from B2B Organization Writer
+- ***Auditor***: inherited from B2B Organization Auditor, Project Auditor
+
+---
+
+### Key Contact
+
+Access to a Key Contact object is fully inherited — there are no
+directly-assignable roles on this type. Both write and read access are
+available to either the parent B2B Organization or the parent Project.
+
+#### Permission Inheritance
+
+- ***Writer***: inherited from B2B Organization Writer, Project Writer
+- ***Auditor***: inherited from B2B Organization Auditor, Project Auditor
diff --git a/charts/lfx-platform/templates/openfga/model.yaml b/charts/lfx-platform/templates/openfga/model.yaml
index 040c0b6..60ab565 100644
--- a/charts/lfx-platform/templates/openfga/model.yaml
+++ b/charts/lfx-platform/templates/openfga/model.yaml
@@ -23,8 +23,8 @@ spec: @fgadoc:hide, @fgadoc:alias, @fgadoc:collapse tags are managed manually. */}} - version: - major: 10 - minor: 1 + major: 11 + minor: 0 patch: 0 authorizationModel: | model
@@ -419,10 +419,42 @@ spec:
       # we just use the "owner" relation in our access checks!
       define auditor: owner or auditor from survey
 
-    # @fgadoc:hide
-    # This type is used for access to membership apis, not to define someone as a project member
-    # eventually it needs to be expanded as we index objects
-    type member
+    # @fgadoc:alias B2B Organization
+    # The b2b_org type represents a Salesforce Account (B2B company). The UID is
+    # an invertible UUID v8 encoded from the Salesforce Account SFID.
+    # global_org_admin is written to every b2b_org at creation time by the member
+    # service, providing writer (and transitively auditor) access to all org admins
+    # without requiring a hierarchical root object.
+    type b2b_org
+      relations
+        # @fgadoc:hide
+        define global_org_admin: [team#member]
+        define owner: [user]
+        define writer: [user] or owner or global_org_admin
+        define auditor: [user, team#member] or writer
+
+    # @fgadoc:alias Project Membership
+    # The project_membership type represents a Salesforce Asset record: one active
+    # (or expired) membership term for a b2b_org within a project. Access is derived
+    # from the caller's relationship to the parent b2b_org or parent project.
+    # writer is intentionally scoped to b2b_org only: project-level writers (LF staff)
+    # can audit memberships but cannot create or modify them.
+    type project_membership
       relations
-        define auditor: [user, team#member]
+        define b2b_org: [b2b_org]
+        define project: [project]
+        define writer: writer from b2b_org
+        define auditor: auditor from b2b_org or auditor from project
+
+    # @fgadoc:alias Key Contact
+    # The key_contact type represents a Salesforce Project_Role__c record: a named
+    # contact role assigned to a b2b_org for a specific project membership. Write
+    # access is granted to b2b_org writers (owners and global org-admin team) and to
+    # project-level writers (LF staff managing contacts on behalf of members).
+    type key_contact
+      relations
+        define b2b_org: [b2b_org]
+        define project: [project]
+        define writer: writer from b2b_org or writer from project
+        define auditor: auditor from b2b_org or auditor from project
 {{- end }}
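Review bot: Removing `type member` (the four deleted lines after the survey `auditor`) silently orphans whatever the old comment called the "membership apis": any stored `member:…#auditor` tuples and any service check still addressed to that type presumably stop resolving once model 11.0.0 is active, and the hunk records neither a tuple cleanup nor which callers were repointed at `project_membership`. A migration note next to the new type would make that explicit, e.g. `# NOTE: replaces the former hidden "member" type (removed in model 11.0.0); stale member:* tuples must be deleted and membership API checks moved to project_membership`. The `global_org_admin` comment on `b2b_org` also documents an invariant the model itself cannot enforce — every `b2b_org` object relies on the member service writing the `[team#member]` tuple at creation, so an org created by any other path, or a failed write, has no `writer` at all until that tuple exists; that dependency is worth stating on the `define global_org_admin` line rather than only in the type header. Because `auditor` on `project_membership` and `key_contact` fans out to both parents via the directly-assignable `[b2b_org]`/`[project]` relations while `writer` on `project_membership` deliberately does not, a model-level test asserting that a `project` writer cannot obtain `writer` on a `project_membership` would pin the stated intent; I could not see whether such tests exist in this change. The `authorizationModel` block scalar that holds these types begins outside the hunk.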