Security and Permissions
- Uses Keycloak for OAuth2.
- Custom permission evaluators: `AxveroRolePermissionEvaluator` checks roles via `MemberRepository`.
- Roles maintained in the `Member` entity (`MemberRole` enum).
- Cascading Permissions: Methods like `hasUserAnyRoleForTeam` check roles in team → workspace → org.
- Automatic Creator Membership: When creating entities (e.g., teams), the creator is automatically added as OWNER member.
- Securing GraphQL Controllers: Apply `@PreAuthorize("isAuthenticated()")` at the class level on all GraphQL controllers. Method-level annotations narrow it further.
- OnboardingFilter: Handles JWT extraction and user onboarding.
Evaluator method groups
Membership checks — used on read/query endpoints

```java
hasUserAnyOrgRole(orgId, roles...)
hasUserAnyTeamRole(teamId, roles...)
hasUserAnyWorkspaceRole(workspaceId, roles...)
hasUserAnyRoleForTeam(teamId, roles...) // cascading: team → workspace → org
hasUserAnyWorkspaceOrClientRole(workspaceId, clientId, roles...)
```
Permission matrix checks — used on write/mutation endpoints

```java
hasUserSystemPermission(orgId, permissionName)
hasUserApplicationPermission(workspaceId, permissionName)
hasUserSystemPermissionForTeam(teamId, permissionName)
hasUserSystemPermissionForClient(clientId, permissionName)
hasUserAppPermissionForApplication(applicationId, permissionName)
hasUserAppPermissionForApplicant(applicantId, permissionName)
hasUserAppPermissionForComment(commentId, permissionName)
```
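As an added illustration (not code from the project), the following controller combines the class-level `isAuthenticated()` rule with a membership check on a query and a permission-matrix check on a mutation; `TeamController`, `TeamService`, `Team`, the `Long` id types, the bean name `axveroRolePermissionEvaluator`, passing roles as their enum names, and the permission name `TEAM_UPDATE_PLACEHOLDER` are all assumptions.

```java
import org.springframework.graphql.data.method.annotation.Argument;
import org.springframework.graphql.data.method.annotation.MutationMapping;
import org.springframework.graphql.data.method.annotation.QueryMapping;
import org.springframework.security.access.prepost.PreAuthorize;
import org.springframework.stereotype.Controller;

// Class-level default: every resolver in this controller requires an
// authenticated principal, so a newly added method is never left open.
@Controller
@PreAuthorize("isAuthenticated()")
public class TeamController {

    private final TeamService teamService; // assumed service, not on the page

    public TeamController(TeamService teamService) {
        this.teamService = teamService;
    }

    // Read/query endpoint: membership check. The evaluator cascades
    // team -> workspace -> org, so an org-level OWNER also passes here.
    // "axveroRolePermissionEvaluator" is the assumed Spring bean name.
    @QueryMapping
    @PreAuthorize("@axveroRolePermissionEvaluator.hasUserAnyRoleForTeam(#teamId, 'OWNER')")
    public Team team(@Argument Long teamId) {
        return teamService.findById(teamId);
    }

    // Write/mutation endpoint: permission-matrix check instead of a role check.
    // 'TEAM_UPDATE_PLACEHOLDER' stands in for a real permission name.
    @MutationMapping
    @PreAuthorize("@axveroRolePermissionEvaluator.hasUserSystemPermissionForTeam(#teamId, 'TEAM_UPDATE_PLACEHOLDER')")
    public Team renameTeam(@Argument Long teamId, @Argument String name) {
        return teamService.rename(teamId, name);
    }

    // Caveat: a method-level @PreAuthorize replaces the class-level expression
    // rather than combining with it, so either keep the evaluator fail-closed
    // for anonymous callers or repeat isAuthenticated() in the expression.
    @MutationMapping
    @PreAuthorize("isAuthenticated() and @axveroRolePermissionEvaluator.hasUserAnyOrgRole(#orgId, 'OWNER')")
    public Team createTeam(@Argument Long orgId, @Argument String name) {
        // Per the page, the service adds the creator as OWNER member of the new team.
        return teamService.create(orgId, name);
    }
}
```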
For the full permission matrix design — entities, services, default values, and frontend hooks — see docu/docs/ai/claude/rules/permissions.md.