Role-based access control

Users receive roles; roles carry permission strings (for example cadence:org:read). Handlers and dependencies evaluate those strings before sensitive work. Map personas to roles and expect 403 when a permission is missing; implementation centers on permission constants, BuiltInRBACProvider loading and cache, and HTTP dependencies in authorization middleware.

Summary for stakeholders

• Governance — Permissions are explicit cadence:* strings attached to roles; platform-wide power is concentrated in cadence:system:* capabilities.

Business analysis

• Personas — Map product roles (org member, org admin, sys admin) to cadence:* sets when writing acceptance criteria for 403 versus wrong org.
• Audit — Permission changes should trigger cache invalidation expectations in defect reports when behavior lags edits.

Architecture and integration

Cadence RBAC uses PostgreSQL for roles and assignments and Redis to cache computed permission sets (see BuiltInRBACProvider TTL and authz:perms:* keys). Interactive (JWT) sessions store global_permissions and org_permissions in Redis when the session is created or refreshed. API keys use a flat scope list from the key row, with the riskiest platform permissions removed automatically.

After this section

Solution architects

• Reason about cache staleness (≈5 minutes) and session snapshots when designing admin tooling and support workflows.

Implementation notes

Permission strings

Constants live in cadence.core.authorization.permissions. Examples:

• System: cadence:system:admin, cadence:system:settings:read, …
• Org: cadence:org:read, cadence:org:orchestrators:write, …
• User/chat: cadence:chat:use, cadence:profile:write, …

SYSTEM_ADMIN (cadence:system:admin) in global_permissions marks a platform superuser (BearerTokenSession.is_sys_admin).

Wildcard expansion — expand_wildcard_permissions and has_permission implement hierarchical checks (see has_permission in the permissions module).

BuiltInRBACProvider

BuiltInRBACProvider:

• Loads user → role assignments via UserRoleRepository.list_for_user.
• For each assignment, loads role → permission strings via RoleRepository.list_permissions_for_role.
• Merges global (org_id is None) vs org-scoped rows when org_id is passed to effective_permissions(user_id, org_id).
• Caches merged sets in Redis under authz:perms:{user_id}:{org_id} for 300 seconds (CACHE_TTL_SECONDS).
• invalidate_cache(user_id) scans and deletes keys when roles change.

Route enforcement

• Depends(roles_allowed(PERM)) — User must be logged in and satisfy every listed permission according to authorization middleware (_holds_role / has_permission).
• Depends(authenticated) — User must be logged in; no extra permission check.
• require_platform_sys_admin / require_admin — Narrow entry points for platform or admin operations.

Many org-scoped handlers then call org_context from the shared route helpers so the user is a member of the org being touched.

API keys vs interactive sessions

sanitize_api_key_flat_scopes removes SYSTEM_ADMIN and system API-key management permissions from key scopes (API_KEY_SESSION_STRIPPED_PERMISSIONS in the permissions module).

Where to add a new permission

Add a constant in permissions.py, assign it to roles via DB seeds or admin APIs, and use roles_allowed(...) or session.has_permission in the relevant router.

Verification and quality

Limitations

• Cache staleness — Up to 5 minutes before Redis effective-permission cache matches DB after role edits, unless invalidate_cache is called on the relevant code paths.
• Session snapshot — Interactive JWT sessions store permissions at login/refresh; changing roles in DB does not update Redis until the user refreshes the token or re-authenticates.

After this section

Testers

• Design time-delayed tests: change role in DB, wait for cache TTL, assert 403/200 boundaries.

Related pages

Security and access Authentication flow and session resolution.

Multi-tenancy Org scope and org_context.

API keys Flat scopes and stripped permissions.