Adding a new permission
Step 1: Add the permission constant to Permissions.cs in Domain:
Step 2: Add the new permissions to the appropriate built-in roles in GetPermissionsForRole():
Step 3: Apply the [HasPermission] attribute to controller actions that require the new permission:
Step 4: Update the frontend usePermissions() hook usage and command palette to show/hide items based on the new permission:
Creating custom roles via the API
Any tenant member with the tenant.roles.manage permission can create custom roles:
Updating a custom role:
Deleting a custom role:
Deleting a role that has members assigned to it fails with a CONFLICT error. Reassign all members to a different role before deleting.
Permission change propagation
Permissions are embedded in the JWT access token. If you change a role’s permissions — either by editing GetPermissionsForRole() in code or by updating a custom role via the API — affected users continue using the old permissions until their current access token expires (up to 15 minutes) and they get a new one via refresh.There is no built-in mechanism to immediately revoke access tokens for a specific role change. For permission removals that must take effect immediately, the only option is to force re-authentication for the affected users.
Limitations
- You cannot use built-in role names (
Owner, Admin, Member) for custom roles.
- A role must have at least one permission.
- Permission strings must exactly match constants in
Permissions.cs. Invalid strings are rejected with a validation error.
- The
Owner role cannot be deleted or modified. It always has all permissions.
- Each tenant can have at most one Owner.