| name | rbac-permissions-architect |
| description | Use this skill when architecting new features within the RBAC modular permissions system. Guides architects through workspace design, feature definition, permission mapping, and role hierarchy. Critical for understanding Owner/Super Admin special roles, feature independence, and multi-tenant context isolation. Invoke when creating PRDs that involve permissions, workspaces, features, or role-based access control. |
RBAC Permissions Architect
Purpose
This skill enables the Architect Agent to design features that correctly integrate with the project's RBAC modular permissions system defined in concepto-base.md. It provides the necessary understanding of workspaces, features, permissions, and special roles to create compliant PRDs and entity designs.
When to Use This Skill
Use this skill when:
- Creating a new feature that involves permissions or access control
- Designing features that operate within workspaces (organizations or projects)
- Defining resources and permissions for a new feature module
- Creating entities that need to respect workspace boundaries
- Architecting features that interact with Owner/Super Admin roles
- Any PRD that mentions: permissions, roles, access, workspaces, features, RLS
Core Understanding Required
Before architecting any feature, understand these immutable principles:
1. The Three Pillars (Independent but Interconnected)
WORKSPACES (Containers)
โ
FEATURES (Modules)
โ
RBAC (Access Control)
- Workspaces: Organizations (root) and Projects (children)
- Features: Activatable modules with their own resources/permissions
- RBAC: Granular permissions grouped into roles
2. Critical Rules
- NO inheritance: Features and permissions DO NOT inherit between workspaces
- Contextual permissions: Permissions only apply in the workspace where assigned
- Special roles: Owner and Super Admin transcend normal permission rules
- Mandatory feature:
permissions-management is always active
- Independence: Each workspace activates features explicitly
Architect Workflow for RBAC-Aware Features
Phase 1: Feature Scope Definition
Questions to answer:
- Workspace scope: Does this feature apply to organizations, projects, or both?
- Resource identification: What entities will users interact with?
- Permission granularity: What actions can users perform on each resource?
- Role requirements: Are there default roles needed for this feature?
- Special role interaction: How do Owner/Super Admin interact with this feature?
Reference files to consult:
- Basic concepts: CONCEPTS.md - Workspace, Feature, Resource, Permission, Role definitions
- Workspace architecture: WORKSPACES.md - Organization vs Project behavior
Phase 2: Permission Matrix Design
Steps:
- List all resources in your feature (e.g.,
boards, cards, comments)
- Define CRUD+ actions for each resource (create, read, update, delete, custom actions)
- Map to permission format:
{resource}.{action} (e.g., boards.create, cards.move)
- Consider visibility: Which permission grants UI visibility? (usually
.read)
- Document restrictions: What can Owner/Super Admin do that normal users cannot?
Example permission matrix:
Feature: kanban
Resources:
โโ boards
โโ cards
โโ card_comments
Permissions:
โโ boards.create
โโ boards.read โ Grants visibility of Kanban in UI
โโ boards.update
โโ boards.delete
โโ cards.create
โโ cards.read
โโ cards.update
โโ cards.delete
โโ cards.move โ Custom action
โโ card_comments.create
โโ card_comments.delete
Reference file to consult:
- Permission system: PERMISSIONS.md - Granular permissions, roles, verification flows
Phase 2.5: CASL Ability Definition
โก NEW: Authorization Layer Integration
After defining the permission matrix, specify how CASL (the project's authorization library) will implement these permissions.
Questions to answer:
- Subject mapping: What are the CASL subjects for each resource?
- Action alignment: Do CASL actions match permission actions perfectly?
- Conditional rules: Are there context-dependent rules (e.g., "own resources only")?
- Type safety: How do we enforce TypeScript types for subjects and actions?
