Capability Contracts: Tenant RBAC v1
This document defines the canonical set of capabilities for the Tenant RBAC system. Feature code MUST use these capability strings when checking permissions with Laravel Gates (e.g., Gate::allows('tenant.members.manage')).
Naming Convention
Capabilities follow the format: tenant.<domain>.<verb>
Capability List (v1)
Core
tenant.core.view: View the tenant dashboard and basic information.
Membership
tenant.members.view: View the list of members in a tenant.
tenant.members.manage: Add, remove, or change the roles of members in a tenant. (Owner-only)
Settings
tenant.settings.view: View tenant settings.
tenant.settings.manage: Modify tenant settings.
Providers
tenant.providers.view: View provider connections.
tenant.providers.manage: Add, edit, or remove provider connections.
tenant.providers.credentials.rotate: Rotate credentials for a provider connection.
tenant.providers.run_ops: Execute operations using a provider.
Operations & Monitoring
tenant.operations.view: View tenant operations and monitoring data.
tenant.operations.start: Start new tenant operations.
Inventory & Drift
tenant.inventory.view: View tenant inventory.
tenant.inventory.sync: Trigger a synchronization of the tenant inventory.
tenant.drift.view: View drift detection reports.
tenant.drift.ack: Acknowledge drift alerts.
Policies, Backups, & Restore
tenant.policies.view: View policies.
tenant.policies.sync: Synchronize policies.
tenant.policies.delete: Delete policies.
tenant.backups.manage: Manage backups.
tenant.restore.execute: Execute a restore from a backup.
tenant.danger_zone: Access to destructive "danger zone" actions. (Owner-only)
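The following is an added example, not code from the original document or the project it describes, showing one way to register the v1 capability list above as Laravel Gates so that feature code can keep calling Gate::allows('tenant.members.manage', $tenant). It assumes Laravel, an App\Models\User model, and a hypothetical TenantMembership model holding a user's role within a tenant; the role names admin and member are assumptions (the contract only names the Owner-only tier). The two Owner-only capabilities are kept in a separate constant so no other role can be granted them by accident, and every gate is scoped to a tenant argument so a membership in one tenant never satisfies a check in another.

```php
<?php
// Added example (not part of the original document): registering the v1 tenant
// capability contract as Laravel Gates. Assumes Laravel, App\Models\User, and a
// hypothetical App\Models\TenantMembership model with user_id, tenant_id and role
// columns. The role names "admin" and "member" are assumptions; "owner" comes
// from the "(Owner-only)" markers in the contract.

namespace App\Providers;

use App\Models\Tenant;           // hypothetical
use App\Models\TenantMembership; // hypothetical
use App\Models\User;
use Illuminate\Support\Facades\Gate;
use Illuminate\Support\ServiceProvider;

final class TenantCapabilityServiceProvider extends ServiceProvider
{
    /** Read-only capabilities held by every member of a tenant. */
    private const MEMBER_CAPABILITIES = [
        'tenant.core.view',
        'tenant.members.view',
        'tenant.settings.view',
        'tenant.providers.view',
        'tenant.operations.view',
        'tenant.inventory.view',
        'tenant.drift.view',
        'tenant.policies.view',
    ];

    /** Mutating capabilities for the assumed "admin" role; never the Owner-only ones. */
    private const ADMIN_CAPABILITIES = [
        'tenant.settings.manage',
        'tenant.providers.manage',
        'tenant.providers.credentials.rotate',
        'tenant.providers.run_ops',
        'tenant.operations.start',
        'tenant.inventory.sync',
        'tenant.drift.ack',
        'tenant.policies.sync',
        'tenant.policies.delete',
        'tenant.backups.manage',
        'tenant.restore.execute',
    ];

    /** Marked "(Owner-only)" in the contract: kept apart so no other tier is ever granted them. */
    private const OWNER_ONLY_CAPABILITIES = [
        'tenant.members.manage',
        'tenant.danger_zone',
    ];

    public function boot(): void
    {
        foreach (self::roleCapabilityMatrix() as $capability => $roles) {
            // Each gate takes the tenant as its first argument, so callers write
            // Gate::allows('tenant.members.manage', $tenant) and the role lookup
            // is scoped to that tenant only.
            Gate::define($capability, function (User $user, Tenant $tenant) use ($roles): bool {
                $role = TenantMembership::query()
                    ->where('user_id', $user->getKey())
                    ->where('tenant_id', $tenant->getKey())
                    ->value('role');

                // Non-members get nothing, not even the *.view capabilities.
                return $role !== null && in_array($role, $roles, true);
            });
        }
    }

    /** @return array<string, list<string>> capability string => roles allowed to hold it */
    public static function roleCapabilityMatrix(): array
    {
        $matrix = [];
        foreach (self::MEMBER_CAPABILITIES as $cap) {
            $matrix[$cap] = ['owner', 'admin', 'member'];
        }
        foreach (self::ADMIN_CAPABILITIES as $cap) {
            $matrix[$cap] = ['owner', 'admin'];
        }
        foreach (self::OWNER_ONLY_CAPABILITIES as $cap) {
            $matrix[$cap] = ['owner'];
        }

        // Guard against typos in capability strings at boot time. The pattern is
        // relaxed to "tenant." plus one or more dotted segments because the v1
        // list itself contains tenant.danger_zone (no verb segment) and
        // tenant.providers.credentials.rotate (a nested domain).
        foreach (array_keys($matrix) as $cap) {
            if (!preg_match('/^tenant(\.[a-z_]+)+$/', $cap)) {
                throw new \LogicException("Capability '{$cap}' does not follow the tenant.<domain>.<verb> convention");
            }
        }

        return $matrix;
    }
}
```

With the provider registered, a route can enforce the same contract declaratively with Laravel's `can` middleware, for example `->middleware('can:tenant.members.manage,tenant')` where `tenant` is the route parameter, so the Owner-only restriction is applied before the controller runs rather than relying on each handler to call Gate::allows itself.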