Security and Permissions
- Keycloak OAuth2; custom `AxveroRolePermissionEvaluator` checks roles via `MemberRepository`; the `MemberRole` enum maintains roles
- Cascading Permissions: `hasUserAnyRoleForTeam` checks team → workspace → org
- Automatic Creator Membership: creators are added as OWNER when creating teams/orgs
- Class-level `@PreAuthorize("isAuthenticated()")` on all GraphQL controllers; method-level narrows further
- `OnboardingFilter` handles JWT extraction and user onboarding

Evaluator method names

Membership checks — used on read/query endpoints
- `hasUserAnyOrgRole(orgId, roles...)`
- `hasUserAnyTeamRole(teamId, roles...)`
- `hasUserAnyWorkspaceRole(workspaceId, roles...)`
- `hasUserAnyRoleForTeam(teamId, roles...)` — cascading: team → workspace → org
- `hasUserAnyWorkspaceOrClientRole(workspaceId, clientId, roles...)`

Permission matrix checks — used on write/mutation endpoints
- `hasUserSystemPermission(orgId, permissionName)`
- `hasUserApplicationPermission(workspaceId, permissionName)`
- `hasUserSystemPermissionForTeam(teamId, permissionName)`
- `hasUserSystemPermissionForClient(clientId, permissionName)`
- `hasUserAppPermissionForApplication(applicationId, permissionName)`
- `hasUserAppPermissionForApplicant(applicantId, permissionName)`
- `hasUserAppPermissionForComment(commentId, permissionName)`
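As an added illustration (not the project's own evaluator code), here is the cascading membership check in plain Java: the team-only `hasUserAnyTeamRole` beside the cascading `hasUserAnyRoleForTeam`, plus the creator-becomes-OWNER rule. The Team/Workspace/Org containment, the in-memory maps standing in for `MemberRepository`, and the ADMIN/MEMBER role names are assumptions.

```java
import java.util.*;

// Plain-Java model of the cascading membership check. Assumptions (not the project's
// code): a Team belongs to a Workspace and a Workspace to an Org; MemberRepository is
// replaced by in-memory maps keyed "kind:id"; roles other than OWNER are invented.
public class CascadingRoleCheckDemo {
    enum MemberRole { OWNER, ADMIN, MEMBER }
    static final Map<String, Map<String, MemberRole>> MEMBERS = new HashMap<>();
    static final Map<String, String> TEAM_TO_WORKSPACE = new HashMap<>();
    static final Map<String, String> WORKSPACE_TO_ORG = new HashMap<>();

    static void grant(String userId, String scope, MemberRole role) {
        MEMBERS.computeIfAbsent(userId, k -> new HashMap<>()).put(scope, role);
    }

    // Automatic creator membership: the creator is recorded as OWNER of the new team.
    static void createTeam(String creatorId, String workspaceId, String teamId) {
        TEAM_TO_WORKSPACE.put(teamId, workspaceId);
        grant(creatorId, "team:" + teamId, MemberRole.OWNER);
    }

    static boolean hasRoleAt(String userId, String scope, Set<MemberRole> roles) {
        MemberRole held = MEMBERS.getOrDefault(userId, Map.of()).get(scope);
        return held != null && roles.contains(held);
    }

    // Non-cascading check: only a role granted directly on the team counts.
    static boolean hasUserAnyTeamRole(String userId, String teamId, MemberRole... roles) {
        return hasRoleAt(userId, "team:" + teamId, new HashSet<>(Arrays.asList(roles)));
    }

    // Cascading check: team, then its workspace, then the org. A matching role at any
    // enclosing level is enough, so an org OWNER passes without a team membership row.
    static boolean hasUserAnyRoleForTeam(String userId, String teamId, MemberRole... roles) {
        Set<MemberRole> wanted = new HashSet<>(Arrays.asList(roles));
        if (hasRoleAt(userId, "team:" + teamId, wanted)) return true;
        String ws = TEAM_TO_WORKSPACE.get(teamId);
        if (ws == null) return false;   // unknown team: deny rather than fall through
        if (hasRoleAt(userId, "workspace:" + ws, wanted)) return true;
        String org = WORKSPACE_TO_ORG.get(ws);
        return org != null && hasRoleAt(userId, "org:" + org, wanted);
    }

    public static void main(String[] args) {
        WORKSPACE_TO_ORG.put("ws-1", "org-1");
        grant("alice", "org:org-1", MemberRole.OWNER);  // alice: org-level OWNER only
        createTeam("bob", "ws-1", "team-1");            // bob: team OWNER via creation
        // alice has no team row, so only the cascading check admits her; carol is a stranger
        System.out.println(hasUserAnyTeamRole("alice", "team-1", MemberRole.OWNER));
        System.out.println(hasUserAnyRoleForTeam("alice", "team-1", MemberRole.OWNER));
        System.out.println(hasUserAnyRoleForTeam("bob", "team-1", MemberRole.OWNER));
        System.out.println(hasUserAnyRoleForTeam("carol", "team-1", MemberRole.OWNER));
    }
}
```

Running `main` shows the team-only check rejecting the org-level owner while the cascading check accepts her, which is the difference that decides whether a read endpoint should call `hasUserAnyTeamRole` or `hasUserAnyRoleForTeam`.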
For the full permission matrix — entities, services, default values, frontend hooks, how to add a permission — see docu/docs/ai/claude/rules/permissions.md.