CASL Subjects (PascalCase, Singular):
Map each database resource to a CASL subject:
'boards' โ 'Board'
'cards' โ 'Card'
'card_comments' โ 'Comment'
Rules:
- Use PascalCase for subjects (CASL convention)
- Use singular form (Board, not Boards)
- One resource = one subject (1:1 mapping)
CASL Actions:
Standard actions align with permissions:
'create' โ boards.create
'read' โ boards.read
'update' โ boards.update
'delete' โ boards.delete
Custom actions:
'move' โ cards.move
'assign' โ cards.assign
Ability Builder Template:
Include this in your PRD's entities.ts:
import { AbilityBuilder, createMongoAbility, MongoAbility } from '@casl/ability';
type Subjects = 'Board' | 'Card' | 'Comment' | 'all';
type Actions = 'create' | 'read' | 'update' | 'delete' | 'move' | 'manage';
export type AppAbility = MongoAbility<[Actions, Subjects]>;
export function defineAbilitiesFor(
user: User,
workspace: Workspace,
permissions: Permission[]
): AppAbility {
const { can, cannot, build } = new AbilityBuilder<AppAbility>(createMongoAbility);
if (user.id === workspace.owner_id) {
can('manage', 'all');
return build();
}
const orgId = workspace.parent_id || workspace.id;
const isSuperAdmin = user.superAdminOrgs?.includes(orgId);
if (isSuperAdmin) {
can('manage', 'all');
cannot('delete', 'Organization');
cannot('modify', 'User', { isOwner: true });
cannot('assign', 'SuperAdminRole');
return build();
}
permissions.forEach(perm => {
const [resource, action] = perm.full_name.split('.');
const subject = mapResourceToSubject(resource);
can(action as Actions, subject);
});
return build();
}
function mapResourceToSubject(resource: string): Subjects {
const mapping: Record<string, Subjects> = {
'boards': 'Board',
'cards': 'Card',
'card_comments': 'Comment',
};
return mapping[resource] || 'all';
}
React Integration Pattern:
Specify how UI components will use CASL:
import { createContext } from 'react';
import { AppAbility } from '../entities';
export const AbilityContext = createContext<AppAbility | null>(null);
import { useContext } from 'react';
import { AbilityContext } from '../context/AbilityContext';
export function useAppAbility() {
const ability = useContext(AbilityContext);
if (!ability) throw new Error('AbilityContext not provided');
return ability;
}
import { Can } from '@casl/react';
import { useAppAbility } from '@/features/rbac/hooks/useAppAbility';
function KanbanBoard() {
const ability = useAppAbility();
return (
<div>
{/* Declarative visibility with Can component */}
<Can I="create" a="Board" ability={ability}>
<CreateBoardButton />
</Can>
{/* Programmatic check */}
{ability.can('delete', 'Board') && (
<DeleteBoardButton />
)}
</div>
);
}
โ ๏ธ CRITICAL: CASL vs RLS
CASL and RLS serve different purposes:
โโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโ
โ CLIENT-SIDE (CASL) โ
โ - UX authorization โ
โ - Show/hide UI elements โ
โ - Enable/disable actions โ
โ - NOT security (can be bypassed) โ
โโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโ
โ HTTP Request
โโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโ
โ SERVER-SIDE (RLS) โ
โ - REAL security โ
โ - Database-level enforcement โ
โ - Cannot be bypassed โ
โ - Final source of truth โ
โโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโ
Both are mandatory. CASL improves UX, RLS enforces security.
Deliverables for Phase 2.5:
In your PRD, include:
Reference:
Phase 3: Special Roles Integration
Questions to answer:
- Owner access: Does Owner have automatic full access? (Usually yes)
- Super Admin access: Does Super Admin have full access? (Usually yes, with restrictions)
- Protected actions: Are there actions only Owner can perform?
- Project creation: If this is an org-level feature, can it create projects?
Critical rules:
- Owner and Super Admin bypass normal permission checks
- Owner can always manage Super Admins
- Super Admin cannot modify Owner or other Super Admins
- Super Admin cannot assign Super Admin role
- Only Owner can delete organizations
Reference file to consult:
- Special roles: SPECIAL_ROLES.md - Owner and Super Admin privileges, restrictions, hierarchy
Phase 4: Feature Activation Strategy
Questions to answer:
- Default activation: Should this feature auto-activate in new workspaces?
- Mandatory feature: Is this feature required system-wide? (Rare, only
permissions-management)
- Configuration options: Does the feature need workspace-specific config?
- Dependencies: Does this feature require other features to be active?
Implementation in entities.ts:
export const KanbanFeatureSchema = z.object({
id: z.string().uuid(),
slug: z.literal('kanban'),
name: z.string(),
description: z.string(),
category: z.string(),
is_mandatory: z.boolean().default(false),
});
export const WorkspaceFeatureSchema = z.object({
workspace_id: z.string().uuid(),
feature_id: z.string().uuid(),
enabled: z.boolean().default(true),
config: z.record(z.unknown()).optional(),
});
Reference file to consult:
- Feature system: FEATURES.md - Feature catalog, activation, independence
Phase 5: Visibility Rules with CASL
Design how users see this feature in the UI:
- Minimum permission: What's the least permission needed to see the feature?
- Owner/Super Admin: Always visible if feature is active
- Normal users: Visible only if they have at least one permission
- Component-level: Which UI elements require specific permissions?
