RBAC Permissions Matrix
This document defines the Role-Based Access Control (RBAC) permission model for Traceo.
Roles
Traceo uses a hierarchical role model where higher roles inherit all permissions from lower roles.

| Role | Level | Description |
|---|---|---|
| Viewer | 0 | Read-only access to workspace resources |
| Editor | 1 | Create and update requirements and relationships |
| Admin | 2 | Delete resources, view audit logs, manage workspace settings |
| Owner | 3 | Full access including user management and billing |
Permission Categories
Requirements
| Permission | Description | Viewer | Editor | Admin | Owner |
|---|---|---|---|---|---|
| requirements:read | View requirements and their details | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: |
| requirements:create | Create new requirements | :x: | :white_check_mark: | :white_check_mark: | :white_check_mark: |
| requirements:update | Modify existing requirements | :x: | :white_check_mark: | :white_check_mark: | :white_check_mark: |
| requirements:delete | Delete requirements | :x: | :x: | :white_check_mark: | :white_check_mark: |
| requirements:export | Export requirements to files | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: |
Relationships
| Permission | Description | Viewer | Editor | Admin | Owner |
|---|---|---|---|---|---|
| relationships:read | View traceability relationships | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: |
| relationships:create | Create new relationships | :x: | :white_check_mark: | :white_check_mark: | :white_check_mark: |
| relationships:update | Modify existing relationships | :x: | :white_check_mark: | :white_check_mark: | :white_check_mark: |
| relationships:delete | Delete relationships | :x: | :x: | :white_check_mark: | :white_check_mark: |
Jobs (Ingestion)
| Permission | Description | Viewer | Editor | Admin | Owner |
|---|---|---|---|---|---|
| jobs:read | View job status and history | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: |
| jobs:create | Submit new ingestion jobs | :x: | :white_check_mark: | :white_check_mark: | :white_check_mark: |
| jobs:cancel | Cancel running jobs | :x: | :white_check_mark: | :white_check_mark: | :white_check_mark: |
| jobs:retry | Retry failed jobs | :x: | :white_check_mark: | :white_check_mark: | :white_check_mark: |
Audit Logs
| Permission | Description | Viewer | Editor | Admin | Owner |
|---|---|---|---|---|---|
| audit:read | View audit log entries | :x: | :x: | :white_check_mark: | :white_check_mark: |
| audit:export | Export audit logs | :x: | :x: | :white_check_mark: | :white_check_mark: |
Workspace Management
| Permission | Description | Viewer | Editor | Admin | Owner |
|---|---|---|---|---|---|
| workspace:read | View workspace settings | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: |
| workspace:update | Modify workspace settings | :x: | :x: | :white_check_mark: | :white_check_mark: |
| workspace:delete | Delete workspace | :x: | :x: | :x: | :white_check_mark: |
User Management
| Permission | Description | Viewer | Editor | Admin | Owner |
|---|---|---|---|---|---|
| users:read | View workspace members | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: |
| users:invite | Invite new members | :x: | :x: | :white_check_mark: | :white_check_mark: |
| users:update | Change member roles | :x: | :x: | :x: | :white_check_mark: |
| users:remove | Remove members | :x: | :x: | :x: | :white_check_mark: |
Integrations
| Permission | Description | Viewer | Editor | Admin | Owner |
|---|---|---|---|---|---|
| integrations:read | View configured integrations | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: |
| integrations:manage | Add/modify/remove integrations | :x: | :x: | :white_check_mark: | :white_check_mark: |
Permission Inheritance
Permissions are inherited based on role hierarchy:
- Check if the user's role level >= minimum required role level
- If using granular permissions, check if the permission is in the role's permission set
Implementation
Python Decorator
FastAPI Dependency
Audit Events
All permission checks are logged with:
- User ID
- Permission checked
- Resource type and ID
- Result (allowed/denied)
- Timestamp
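
The level check from Permission Inheritance combined with the audit record fields listed above, as an added example that is not Traceo's own implementation. The `AUDIT_LOG` list, the `user` dict shape, the decorator signature and the `delete_requirement` handler are assumptions made for illustration; the permission names and minimum roles are transcribed from the tables in this document.

```python
import functools
from datetime import datetime, timezone
from enum import IntEnum

# Role levels from the Roles table.
Role = IntEnum("Role", {"VIEWER": 0, "EDITOR": 1, "ADMIN": 2, "OWNER": 3})

# Lowest role holding each permission, transcribed from the matrix tables.
_BY_MIN_ROLE = {
    Role.VIEWER: "requirements:read requirements:export relationships:read "
                 "jobs:read workspace:read users:read integrations:read",
    Role.EDITOR: "requirements:create requirements:update relationships:create "
                 "relationships:update jobs:create jobs:cancel jobs:retry",
    Role.ADMIN: "requirements:delete relationships:delete audit:read audit:export "
                "workspace:update users:invite integrations:manage",
    Role.OWNER: "workspace:delete users:update users:remove",
}
MIN_ROLE = {p: r for r, perms in _BY_MIN_ROLE.items() for p in perms.split()}

AUDIT_LOG = []  # stand-in sink (assumption); a real service would persist this

def check_permission(user_id, role, permission, resource_type, resource_id):
    """Level check with default deny; allowed and denied results are both logged."""
    required = MIN_ROLE.get(permission)  # None for a permission not in the matrix
    # Unknown permissions and unrecognised role values are denied, not raised.
    allowed = required is not None and role in tuple(Role) and role >= required
    AUDIT_LOG.append({
        "user_id": user_id, "permission": permission,
        "resource_type": resource_type, "resource_id": resource_id,
        "result": "allowed" if allowed else "denied",
        "timestamp": datetime.now(timezone.utc).isoformat(),
    })
    return allowed

def require_permission(permission, resource_type):
    """Decorator for handlers shaped handler(user, resource_id, ...) (hypothetical)."""
    def wrap(handler):
        @functools.wraps(handler)
        def inner(user, resource_id, *args, **kwargs):
            if not check_permission(user["id"], user["role"], permission,
                                    resource_type, resource_id):
                raise PermissionError(f"{permission} denied")
            return handler(user, resource_id, *args, **kwargs)
        return inner
    return wrap

@require_permission("requirements:delete", "requirement")
def delete_requirement(user, resource_id):  # hypothetical handler
    return f"deleted {resource_id}"
```

Deriving `MIN_ROLE` from a single table keeps the enforcement code and the documented matrix from drifting apart, and the default-deny branch means a permission string missing from the matrix can never be granted by accident.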
Role Assignment
- New users are assigned Viewer role by default
- Workspace creators are automatically assigned Owner role
- Only Owners can promote users to Admin
- Admins can promote Viewers to Editors
Security Considerations
- Principle of Least Privilege: Start with Viewer role, grant higher permissions as needed
- Permission Caching: Permissions are cached per request, not globally
- Audit Trail: All role changes are logged in audit log
- No Horizontal Privilege Escalation: Users cannot access other workspaces’ resources
- Token Validation: Role is validated from JWT on every request