Role Management System

This guide explains how to manage roles and permissions in the DeployStack backend for developers.

Overview

DeployStack uses a centralized role-based access control (RBAC) system with automatic synchronization between code definitions and database storage.

Role Definitions

All roles and permissions are defined in a single file:

services/backend/src/permissions/index.ts

This is the single source of truth for all role definitions. To see current roles and their permissions, check this file.

Role Types

The system supports two types of roles:

Global Roles: System-wide roles (global_admin, global_user)
Team Roles: Team-specific roles (team_admin, team_user)

Team roles are assigned within team contexts and work alongside global roles to provide fine-grained access control for team-based resources.

Database Storage

Roles are stored in the roles table with the following structure:

id - Role identifier (e.g., 'global_admin')
name - Display name (e.g., 'Global Administrator')
description - Role description
permissions - JSON array of permission strings
is_system_role - Boolean flag for core system roles
created_at / updated_at - Timestamps

User role assignments are stored in the authUser.role_id column.

The system automatically syncs role permissions from code to database on server startup. The RoleSyncService compares the definitions in permissions/index.ts with the database and updates any differences. This ensures the database always matches your code definitions without manual intervention.

Adding New Roles

1. Define the Role

Add your new role to services/backend/src/permissions/index.ts:

export const ROLE_DEFINITIONS = {
  // ... existing roles
  content_moderator: [
    'users.view',
    'content.moderate',
    'reports.view',
  ],
} as const;

2. Create Database Migration (Optional)

If you want the role available immediately in existing databases, create a migration:

-- Add new role to existing databases
INSERT OR IGNORE INTO `roles` (`id`, `name`, `description`, `permissions`, `is_system_role`, `created_at`, `updated_at`) VALUES 
('content_moderator', 'Content Moderator', 'Manages user content', '[]', 1, strftime('%s', 'now') * 1000, strftime('%s', 'now') * 1000);

import { requirePermission } from '../middleware/roleMiddleware';

// Require specific permission
fastify.get('/admin-endpoint', {
  preValidation: requirePermission('system.admin')
}, handler);

For team-based resources, use team-aware permissions:

import { requireTeamPermission } from '../middleware/roleMiddleware';

// Team-specific permission checking
fastify.post('/teams/:teamId/resources', {
  preValidation: requireTeamPermission('resources.create')
}, handler);

See API Security Best Practices for detailed information about team-aware permissions and security patterns.

Programmatic Checks

import { checkUserPermission } from '../middleware/roleMiddleware';

const hasPermission = await checkUserPermission(userId, 'users.edit');

API Endpoints

Role Management

GET /api/roles - List all roles
POST /api/roles - Create new role
PUT /api/roles/:id - Update role
DELETE /api/roles/:id - Delete role

User Role Assignment

PUT /api/users/:id/role - Assign role to user
GET /api/users/me - Get current user with role info

Best Practices

Single Source: Always define roles in permissions/index.ts
Descriptive Names: Use clear permission names with dot notation (users.edit, content.moderate)
Minimal Permissions: Give roles only the permissions they need
System Roles: Mark core roles as is_system_role: true to prevent deletion
Testing: Test permission changes in development before deploying

Security Notes

System roles cannot be modified or deleted via API
Users cannot change their own roles
The last global administrator cannot be deleted
All permission checks happen server-side