CASL Integration for Visibility:
Use CASL's <Can> component and ability.can() checks for UI visibility:
import { useAppAbility } from '@/features/rbac/hooks/useAppAbility';
function useFeatureVisibility(featureSlug: string) {
const { user, workspace } = useWorkspace();
const ability = useAppAbility();
if (user.isOwner || user.isSuperAdmin) {
return isFeatureActive(featureSlug, workspace);
}
const feature = getFeature(featureSlug);
const hasPermission = feature.resources.some(resource => {
const subject = mapResourceToSubject(resource);
return ability.can('read', subject);
});
return hasPermission;
}
function Navigation() {
const showKanban = useFeatureVisibility('kanban');
return (
<nav>
{showKanban && (
<NavItem href="/kanban">Kanban</NavItem>
)}
</nav>
);
}
Component-Level Visibility with <Can>:
import { Can } from '@casl/react';
import { useAppAbility } from '@/features/rbac/hooks/useAppAbility';
function KanbanBoard({ board }: { board: Board }) {
const ability = useAppAbility();
return (
<div>
<h1>{board.name}</h1>
{/* Declarative: Create Button */}
<Can I="create" a="Card" ability={ability}>
<CreateCardButton boardId={board.id} />
</Can>
{/* Declarative: Delete Button */}
<Can I="delete" a="Board" ability={ability}>
<DeleteBoardButton boardId={board.id} />
</Can>
{/* Programmatic: Conditional UI */}
<div className="actions">
{ability.can('update', 'Board') && (
<EditBoardButton board={board} />
)}
{ability.can('move', 'Card') && (
<DragAndDropHandle />
)}
</div>
{/* Inverted: Show message when user CANNOT do something */}
<Can not I="create" a="Card" ability={ability}>
<p className="text-muted">
You don't have permission to create cards
</p>
</Can>
</div>
);
}
Field-Level Visibility (Advanced):
CASL supports field-level permissions for fine-grained visibility:
can('read', 'Board', ['name', 'description']);
can('read', 'Board', ['budget'], { isOwner: true });
const canSeeBudget = ability.can('read', 'Board', 'budget');
function BoardDetails({ board }: { board: Board }) {
const ability = useAppAbility();
return (
<div>
<h2>{board.name}</h2>
<p>{board.description}</p>
{/* Budget only visible to owners */}
{ability.can('read', subject('Board', board), 'budget') && (
<div>Budget: ${board.budget}</div>
)}
</div>
);
}
Loading State Pattern:
While abilities are loading, show skeleton UI:
function ProtectedPage() {
const { ability, isLoading } = useAbilityWithLoading();
if (isLoading) {
return <SkeletonLoader />;
}
return (
<Can I="read" a="Board" ability={ability}>
<BoardList />
</Can>
);
}
Example visibility logic (CASL version):
Deliverables for Phase 5:
In your PRD, include:
Reference file to consult:
Phase 6: Database Schema and Security Layers
Design RLS-ready schema:
- Workspace foreign key: All feature tables MUST reference
workspaces.id
- RLS policies: Plan policies for Owner, Super Admin, and normal users
- Multi-tenancy: Ensure workspace_id filters prevent cross-workspace access
- Cascading deletes: Plan what happens when workspace is deleted
Example schema pattern:
CREATE TABLE kanban_boards (
id UUID PRIMARY KEY DEFAULT gen_random_uuid(),
workspace_id UUID NOT NULL REFERENCES workspaces(id) ON DELETE CASCADE,
name TEXT NOT NULL,
created_by UUID REFERENCES auth.users(id),
created_at TIMESTAMPTZ DEFAULT NOW()
);
CREATE POLICY "Users can access boards in their workspaces"
ON kanban_boards FOR SELECT
TO authenticated
USING (
workspace_id IN (
SELECT id FROM workspaces
WHERE owner_id = auth.uid()
)
OR
workspace_id IN (
SELECT organization_id FROM organization_super_admins
WHERE user_id = auth.uid()
)
OR
user_can(auth.uid(), 'read', 'boards', workspace_id)
);
โก Security Layers: CASL + RLS Coordination
CASL and RLS work together as defense in depth:
โโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโ
โ USER INTERACTION โ
โโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโ
โ
โโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโ
โ LAYER 1: CASL (Client-Side Authorization) โ
โ Purpose: UX optimization โ
โ - Shows/hides UI elements โ
โ - Disables buttons for unauthorized actions โ
โ - Prevents unnecessary API calls โ
โ - Improves user experience โ
โ โ
โ Security: โ NOT REAL SECURITY (can be bypassed) โ
โโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโ
โ
HTTP Request Sent
โ
โโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโ
โ LAYER 2: RLS (Server-Side Security) โ
โ Purpose: REAL security enforcement โ
โ - Database-level access control โ
โ - Cannot be bypassed by client โ
โ - Enforced even if CASL is disabled/hacked โ
โ - Multi-tenant data isolation โ
โ โ
โ Security: โ
FINAL SOURCE OF TRUTH โ
โโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโ
Example Flow:
function BoardActions({ board }) {
const ability = useAppAbility();
if (!ability.can('delete', 'Board')) {
return null;
}
async function handleDelete() {
const response = await fetch(`/api/boards/${board.id}`, {
method: 'DELETE',
});
if (!response.ok) {
alert('Permission denied');
}
}
return <button onClick={handleDelete}>Delete</button>;
}
-- Step 2: Supabase receives DELETE query
DELETE FROM kanban_boards WHERE id = '...';
-- Step 3: RLS policy checks
-- Policy evaluates:
-- 1. Is user the owner? workspace_id IN (SELECT ...)
