Role
Source: src/data/role/
Service
createRoleService / RoleService
Factory: createRoleService(roleRepo: RoleRepository, assignmentRepo: RoleAssignmentsRepository) — returns RoleService.
| Method | Parameters | Returns | Description |
|---|---|---|---|
| createRole | (ctx: RequestContext, input: { tenantId?: string, name: string, permissionKeys: string[] }) | Promise<RoleRecord> | Creates a new role for the tenant; validates with roleSchema |
| seedDefaultRoles | (ctx: RequestContext, defaults: DefaultRoleBundle[]) | Promise<RoleRecord[]> | Seeds default roles if they don't already exist by name |
| assignRoleToUser | (ctx: RequestContext, userId: string, roleId: string) | Promise<void> | Assigns a role to a user |
| unassignRoleFromUser | (ctx: RequestContext, userId: string, roleId: string) | Promise<void> | Removes a role assignment from a user |
| getPermissionKeysForUser | (ctx: RequestContext, userId: string) | Promise<string[]> | Aggregates all permission keys across roles assigned to a user |
| hasPermission | (ctx: RequestContext, userId: string, permissionKey: string) | Promise<boolean> | Checks if a user has a specific permission; wildcard * grants all |
DefaultRoleBundle
| Field | Type |
|---|---|
| name | string |
| permissionKeys | string[] |
Repository
RoleRepository
| Method | Parameters | Returns |
|---|---|---|
| getById | (ctx: RequestContext, id: string) | Promise<RoleRecord \| null> |
| getByName | (ctx: RequestContext, name: string) | Promise<RoleRecord \| null> |
| listByTenant | (ctx: RequestContext) | Promise<RoleRecord[]> |
| create | (ctx: RequestContext, input: RoleCreateInput) | Promise<RoleRecord> |
| update | (ctx: RequestContext, id: string, patch: Partial<RoleCreateInput>) | Promise<RoleRecord> |
RoleRecord
| Field | Type |
|---|---|
| id | string |
| tenantId | string |
| name | string |
| permissionKeys | string[] |
| createdAt | Date |
| updatedAt | Date |
RoleAssignmentsRepository
| Method | Parameters | Returns |
|---|---|---|
| listRoleIdsForUser | (ctx: RequestContext, userId: string) | Promise<string[]> |
| assignRoleToUser | (ctx: RequestContext, userId: string, roleId: string) | Promise<void> |
| unassignRoleFromUser | (ctx: RequestContext, userId: string, roleId: string) | Promise<void> |
RoleAssignmentRecord
| Field | Type |
|---|---|
| id | string |
| userId | string |
| tenantId | string |
| roleId | string |
| createdAt | Date |
| updatedAt | Date |
Default Roles
Defined in roles.defaults.ts:
| Role Name | Permission Keys |
|---|---|
| TenantAdmin | All permission keys from the registry + AccessAdmin |
| ReadOnly | All permission keys ending in .read |
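The semantics documented above for getPermissionKeysForUser, hasPermission and the ReadOnly default role, as an added sketch that is not the project's own code. The function names, the sample registry and roles, the tenant filter and the exact-match treatment of * are assumptions; RequestContext and the repositories are replaced by plain arguments.

```typescript
// Added example: the interface mirrors RoleRecord fields documented on this page.
interface RoleRecord {
  id: string;
  tenantId: string;
  name: string;
  permissionKeys: string[];
}

// Constructed sample registry; the real permission registry is not shown on this page.
const SAMPLE_REGISTRY = ["invoice.read", "invoice.write", "user.read", "user.delete"];

// ReadOnly bundle: every registry key ending in ".read".
function readOnlyKeys(registry: string[]): string[] {
  return registry.filter((key) => key.endsWith(".read"));
}

// Union of keys across the user's assigned roles. Assumption: roles are filtered to the
// caller's tenant, so an assignment pointing at another tenant's role grants nothing.
function aggregatePermissionKeys(
  tenantId: string,
  assignedRoleIds: string[],
  roles: RoleRecord[],
): string[] {
  const assigned = new Set<string>(assignedRoleIds);
  const keys = new Set<string>();
  for (const role of roles) {
    if (role.tenantId !== tenantId || !assigned.has(role.id)) continue;
    for (const key of role.permissionKeys) keys.add(key);
  }
  return Array.from(keys).sort();
}

// Exact match, or the literal "*" key. Assumption: no prefix patterns such as "invoice.*".
function hasPermissionKey(keys: string[], permissionKey: string): boolean {
  return keys.includes("*") || keys.includes(permissionKey);
}

// Constructed sample data.
const SAMPLE_ROLES: RoleRecord[] = [
  { id: "r1", tenantId: "t1", name: "ReadOnly", permissionKeys: readOnlyKeys(SAMPLE_REGISTRY) },
  { id: "r2", tenantId: "t1", name: "Billing", permissionKeys: ["invoice.write", "invoice.read"] },
  { id: "r3", tenantId: "t2", name: "Root", permissionKeys: ["*"] },
];
```

A role holding * makes every check pass, so assignments of such a role are the ones to review and log most closely.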
Validators
roleSchema
| Field | Type | Required | Default |
|---|---|---|---|
| tenantId | string | Yes | — |
| name | string | Yes | — |
| permissionKeys | string[] | No | [] |
Inferred Types
Role: z.infer<typeof roleSchema>