RbacService
Component Detail
Service Layer
medium complexity
backend
Dependencies: 0
Dependents: 0
Entities: 10
Integrations: 0
Description
Server-side service that evaluates role permissions on every authenticated request and assembles the role context payload returned at session bootstrap. It enforces cross-organization data isolation by binding role checks to the authenticated user's organization scope. All endpoint authorization and navigation context assembly flow through this service.
rbac-service
Sources & reasoning
Lines 256-259 define all four roles with explicit access boundaries, and line 322 names mobile role profiles as an MVP deliverable. RBAC is listed in the Fase 1 MVP scope and is a structural prerequisite for module toggles, multi-tenancy, and audit logging, making it critical and must_have at MVP.
- docs/source/likeperson.md · lines 256-259: Peer Mentor (Likeperson): Creates and tracks activities and follow-ups. Logs in to the Mobile App only.
- docs/source/likeperson.md · line 322: 2 mobile role profiles: Peer Mentor, Coordinator (Organization Admins log in as Coordinator in the app context)
Responsibilities
- Evaluates whether the authenticated user's role permits the requested action or endpoint
- Enforces cross-organization data isolation by scoping all permission checks to the user's organization
- Assembles and returns the full role context object during session bootstrap
- Applies the OrgAdmin-surfaced-as-Coordinator rule when building mobile role context
- Throws or returns a forbidden result for any request that fails role evaluation
Interfaces
authorize(userId: string, action: string, resourceScope: OrgScope): AuthzResult
buildRoleContext(userId: string, platform: Platform): RoleContext
getRolesForUser(userId: string): Role[]
isOrgIsolated(userId: string, targetOrgId: string): boolean
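As an added example (not the project's own code), a minimal TypeScript model of the four interfaces above showing the two rules the description commits to: organization isolation is checked before any role lookup, and OrgAdmin is surfaced as Coordinator only when building mobile role context. The role names, the in-memory user table, the permission table and the `isOrgIsolated` semantics (true when the target organization lies outside the user's scope) are assumptions; the page names three of the four roles, so only those three are modelled.

```typescript
// Assumed role set: the page names these three of the four roles.
type Role = "PeerMentor" | "Coordinator" | "OrgAdmin";
type Platform = "mobile" | "web";
interface OrgScope { orgId: string }
interface AuthzResult { allowed: boolean; reason: "ok" | "org-scope" | "role" }
interface RoleContext { userId: string; orgId: string; roles: Role[]; platform: Platform }
interface UserRecord { orgId: string; roles: Role[] }

// Constructed sample users; a real service would load these from the user store.
const USERS: Record<string, UserRecord> = {
  "u-mentor": { orgId: "org-a", roles: ["PeerMentor"] },
  "u-admin": { orgId: "org-a", roles: ["OrgAdmin"] },
  "u-coord-b": { orgId: "org-b", roles: ["Coordinator"] },
};
// Assumed permission table: action -> roles allowed to perform it.
const PERMISSIONS: Record<string, Role[]> = {
  "activity:create": ["PeerMentor", "Coordinator", "OrgAdmin"],
  "module:toggle": ["OrgAdmin"],
  "audit:read": ["Coordinator", "OrgAdmin"],
};

function getRolesForUser(userId: string): Role[] {
  return USERS[userId]?.roles ?? [];
}

// True when targetOrgId is outside the user's organization scope (access must be refused).
// An unknown user is treated as isolated from every organization.
function isOrgIsolated(userId: string, targetOrgId: string): boolean {
  const u = USERS[userId];
  return u === undefined || u.orgId !== targetOrgId;
}

function authorize(userId: string, action: string, resourceScope: OrgScope): AuthzResult {
  // Org isolation is evaluated first and independently of role: a role that permits
  // the action inside the user's own organization never grants it in another one.
  if (isOrgIsolated(userId, resourceScope.orgId)) return { allowed: false, reason: "org-scope" };
  const allowedRoles = PERMISSIONS[action] ?? []; // unknown actions are denied by default
  const ok = getRolesForUser(userId).some((r) => allowedRoles.includes(r));
  return ok ? { allowed: true, reason: "ok" } : { allowed: false, reason: "role" };
}

function buildRoleContext(userId: string, platform: Platform): RoleContext {
  const u = USERS[userId];
  if (u === undefined) throw new Error("unknown user");
  // OrgAdmin-surfaced-as-Coordinator rule: applied only to the mobile role context.
  const roles: Role[] = platform === "mobile"
    ? u.roles.map((r): Role => (r === "OrgAdmin" ? "Coordinator" : r))
    : u.roles.slice();
  return { userId, orgId: u.orgId, roles: Array.from(new Set(roles)), platform };
}
```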
Related Data Entities (10)
Data entities managed by this component