ObjectStackObjectStack

Permission

Permission protocol schemas

Entity (Object) Level Permissions

Defines CRUD + VAMA (View All / Modify All) + Lifecycle access.

Refined with enterprise data lifecycle controls:

  • Transfer (Ownership change)

  • Restore (Soft delete recovery)

  • Purge (Hard delete / Compliance)

Source: packages/spec/src/security/permission.zod.ts

TypeScript Usage

import { AdminScope, FieldPermission, ObjectAccessScope, ObjectPermission, PermissionSet } from '@objectstack/spec/security';
import type { AdminScope, FieldPermission, ObjectAccessScope, ObjectPermission, PermissionSet } from '@objectstack/spec/security';

// Validate data
const result = AdminScope.parse(data);

AdminScope

Properties

PropertyTypeRequiredDescription
businessUnitstring[ADR-0090 D12] Delegation boundary: sys_business_unit.name of the subtree root
includeSubtreebooleanCover descendant business units too (default true)
manageAssignmentsbooleanManage user↔position assignments within the subtree
manageBindingsbooleanManage position↔permission-set bindings within the subtree
authorEnvironmentSetsbooleanAuthor environment-owned permission sets
assignablePermissionSetsstring[]Allowlist of permission-set names the delegate may hand out

FieldPermission

Properties

PropertyTypeRequiredDescription
readablebooleanField read access
editablebooleanField edit access

ObjectAccessScope

Allowed Values

  • own
  • own_and_reports
  • unit
  • unit_and_below
  • org

ObjectPermission

Properties

PropertyTypeRequiredDescription
allowCreatebooleanCreate permission
allowReadbooleanRead permission
allowEditbooleanEdit permission
allowDeletebooleanDelete permission
allowTransferboolean[RBAC-gated; ENFORCED now via insert/update owner_id guard, #3004] Change record ownership (assign/reassign/disown owner_id)
allowRestoreboolean[RBAC-gated; operation pending M2] Restore from trash (Undelete)
allowPurgeboolean[RBAC-gated; operation pending M2] Permanently delete (Hard Delete/GDPR)
viewAllRecordsbooleanView All Data (Bypass Sharing)
modifyAllRecordsbooleanModify All Data (Bypass Sharing)
readScopeEnum<'own' | 'own_and_reports' | 'unit' | 'unit_and_below' | 'org'>optional[ADR-0057 D1] Read depth: own|unit|unit_and_below|org
writeScopeEnum<'own' | 'own_and_reports' | 'unit' | 'unit_and_below' | 'org'>optional[ADR-0057 D1] Write depth: own|unit|unit_and_below|org

PermissionSet

Properties

PropertyTypeRequiredDescription
namestringPermission set unique name (lowercase snake_case)
labelstringoptionalDisplay label
packageIdstringoptional[ADR-0086 D3] Owning package id for a package-shipped set (absent = env-authored)
managedByEnum<'package' | 'platform' | 'user'>optional[ADR-0086 D3] Record provenance: package (upgrade-owned metadata) vs platform/user (env config)
isDefaultboolean[ADR-0090 D5] App baseline for the everyone position: app-level sets are auto-bound at boot (guarded, idempotent); package-level sets become install-time suggestions an admin confirms
objectsRecord<string, Object>Entity permissions
fieldsRecord<string, Object>optionalField level security
systemPermissionsstring[]optionalSystem level capabilities
tabPermissionsRecord<string, Enum<'visible' | 'hidden' | 'default_on' | 'default_off'>>optionalApp/tab visibility: visible, hidden, default_on (shown by default), default_off (available but hidden initially)
rowLevelSecurityObject[]optionalRow-level security policies (see rls.zod.ts for full spec)
contextVariablesRecord<string, any>optionalContext variables for RLS evaluation
adminScopeObjectoptional[ADR-0090 D12] Scoped delegated-administration grant (BU subtree + assignable-set allowlist)

On this page