roles and permissions architecture and implementation plan closes #151 #202

Merged
carla merged 3 commits from feature/roles-and-permissions-concept into main 2025-11-18 08:50:31 +01:00
Owner

Complete RBAC system design with permission sets, Ash policies, and UI authorization.
Implementation broken down into 18 issues across 4 sprints with TDD approach.
Includes database schema, caching strategy, and comprehensive test coverage.

moritz added this to the We have different roles and permissions milestone 2025-11-10 19:47:28 +01:00
moritz self-assigned this 2025-11-10 19:47:28 +01:00
moritz added 1 commit 2025-11-10 19:47:29 +01:00
docs: Add roles and permissions architecture and implementation plan
All checks were successful
continuous-integration/drone/push Build is passing
07b3571878
Complete RBAC system design with permission sets, Ash policies, and UI authorization.
Implementation broken down into 18 issues across 4 sprints with TDD approach.
Includes database schema, caching strategy, and comprehensive test coverage.
moritz added this to the Sprint 8 - 23.10 - 20.11 project 2025-11-10 19:47:30 +01:00
Collaborator

You didn't ask for my review here but I skimmed this since we did the initial concept together, and would like to offer two thoughts :)

  1. It's tricky to know what to leave out and what to put into a document like this, especially since LLMs can digest these large architecture docs easily during implementation later on. However, I think you could cut quite a bit of text here to make human review easier - the estimated reading time for the architecture doc alone comes in at 57 minutes. This makes it harder to catch potential issues. In this case, IMO you could replace the "evaluated approaches" section with a short summary, and maybe split out some of the code examples into a separate document.
  2. We could get away with storing less permission-related stuff in the database, which would be a lot less work to implement. My rule of thumb is this: if users don't need to change something, it can be hardcoded in Elixir or in a configuration file. Applying this here, we could replace the `permission_sets`, `permission_set_resources`, and `permission_set_pages` with Elixir functions that take a user, action, resource and/or page and return whether that action is allowed. It's still easy to replace this with database tables later on if needed!
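A sketch of the second suggestion above, added here as an illustration; it is not code from this pull request or from the project. The module name, the permission set names (`admin`, `own_data`), the pages, and the `permission_set`, `type` and `user_id` fields are all assumptions. Anything not listed is denied, so a missing or misspelled entry fails closed.

```elixir
defmodule Example.Permissions do
  @moduledoc """
  Hypothetical sketch: permission sets hardcoded in Elixir instead of the
  permission_sets / permission_set_resources / permission_set_pages tables.
  Set names, resources and pages below are constructed for illustration.
  """

  # permission set => {resource type, action} => scope (:all or :own)
  @resources %{
    admin: %{
      {:member, :read} => :all,
      {:member, :update} => :all,
      {:member, :destroy} => :all
    },
    own_data: %{
      {:member, :read} => :own,
      {:member, :update} => :own
    }
  }

  # permission set => pages it may open
  @pages %{
    admin: ["/members", "/settings"],
    own_data: ["/profile"]
  }

  @doc "Resource check. Anything not listed is denied."
  def can?(%{permission_set: set} = user, action, resource) when is_atom(action) do
    case get_in(@resources, [set, {resource_type(resource), action}]) do
      :all -> true
      :own -> owned_by?(resource, user)
      nil -> false
    end
  end

  # Users without a permission set, or malformed calls, are denied.
  def can?(_user, _action, _resource), do: false

  @doc "Page check. Unknown sets and unlisted pages are denied."
  def can_access_page?(%{permission_set: set}, page), do: page in Map.get(@pages, set, [])
  def can_access_page?(_user, _page), do: false

  # Accept either a record carrying a :type field or a bare type atom.
  defp resource_type(%{type: type}), do: type
  defp resource_type(type) when is_atom(type), do: type
  defp resource_type(_), do: nil

  # :own scope needs a concrete record whose user_id equals the user's id.
  defp owned_by?(%{user_id: id}, %{id: id}) when not is_nil(id), do: true
  defp owned_by?(_resource, _user), do: false
end
```

With these constructed sets, `Example.Permissions.can?(%{id: 7, permission_set: :own_data}, :update, %{type: :member, user_id: 7})` returns `true`, while the same call against a record with `user_id: 8`, or with an unknown permission set, returns `false`.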
moritz force-pushed feature/roles-and-permissions-concept from 07b3571878 to a19026e430 2025-11-13 16:17:22 +01:00 Compare
moritz changed title from WIP: roles and permissions architecture and implementation plan closes #151 to roles and permissions architecture and implementation plan closes #151 2025-11-13 16:17:53 +01:00
carla approved these changes 2025-11-18 08:48:52 +01:00
carla left a comment
Owner

Nice :)

carla added 1 commit 2025-11-18 08:49:09 +01:00
Merge branch 'main' into feature/roles-and-permissions-concept
All checks were successful
continuous-integration/drone/push Build is passing
93916a09f9
carla merged commit e259c29224 into main 2025-11-18 08:50:31 +01:00
carla deleted branch feature/roles-and-permissions-concept 2025-11-18 08:50:32 +01:00