Skip to main content

Adding a new permission

Step 1: Add the permission constant to Permissions.cs in Domain:
Step 2: Add the new permissions to the appropriate built-in roles in GetPermissionsForRole():
Step 3: Apply the [HasPermission] attribute to controller actions that require the new permission:
Step 4: Update the frontend usePermissions() hook usage and command palette to show/hide items based on the new permission:

Creating custom roles via the API

Any tenant member with the tenant.roles.manage permission can create custom roles:
Updating a custom role:
Deleting a custom role:
Deleting a role that has members assigned to it fails with a CONFLICT error. Reassign all members to a different role before deleting.

Permission change propagation

Permissions are embedded in the JWT access token. If you change a role’s permissions — either by editing GetPermissionsForRole() in code or by updating a custom role via the API — affected users continue using the old permissions until their current access token expires (up to 15 minutes) and they get a new one via refresh.There is no built-in mechanism to immediately revoke access tokens for a specific role change. For permission removals that must take effect immediately, the only option is to force re-authentication for the affected users.

Limitations

  • You cannot use built-in role names (Owner, Admin, Member) for custom roles.
  • A role must have at least one permission.
  • Permission strings must exactly match constants in Permissions.cs. Invalid strings are rejected with a validation error.
  • The Owner role cannot be deleted or modified. It always has all permissions.
  • Each tenant can have at most one Owner.