-- 2. Is user super admin? workspace_id IN (SELECT ...)
-- 3. Does user have permission? user_can(auth.uid(), 'delete', 'boards', ...)
-- If ANY condition is true โ DELETE succeeds
-- If ALL conditions are false โ ERROR: permission denied
Why Both Layers?
| Scenario | CASL Only | RLS Only | CASL + RLS (Recommended) |
|---|
| Authorized user | โ
Button shown | โ
DELETE succeeds | โ
Button shown, DELETE succeeds |
| Unauthorized user | โ
Button hidden | โ
DELETE blocked | โ
Button hidden, DELETE blocked (if bypassed) |
| Attacker bypasses CASL | โ Button shown via DevTools | โ
DELETE blocked | โ
DELETE blocked (RLS protects) |
| Performance | โ
No unnecessary requests | โ Sends request then fails | โ
No unnecessary requests |
| UX | โ
Clean UI | โ Buttons shown, fail on click | โ
Clean UI |
Architectural Rules:
- CASL mirrors RLS: CASL permissions should match what RLS allows
- RLS is source of truth: If there's a conflict, RLS wins
- Both are mandatory: Never rely on CASL alone for security
- Test RLS independently: Assume CASL can be bypassed
- Keep them in sync: When RLS changes, update CASL definitions
In Your PRD:
Document both layers:
## Security Architecture
### Client-Side Authorization (CASL)
- Users with `boards.create` permission see "Create Board" button
- Implemented via `<Can I="create" a="Board">`
### Server-Side Security (RLS)
- PostgreSQL policy enforces permission check
- Queries auth.uid() from JWT
- Calls user_can() function for verification
### Sync Strategy
- CASL abilities loaded from same permissions table as RLS
- Permissions cached for 5 minutes in TanStack Query
- Realtime invalidation ensures <500ms sync
Reference file to consult:
- Data model: DATA_MODEL.md - Tables, RLS patterns, database functions
Phase 7: PRD Documentation
Include in your PRD (00-master-prd.md):
-
Feature Metadata
- Feature slug (e.g.,
kanban)
- Feature category (e.g.,
productivity)
- Target workspaces (organization, project, or both)
-
Permission Matrix
- Complete list of resources
- All permissions with format
resource.action
- Visibility permission (usually
{primary_resource}.read)
-
Role Definitions (if creating default roles)
- Role name and scope (organization/project)
- Permissions assigned to each role
- Use cases for each role
-
Special Role Behavior
- What Owner can do
- What Super Admin can do
- Any restrictions or protected actions
-
Workspace Integration
- How feature activates
- Configuration options
- Dependencies on other features
-
Data Contracts (in entities.ts)
- Zod schemas for all resources
- Feature definition schema
- Permission schemas
Reference file to consult:
- Business rules: BUSINESS_RULES.md - Complete ruleset for workspaces, features, permissions, roles
Common Architect Mistakes to Avoid
General RBAC Mistakes
โ Assuming feature inheritance between org and projects
โ
Each workspace activates features independently
โ Creating "Owner of project" role
โ
Owner only exists at organization level
โ Hardcoding Owner/Super Admin permissions in permission tables
โ
Owner/Super Admin use bypass logic, not permission tables
โ Mixing business logic with permissions
โ
Permissions are pure access control; business rules go in use cases
โ Forgetting workspace_id in entities
โ
All feature entities must reference workspace
โ Creating permissions without resources
โ
Always define resources first, then permissions on those resources
โ Ignoring RLS in schema design
โ
Plan RLS policies during entity design
CASL-Specific Mistakes
โ Treating CASL as security
โ
CASL is UX authorization; RLS is real security
โ Not defining CASL subjects in PRD
โ
Architect must specify subject mapping for each resource
โ Using different permission formats in CASL vs database
โ
Maintain consistent resource.action format everywhere
โ Forgetting cannot() rules for Super Admin restrictions
โ
