Permission Matrices
Architecture
Two DB-backed matrices guard write endpoints:
| Matrix | Entity | Service | Frontend hook |
|---|---|---|---|
| System (org-level) | OrgSystemPermission | OrgPermissionMatrixService | useSystemPermissions() |
| Application (workspace-level) | WorkspaceAppPermission | WorkspacePermissionMatrixService | useApplicationPermissions() |
Both are seeded with defaults on org/workspace creation and cached for 5 minutes (Caffeine).
Package location
`com.axvero.ams.core.permission/` — `domain/`, services, `web/PermissionMatrixController.java`, `web/dto/`.
Constraints
- `OrgSystemPermission` and `WorkspaceAppPermission` are plain `@Entity` — do NOT extend `BaseEntity`
- Read endpoints: keep using membership checks (`hasUserAnyOrgRole`, `hasUserAnyWorkspaceRole`) — do NOT replace with matrix checks
- Write endpoints: use `hasUserSystemPermission(orgId, permissionName)` or `hasUserApplicationPermission(workspaceId, permissionName)`
- Resolver variants available: `hasUserSystemPermissionForTeam`, `hasUserSystemPermissionForClient`, `hasUserAppPermissionForApplication`, `hasUserAppPermissionForApplicant`, `hasUserAppPermissionForComment`
- To resolve orgId from workspaceId in SpEL: `@workspaceRepository.findOrgIdByWorkspaceId(#workspaceId)`
- OWNER is locked server-side (`entries[].locked = true`) — UI derives lock state from this flag
- Adding a new `SystemPermission` value requires: `ALTER TABLE org_system_permission DROP CONSTRAINT org_system_permission_permission_check;`
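The constraints above applied to one controller, as an added illustration that is not the project's own code: the read endpoint keeps its membership check, the workspace-level write uses the Application matrix, and a workspace-scoped route that needs an org-level permission resolves the orgId with the SpEL expression given above. It assumes the check methods are exposed on the method-security expression root (they appear unprefixed in SpEL on this page), that `hasUserAnyOrgRole` takes the orgId, that ids are UUIDs, that `@EnableMethodSecurity` is configured, and that `APPLICATION_EDIT` / `TEAM_ASSIGN` and the `TeamService` contract are placeholders.

```java
import java.util.List;
import java.util.UUID;
import org.springframework.http.ResponseEntity;
import org.springframework.security.access.prepost.PreAuthorize;
import org.springframework.web.bind.annotation.*;

// Illustrative controller, not the project's own code. Assumptions: the check methods named on
// this page sit on the method-security expression root (hence no bean prefix in SpEL), ids are
// UUIDs, hasUserAnyOrgRole(orgId) takes only the orgId, permission names are passed as strings,
// and APPLICATION_EDIT / TEAM_ASSIGN are placeholders for real ApplicationPermission / SystemPermission values.
@RestController
public class PermissionGuardedController {
    // Minimal service contract so the handlers have real bodies; an assumed dependency.
    public interface TeamService {
        List<String> listTeams(UUID orgId);
        void renameApplication(UUID workspaceId, UUID applicationId, String name);
        void assignTeamToWorkspace(UUID workspaceId, UUID teamId);
    }
    private final TeamService teams;
    public PermissionGuardedController(TeamService teams) { this.teams = teams; }

    // Read endpoint: membership check stays; swapping in a matrix check would violate the constraints.
    @GetMapping("/api/orgs/{orgId}/teams")
    @PreAuthorize("hasUserAnyOrgRole(#orgId)")
    public List<String> listTeams(@PathVariable UUID orgId) {
        return teams.listTeams(orgId);
    }

    // Write endpoint at workspace level: Application matrix check keyed by the path workspaceId.
    @PutMapping("/api/workspaces/{workspaceId}/applications/{applicationId}")
    @PreAuthorize("hasUserApplicationPermission(#workspaceId, 'APPLICATION_EDIT')")
    public ResponseEntity<Void> renameApplication(@PathVariable UUID workspaceId,
            @PathVariable UUID applicationId, @RequestBody String name) {
        teams.renameApplication(workspaceId, applicationId, name);
        return ResponseEntity.noContent().build();
    }

    // Workspace-scoped route that needs an org-level (System) permission: resolve the orgId inside
    // SpEL from the path workspaceId, so a client cannot supply an orgId it is not a member of.
    @PostMapping("/api/workspaces/{workspaceId}/teams/{teamId}")
    @PreAuthorize("hasUserSystemPermission(@workspaceRepository.findOrgIdByWorkspaceId(#workspaceId), 'TEAM_ASSIGN')")
    public ResponseEntity<Void> assignTeam(@PathVariable UUID workspaceId, @PathVariable UUID teamId) {
        teams.assignTeamToWorkspace(workspaceId, teamId);
        return ResponseEntity.noContent().build();
    }
}
```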
Frontend hooks
- `useSystemPermissions()` → `{ can(SystemPermission.X), isLoading }` — `src/features/bootstrap/hooks/use-system-permissions.ts`
- `useApplicationPermissions()` → `{ can(ApplicationPermission.X), isLoading }` — `src/features/applications/hooks/use-application-permissions.ts`
For full entity schemas, caching details, seeding hooks, the GraphQL schema, and the how-to guide, see `docu/docs/domain/permissions-matrix.md`.