Tenant RBAC: custom roles, role assignment, and permission checks. Mutating calls require the caller to be an owner or admin. A bearer token is required.
import { GatekeeperCore, PermissionsService } from '@orkait/sdk';
const permissions = new PermissionsService(core);

## Methods
| Method | Returns | Notes |
|---|---|---|
| `createRole(tenantId, name, permissions)` | `Role` | owner/admin |
| `listRoles(tenantId)` | `Page<Role>` | |
| `updateRole(roleId, updates)` | `Role` | `updates` is `{ name?, permissions? }`; system roles rejected |
| `deleteRole(roleId)` | `void` | owner/admin |
| `assign(userId, tenantId, roleId)` | `void` | owner/admin |
| `revoke(userId, tenantId, roleId)` | `void` | owner/admin |
| `can(userId, tenantId, permission)` | `boolean` | |
| `list(userId, tenantId)` | `string[]` | effective permissions |
## Example
// Create a custom role in tenant 't1' and give it to a user. Both calls are
// mutations, so the caller must be an owner or admin of the tenant.
// The ids below are sample literals. In a real handler, take the user and
// tenant ids from the authenticated session, not from request parameters.
const editorRole = await permissions.createRole('t1', 'editor', ['posts:write']);
await permissions.assign('usr_1', 't1', editorRole.id);

// can() resolves to a boolean. Run this check on the server for every
// protected action and treat anything other than `true` as a denial.
const mayWritePosts = await permissions.can('usr_1', 't1', 'posts:write');
if (!mayWritePosts) {
  /* denied: stop here */
} else {
  /* allowed */
}