
RBAC Model

Grant uses multi-tenant RBAC: roles are assigned to users in a scope (account or organization), groups link roles to permissions, and permissions grant actions on resources.

Overview

Account-level: Personal Account Owner, Organization Account Owner (full control over that account).

Organization-level: Organization Owner, Admin, Dev, Viewer — full control down to read-only within the organization.

Scope of this doc

This page covers authorization (which actions need which permissions). These need only authentication (logged in), not authorization: login/register, session management, password reset, email verification, profile picture upload, session revocation, auth method management (create/delete/set-primary/change-password).

Resources and Actions

Two read-type actions exist and both go through authorization: read (a single resource by ID) and query (a list/collection, optionally filtered by ids). Some resources expose only query (e.g. Project, Role, Tag, API Key); others support both read and query.

Which resources have read vs query only
  • Both read + query: User, Account, Organization, Organization Member, Organization Invitation, Project User, User Session, User Authentication Method
  • Query only: Project, Project App, Resource, Role, Group, Permission, Tag, API Key (list with optional ids filter)

Core Resources

| Resource | Actions | Description |
|---|---|---|
| User | create read update delete query export-data | Platform users |
| Account | read delete query | Personal or organization workspace |
| Organization | create read update delete query | Container for projects and members |
| Project | create update delete query | Isolated environment (query only) |
| Resource | create update delete query | Domain entities (query only) |
| Role | create update delete query | Named permission sets (query only) |
| Group | create update delete query | Role–resource permission bundles (query only) |
| Permission | create update delete query | Action on a resource (query only) |
| Tag | create update delete query | Labels (query only) |
| API Key | create delete query revoke exchange | Programmatic credentials (query only) |
| App (Project App) | create update delete query | Consent-flow applications (query only) |

Relationship & Session Resources

| Resource | Actions | Description |
|---|---|---|
| Organization Member | read update remove query | Users in an organization |
| Organization Invitation | create read query revoke resend-email renew | Join-org invitations |
| Project User | read query | Users in a project |
| User Session | read query | Active sessions (own only) |
| User Authentication Method | read query | Auth methods (own only) |

Roles

Account-Level

Two account types: personal (one per user) and organization (owned by users). Each has a single role: Personal Account Owner or Organization Account Owner — full control over that account. Account ownership is independent of organization membership (you can be account owner and also Org Admin/Dev/Viewer elsewhere).

Organization-Level

Within an organization, four roles: Owner (full control), Admin (teams and permissions, no account ownership), Dev (create/manage resources, roles, permissions), Viewer (read-only).

Project-Level: Two Kinds of Users

  • Platform users — People with a Grant account (personal or org member). They use the dashboard to design auth. Their project access is inherited: account owner → Owner on account projects; org role (Owner/Admin/Dev/Viewer) applies to org projects. The platform does not define project-level groups for them.
  • Project users — Third-party identities in a project (Project User resource). They use the project's APIs/apps (API keys, OAuth), not the dashboard. Platform users define custom roles, groups, and permissions inside the project for these users; the platform supplies the primitives but not a fixed structure.

Groups

Groups link roles to permissions via a Role + Resource combination. Naming: {Resource} {Role} (e.g. "Organization Owner", "User Dev"). Permissions live in groups; roles get access by being assigned groups.

Flow: User → Role → Group → Permission → Resource. The system evaluates all role–group combinations for the user when checking access.

Standard account- and organization-level groups (reference)

  • Account-level: only Owner groups: Personal Account Owner and Organization Account Owner (Role: Owner, Resource: Account).
  • Organization-level: all four: Organization Owner, Organization Admin, Organization Dev, Organization Viewer.
  • Project-level: no standard groups. Platform users' project access is inherited from their org role; custom project groups are user-defined.

Permission Mapping to Groups

Common groups — assigned to all roles (basic read/query, some create). Role-specific groups — extra permissions for Owner, Admin, Dev, or Viewer. Summary: Tags are Owner-only; API Key delete/revoke for Dev is own-keys only (condition). Expand below for full reference.

Full group → permission reference

Common Groups (all roles)

| Group Name | Resource | Permissions | Description |
|---|---|---|---|
| Account Common | Account | read query | Basic account access for all authenticated users |
| User Common | User | read query | Basic user viewing for all authenticated users |
| Organization Common | Organization | create query | Basic organization access (can create and query organizations) |
| Project Common | Project | query | Basic project viewing for all authenticated users |
| Account Project Owner | Project | create update delete | Project management for account owners on their account's projects (account-owner roles only) |
| Resource Common | Resource | query | Basic resource viewing for all authenticated users |
| Role Common | Role | query | Basic role viewing for all authenticated users |
| Group Common | Group | query | Basic group viewing for all authenticated users |
| Permission Common | Permission | query | Basic permission viewing for all authenticated users |
| Tag Common | Tag | query | Basic tag viewing for all authenticated users |
| API Key Common | API Key | query exchange | Basic API key access for all authenticated users |
| Organization Member Common | Organization Member | read query | Basic organization member viewing for all authenticated users |
| Organization Invitation Common | Organization Invitation | query | Basic organization invitation access for all authenticated users |
| Project User Common | Project User | read query | Basic project user viewing for all authenticated users |
| User Session Common | User Session | read query | Basic user session viewing (own sessions only, enforced by condition) |
| User Authentication Method Common | User Authentication Method | read query | Basic authentication method viewing (own methods only, enforced by condition) |

Role-Specific Groups

These groups contain permissions specific to certain roles:

Account Groups

| Group Name | Resource | Permissions | Assigned To | Description |
|---|---|---|---|---|
| Personal Account Owner | Account | delete | Personal Account Owner | Full personal account control |
| Organization Account Owner | Account | delete | Organization Account Owner | Full organization account control |

User Groups

| Group Name | Resource | Permissions | Assigned To | Description |
|---|---|---|---|---|
| User Owner | User | create update delete export-data | Organization Owner | Full user management |
| User Admin | User | create update delete export-data | Organization Admin | Full user management |
| User Dev | User | update (own user only) | Organization Dev | Limited user management (own profile only) |
| User Viewer | User | (no additional permissions) | Organization Viewer | Viewer has the same user access as the common groups |

Organization Groups

| Group Name | Resource | Permissions | Assigned To | Description |
|---|---|---|---|---|
| Organization Owner | Organization | update delete | Organization Owner | Full organization management |
| Organization Admin | Organization | update delete | Organization Admin | Full organization management |
| Organization Dev | Organization | (no additional permissions) | Organization Dev | Dev has the same organization access as the common groups |
| Organization Viewer | Organization | (no additional permissions) | Organization Viewer | Viewer has the same organization access as the common groups |

Project Resource Groups

These groups control what organization-level roles can do with the Project resource (create, update, delete projects). They are not project-scope groups — see Project-Level: Two Kinds of Users.

| Group Name | Resource | Permissions | Assigned To | Description |
|---|---|---|---|---|
| Project Owner | Project | create update delete | Organization Owner | Full project management |
| Project Admin | Project | create update delete | Organization Admin | Full project management |
| Project Dev | Project | create update delete | Organization Dev | Full project management |
| Project Viewer | Project | (no additional permissions) | Organization Viewer | Viewer has the same project access as the common groups |

Resource Groups

| Group Name | Resource | Permissions | Assigned To | Description |
|---|---|---|---|---|
| Resource Owner | Resource | create update delete | Organization Owner | Full resource management |
| Resource Admin | Resource | create update delete | Organization Admin | Full resource management |
| Resource Dev | Resource | create update delete | Organization Dev | Full resource management |
| Resource Viewer | Resource | (no additional permissions) | Organization Viewer | Viewer has the same resource access as the common groups |

Role Groups

| Group Name | Resource | Permissions | Assigned To | Description |
|---|---|---|---|---|
| Role Owner | Role | create update delete | Organization Owner | Full role management |
| Role Admin | Role | create update delete | Organization Admin | Full role management |
| Role Dev | Role | create update delete | Organization Dev | Full role management |
| Role Viewer | Role | (no additional permissions) | Organization Viewer | Viewer has the same role access as the common groups |

Group Groups

| Group Name | Resource | Permissions | Assigned To | Description |
|---|---|---|---|---|
| Group Owner | Group | create update delete | Organization Owner | Full group management |
| Group Admin | Group | create update delete | Organization Admin | Full group management |
| Group Dev | Group | create update delete | Organization Dev | Full group management |
| Group Viewer | Group | (no additional permissions) | Organization Viewer | Viewer has the same group access as the common groups |

Permission Groups

| Group Name | Resource | Permissions | Assigned To | Description |
|---|---|---|---|---|
| Permission Owner | Permission | create update delete | Organization Owner | Full permission management |
| Permission Admin | Permission | create update delete | Organization Admin | Full permission management |
| Permission Dev | Permission | create update delete | Organization Dev | Full permission management |
| Permission Viewer | Permission | (no additional permissions) | Organization Viewer | Viewer has the same permission access as the common groups |

Tag Groups

| Group Name | Resource | Permissions | Assigned To | Description |
|---|---|---|---|---|
| Tag Owner | Tag | create update delete | Organization Owner | Full tag management (Owner only) |
| Tag Admin | Tag | (no additional permissions) | Organization Admin | Admin cannot manage tags |
| Tag Dev | Tag | (no additional permissions) | Organization Dev | Dev has the same tag access as the common groups |
| Tag Viewer | Tag | (no additional permissions) | Organization Viewer | Viewer has the same tag access as the common groups |

Note: Only Organization Owner can manage tags. Admin, Dev, and Viewer roles have read-only access via common groups.

API Key Groups

| Group Name | Resource | Permissions | Assigned To | Description |
|---|---|---|---|---|
| API Key Owner | API Key | create delete revoke | Organization Owner | Full API key management |
| API Key Admin | API Key | create delete revoke | Organization Admin | Full API key management |
| API Key Dev | API Key | create delete* revoke* | Organization Dev | API key creation; delete/revoke own keys only |
| API Key Viewer | API Key | (no additional permissions) | Organization Viewer | Viewer has the same API key access as the common groups |

Note: * Dev can only delete/revoke their own API keys (enforced by condition).

Project App Groups

Project Apps (the App resource) are OAuth/consent applications scoped to a project. Account owners get full app management via Account Project App Owner; organization roles get app management via Project App Owner/Admin/Dev. There is no Project App Common group, so only these role-specific groups grant any access, and a Viewer cannot even query apps.

| Group Name | Resource | Permissions | Assigned To | Description |
|---|---|---|---|---|
| Account Project App Owner | Project App | create update delete query | Personal/Organization Account Owner | Full app management for account projects |
| Project App Owner | Project App | create update delete query | Organization Owner | Full project app management |
| Project App Admin | Project App | create update delete query | Organization Admin | Full project app management |
| Project App Dev | Project App | create update delete query | Organization Dev | Full project app management |
| Project App Viewer | Project App | (no additional permissions) | Organization Viewer | Viewer has no project app access by default |

Organization Member Groups

| Group Name | Resource | Permissions | Assigned To | Description |
|---|---|---|---|---|
| Organization Member Owner | Organization Member | update remove | Organization Owner | Full organization member management |
| Organization Member Admin | Organization Member | update remove | Organization Admin | Full organization member management |
| Organization Member Dev | Organization Member | (no additional permissions) | Organization Dev | Dev has the same organization member access as the common groups |
| Organization Member Viewer | Organization Member | (no additional permissions) | Organization Viewer | Viewer has the same organization member access as the common groups |

Organization Invitation Groups

| Group Name | Resource | Permissions | Assigned To | Description |
|---|---|---|---|---|
| Organization Invitation Owner | Organization Invitation | create revoke resend-email renew | Organization Owner | Full organization invitation management |
| Organization Invitation Admin | Organization Invitation | create revoke resend-email renew | Organization Admin | Full organization invitation management |
| Organization Invitation Dev | Organization Invitation | (no additional permissions) | Organization Dev | Dev has the same organization invitation access as the common groups |
| Organization Invitation Viewer | Organization Invitation | (no additional permissions) | Organization Viewer | Viewer has the same organization invitation access as the common groups |

Project User Groups

All roles have only common group permissions for Project User (read, query):

| Group Name | Resource | Permissions | Assigned To | Description |
|---|---|---|---|---|
| Project User Owner | Project User | (no additional permissions) | Organization Owner | Owner has the same project user access as the common groups |
| Project User Admin | Project User | (no additional permissions) | Organization Admin | Admin has the same project user access as the common groups |
| Project User Dev | Project User | (no additional permissions) | Organization Dev | Dev has the same project user access as the common groups |
| Project User Viewer | Project User | (no additional permissions) | Organization Viewer | Viewer has the same project user access as the common groups |

User Session Groups

All roles have only common group permissions for User Session (read, query own sessions):

| Group Name | Resource | Permissions | Assigned To | Description |
|---|---|---|---|---|
| User Session Owner | User Session | (no additional permissions) | Organization Owner | Owner has the same user session access as the common groups (own sessions) |
| User Session Admin | User Session | (no additional permissions) | Organization Admin | Admin has the same user session access as the common groups (own sessions) |
| User Session Dev | User Session | (no additional permissions) | Organization Dev | Dev has the same user session access as the common groups (own sessions) |
| User Session Viewer | User Session | (no additional permissions) | Organization Viewer | Viewer has the same user session access as the common groups (own sessions) |

User Authentication Method Groups

All roles have only common group permissions for User Authentication Method (read, query own methods):

| Group Name | Resource | Permissions | Assigned To | Description |
|---|---|---|---|---|
| User Authentication Method Owner | User Authentication Method | (no additional permissions) | Organization Owner | Owner has the same auth method access as the common groups (own methods) |
| User Authentication Method Admin | User Authentication Method | (no additional permissions) | Organization Admin | Admin has the same auth method access as the common groups (own methods) |
| User Authentication Method Dev | User Authentication Method | (no additional permissions) | Organization Dev | Dev has the same auth method access as the common groups (own methods) |
| User Authentication Method Viewer | User Authentication Method | (no additional permissions) | Organization Viewer | Viewer has the same auth method access as the common groups (own methods) |


Permission Mapping to Roles

Action × role matrices. Owner, Admin and Dev can do most writes; Viewer is read-only. Exceptions: Tag writes are Owner only; Organization update/delete, Organization Member update/remove, Organization Invitation writes, and User create/delete/export-data are Owner and Admin only; User update and API Key delete/revoke are granted to Dev only for the Dev's own record or keys (condition). The cells below follow from the group → permission reference above; ✓ means granted, ✓* means granted under a condition.

Full permission matrix (all resources)

Core Resource Permissions

User Permissions

| Action | Resource | Organization Owner | Organization Admin | Organization Dev | Organization Viewer |
|---|---|---|---|---|---|
| create | user | ✓ | ✓ | – | – |
| read | user | ✓ | ✓ | ✓ | ✓ |
| update | user | ✓ | ✓ | ✓* | – |
| delete | user | ✓ | ✓ | – | – |
| query | user | ✓ | ✓ | ✓ | ✓ |
| export-data | user | ✓ | ✓ | – | – |

Note: * Dev can only update their own user record.

Account Permissions

| Action | Resource | Personal Account Owner | Organization Account Owner |
|---|---|---|---|
| read | account | ✓ | ✓ |
| delete | account | ✓ | ✓ |
| query | account | ✓ | ✓ |

Organization Permissions

| Action | Resource | Organization Owner | Organization Admin | Organization Dev | Organization Viewer |
|---|---|---|---|---|---|
| create | organization | ✓ | ✓ | ✓ | ✓ |
| update | organization | ✓ | ✓ | – | – |
| delete | organization | ✓ | ✓ | – | – |
| query | organization | ✓ | ✓ | ✓ | ✓ |

Note: Organization read is enforced by scope (users can only read organizations they belong to), so it does not appear as a permission row.

Project Permissions

| Action | Resource | Organization Owner | Organization Admin | Organization Dev | Organization Viewer |
|---|---|---|---|---|---|
| create | project | ✓ | ✓ | ✓ | – |
| update | project | ✓ | ✓ | ✓ | – |
| delete | project | ✓ | ✓ | ✓ | – |
| query | project | ✓ | ✓ | ✓ | ✓ |

Resource Permissions

| Action | Resource | Organization Owner | Organization Admin | Organization Dev | Organization Viewer |
|---|---|---|---|---|---|
| create | resource | ✓ | ✓ | ✓ | – |
| update | resource | ✓ | ✓ | ✓ | – |
| delete | resource | ✓ | ✓ | ✓ | – |
| query | resource | ✓ | ✓ | ✓ | ✓ |

Role Permissions

| Action | Resource | Organization Owner | Organization Admin | Organization Dev | Organization Viewer |
|---|---|---|---|---|---|
| create | role | ✓ | ✓ | ✓ | – |
| update | role | ✓ | ✓ | ✓ | – |
| delete | role | ✓ | ✓ | ✓ | – |
| query | role | ✓ | ✓ | ✓ | ✓ |

Group Permissions

| Action | Resource | Organization Owner | Organization Admin | Organization Dev | Organization Viewer |
|---|---|---|---|---|---|
| create | group | ✓ | ✓ | ✓ | – |
| update | group | ✓ | ✓ | ✓ | – |
| delete | group | ✓ | ✓ | ✓ | – |
| query | group | ✓ | ✓ | ✓ | ✓ |

Permission Permissions

| Action | Resource | Organization Owner | Organization Admin | Organization Dev | Organization Viewer |
|---|---|---|---|---|---|
| create | permission | ✓ | ✓ | ✓ | – |
| update | permission | ✓ | ✓ | ✓ | – |
| delete | permission | ✓ | ✓ | ✓ | – |
| query | permission | ✓ | ✓ | ✓ | ✓ |

Tag Permissions

| Action | Resource | Organization Owner | Organization Admin | Organization Dev | Organization Viewer |
|---|---|---|---|---|---|
| create | tag | ✓ | – | – | – |
| update | tag | ✓ | – | – | – |
| delete | tag | ✓ | – | – | – |
| query | tag | ✓ | ✓ | ✓ | ✓ |

Note: Only Organization Owner can manage tags.

API Key Permissions

| Action | Resource | Organization Owner | Organization Admin | Organization Dev | Organization Viewer |
|---|---|---|---|---|---|
| create | api-key | ✓ | ✓ | ✓ | – |
| delete | api-key | ✓ | ✓ | ✓* | – |
| query | api-key | ✓ | ✓ | ✓ | ✓ |
| revoke | api-key | ✓ | ✓ | ✓* | – |
| exchange | api-key | ✓ | ✓ | ✓ | ✓ |

* Dev can only delete/revoke their own API keys

Relationship Permissions

Organization Member Permissions

| Action | Resource | Organization Owner | Organization Admin | Organization Dev | Organization Viewer |
|---|---|---|---|---|---|
| read | organization-member | ✓ | ✓ | ✓ | ✓ |
| update | organization-member | ✓ | ✓ | – | – |
| remove | organization-member | ✓ | ✓ | – | – |
| query | organization-member | ✓ | ✓ | ✓ | ✓ |

Organization Invitation Permissions

| Action | Resource | Organization Owner | Organization Admin | Organization Dev | Organization Viewer |
|---|---|---|---|---|---|
| create | organization-invitation | ✓ | ✓ | – | – |
| read | organization-invitation | (see note) | (see note) | (see note) | (see note) |
| query | organization-invitation | ✓ | ✓ | ✓ | ✓ |
| revoke | organization-invitation | ✓ | ✓ | – | – |
| resend-email | organization-invitation | ✓ | ✓ | – | – |
| renew | organization-invitation | ✓ | ✓ | – | – |

Note: the Organization Invitation resource lists read, but no common or role-specific group in the reference above grants it (Organization Invitation Common grants query only), so the read row is not resolved by this page.

Project User Permissions

| Action | Resource | Organization Owner | Organization Admin | Organization Dev | Organization Viewer |
|---|---|---|---|---|---|
| read | project-user | ✓ | ✓ | ✓ | ✓ |
| query | project-user | ✓ | ✓ | ✓ | ✓ |

Session & Authentication Permissions (Authorization-Required Only)

User Session Permissions

| Action | Resource | All Roles |
|---|---|---|
| read | user-session | ✓* |
| query | user-session | ✓* |

* Users can only read/query their own sessions (enforced by condition)

User Authentication Method Permissions

| Action | Resource | All Roles |
|---|---|---|
| read | user-authentication-method | ✓* |
| query | user-authentication-method | ✓* |

* Users can only read/query their own authentication methods (enforced by condition)


Naming and Scope

Permissions are stored as action (kebab-case: create, read, update, delete, query, export-data, remove, revoke, resend-email, renew, exchange) plus resourceId (references the resources table). Scopes: Account (account-level actions), Organization (org and members), Project (project resources). Access is limited to resources in the user's assigned scopes.

Implementation Notes

  • Role hierarchy (conceptual): Owner ⊃ Admin ⊃ Dev ⊃ Viewer. Owner and Admin differ only on Tags (Admin has no tag write); Dev loses User create/delete/export-data and the Organization, Organization Member and Organization Invitation writes; Viewer has only the common groups.
  • Self-management (conditions): Dev can update their own user; all users can read their own sessions and auth methods; Dev can delete/revoke their own API keys. See Permission Conditions for syntax.
  • Auth-only (no RBAC): login, register, session refresh, password reset, profile picture, session revocation, auth method CRUD. These require only authentication.

Permission evaluation steps
  1. Get the user's roles in the scope (account/org/project).
  2. For each role, get the assigned groups.
  3. For each group, get its permissions.
  4. Build all role–group combinations.
  5. Match the requested action + resource to any permission.
  6. If the permission has a condition, evaluate it with the execution context.
  7. Enforce tenant isolation (the resource must be in the user's scope).

Flow: User → Roles → Groups → Permissions → Resource + Action. Conditions: Permission Conditions.
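The seven evaluation steps above, and the User → Role → Group → Permission → Resource flow from the Groups section, as an added Python example. This is not Grant's own code: the class names, the `check` signature, the context keys (`user_id`, `target_owner_id`, `resource_scope_id`) and the sample users and scopes are assumptions, and the group data is only the User, Tag and API Key subset of the reference tables above. The "own only" rule is modelled as a condition callback, and the decision records which role–group combination granted access so that an audit log can say why a request passed.

```python
from dataclasses import dataclass
from typing import Callable, Optional

Condition = Callable[[dict], bool]  # evaluated against the execution context (step 6)


@dataclass(frozen=True)
class Permission:
    action: str            # kebab-case action, e.g. "create", "export-data"
    resource: str          # resource name; stands in for the page's resourceId
    condition: Optional[Condition] = None


@dataclass
class Group:
    name: str              # "{Resource} {Role}" naming from the page
    permissions: list


@dataclass
class Decision:
    allowed: bool
    matched_by: Optional[tuple] = None   # (role, group) that granted access, for audit
    reason: str = ""


def own_only(ctx: dict) -> bool:
    """Condition behind every 'own ... only' permission: target must belong to the caller."""
    return ctx.get("target_owner_id") is not None and ctx["target_owner_id"] == ctx.get("user_id")


def grp(name, resource, actions, condition=None):
    return Group(name, [Permission(a, resource, condition) for a in actions])


# Subset of the standard groups (User, Tag and API Key families). Admin groups
# carry the same permissions as the Owner groups, as the reference tables list them.
GROUPS = {g.name: g for g in [
    grp("User Common", "user", ["read", "query"]),
    grp("User Owner", "user", ["create", "update", "delete", "export-data"]),
    grp("User Admin", "user", ["create", "update", "delete", "export-data"]),
    grp("User Dev", "user", ["update"], own_only),
    grp("Tag Common", "tag", ["query"]),
    grp("Tag Owner", "tag", ["create", "update", "delete"]),
    grp("API Key Common", "api-key", ["query", "exchange"]),
    grp("API Key Owner", "api-key", ["create", "delete", "revoke"]),
    grp("API Key Admin", "api-key", ["create", "delete", "revoke"]),
    Group("API Key Dev", [Permission("create", "api-key"),
                          Permission("delete", "api-key", own_only),
                          Permission("revoke", "api-key", own_only)]),
]}

COMMON = ["User Common", "Tag Common", "API Key Common"]
ROLE_GROUPS = {
    "Organization Owner":  COMMON + ["User Owner", "Tag Owner", "API Key Owner"],
    "Organization Admin":  COMMON + ["User Admin", "API Key Admin"],   # no Tag write
    "Organization Dev":    COMMON + ["User Dev", "API Key Dev"],
    "Organization Viewer": COMMON,
}

# Role assignments are per scope: (user_id, scope_id) -> roles. Constructed sample data.
USER_ROLES = {
    ("u-owner", "org-acme"):  ["Organization Owner"],
    ("u-admin", "org-acme"):  ["Organization Admin"],
    ("u-dev", "org-acme"):    ["Organization Dev"],
    ("u-viewer", "org-acme"): ["Organization Viewer"],
    ("u-dev", "org-beta"):    ["Organization Owner"],   # same person, different tenant
}


def check(user_id: str, action: str, resource: str, scope_id: str, ctx: dict) -> Decision:
    """Steps 1-7: roles in scope -> groups -> permissions -> match -> condition -> isolation."""
    ctx = {"user_id": user_id, **ctx}
    # Step 7 (tenant isolation) does not depend on which permission matches, so fail closed on it first.
    if ctx.get("resource_scope_id") != scope_id:
        return Decision(False, reason="resource outside the requested scope")
    roles = USER_ROLES.get((user_id, scope_id), [])             # step 1
    for role in roles:
        for group_name in ROLE_GROUPS.get(role, []):           # steps 2 and 4: every role-group combination
            for perm in GROUPS[group_name].permissions:        # step 3
                if perm.action != action or perm.resource != resource:
                    continue                                   # step 5: not the requested action/resource
                if perm.condition is not None and not perm.condition(ctx):
                    continue                                   # step 6: conditioned grant does not apply here
                return Decision(True, (role, group_name))
    return Decision(False, reason="no matching permission in any role-group combination")


if __name__ == "__main__":
    acme = {"resource_scope_id": "org-acme"}
    print(check("u-admin", "create", "tag", "org-acme", acme))                                    # denied: tags are Owner-only
    print(check("u-dev", "revoke", "api-key", "org-acme", {**acme, "target_owner_id": "u-dev"}))  # allowed via API Key Dev
    print(check("u-dev", "create", "tag", "org-beta", {"resource_scope_id": "org-beta"}))          # allowed: Owner in org-beta
```

Two points worth noting. Roles are looked up by (user, scope), so the same person is a Dev in one organization and an Owner in another without any cross-tenant leakage, and a request whose `resource_scope_id` disagrees with the scope being checked is refused before any permission is consulted. A conditioned permission that fails its condition is skipped rather than treated as a deny, so the loop keeps looking at the remaining role–group combinations, which is what "evaluates all role–group combinations" requires.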

Related: Data Model · Multi-Tenancy · Security

Released under the MIT License.