Define explicit restrictions: cannot('delete', 'Organization')
โ Not syncing CASL with RLS changes
โ
When RLS policies change, update defineAbilitiesFor() accordingly
โ Hardcoding abilities instead of loading from database
โ
Load permissions from Supabase, then build CASL abilities dynamically
โ Missing type safety for subjects and actions
โ
Define TypeScript types: type AppAbility = MongoAbility<[Actions, Subjects]>
โ Not handling ability loading states
โ
Show skeleton UI while abilities are being fetched
Quick Reference Checklist
Before delivering PRD, verify:
Core RBAC
CASL Integration โก
Reference Files
Load these files as needed for detailed information:
- CONCEPTS.md: Core definitions (Workspace, Feature, Resource, Permission, Role)
- WORKSPACES.md: Organization vs Project architecture, independence rules
- FEATURES.md: Feature catalog, activation, configuration, independence
- PERMISSIONS.md: Granular permissions, roles, assignment, verification
- SPECIAL_ROLES.md: Owner and Super Admin privileges, restrictions, hierarchy
- VISIBILITY.md: UI visibility system, feature gates, permission-based rendering
- DATA_MODEL.md: Database schema patterns, RLS policies, functions
- BUSINESS_RULES.md: Complete ruleset (all RN-* rules from concepto-base.md)
Output Format
When using this skill, structure your PRD with these sections:
## Feature Metadata
- Slug: [feature-slug]
- Category: [category]
- Workspace Scope: [organization|project|both]
- Mandatory: [yes|no]
## Resources and Permissions
### Resources
- [resource-name]: [description]
### Permissions
- [resource].[action]: [description]
### Visibility Permission
- [resource].[action]: Grants UI visibility
## CASL Integration โก
### Subject Mapping
| Database Resource | CASL Subject |
|-------------------|--------------|
| boards | Board |
| cards | Card |
| card_comments | Comment |
### Actions
- Standard: `create`, `read`, `update`, `delete`
- Custom: `move`, `assign` (if applicable)
### Type Definition
```typescript
type Subjects = 'Board' | 'Card' | 'Comment' | 'all';
type Actions = 'create' | 'read' | 'update' | 'delete' | 'move' | 'manage';
export type AppAbility = MongoAbility<[Actions, Subjects]>;
Ability Builder
- Owner:
can('manage', 'all')
- Super Admin:
can('manage', 'all') + restrictions
- Normal users: Map from permissions table
React Integration
- Components use
<Can I="action" a="Subject">
- Hooks use
useAppAbility()
Role Definitions (if applicable)
[Role Name]
- Scope: [organization|project]
- Permissions: [list]
- Use Case: [description]
Special Role Behavior
Owner
- [specific behaviors]
- CASL: Full bypass via
can('manage', 'all')
Super Admin
- [specific behaviors]
- Restrictions: [what they cannot do]
- CASL:
cannot('delete', 'Organization'), etc.
Security Architecture
Client-Side Authorization (CASL)
- [How CASL controls UI visibility]
- Implemented via
<Can> components and ability.can() checks
Server-Side Security (RLS)
- [How RLS enforces access control]
- PostgreSQL policies using
user_can() function
Sync Strategy
- Permissions loaded from database
- CASL abilities built dynamically
- TanStack Query caching (5min stale time)
- Realtime invalidation (<500ms sync)
Workspace Integration
- Activation: [automatic|manual]
- Configuration: [config options]
- Dependencies: [required features]
Data Contracts (entities.ts)
[Zod schemas + CASL ability builder function]
## Final Note
This system is **highly modular and flexible**. The key is understanding that:
1. **Workspaces are independent** - No sharing, no inheritance
2. **Features are modular** - Can be activated anywhere
3. **Permissions are contextual** - Only apply in specific workspace
4. **Owner/Super Admin are special** - Bypass normal rules with specific restrictions
When in doubt, consult the reference files and remember: **explicit is better than implicit**.
