RBAC Model Overview
Production - RoleController, PermissionCacheController, OpaAuthorizationService
The MATIH platform implements Role-Based Access Control (RBAC) with hierarchical roles, fine-grained permissions using the resource:action pattern, Redis-backed permission caching, and Open Policy Agent (OPA) integration for complex authorization decisions.
RBAC Hierarchy
```
Permission (resource:action)
|
+-- assigned to --> Role
|
+-- inherits from --> Parent Role
|
+-- assigned to --> User
```
Key Concepts
| Concept | Description |
|---|---|
| Permission | Granular access right in resource:action format (e.g., users:read) |
| Role | Named collection of permissions (e.g., admin, analyst, viewer) |
| Role Inheritance | Child roles inherit all permissions from their parent |
| System Roles | Built-in roles that cannot be modified or deleted |
| Permission Cache | Redis-backed cache for fast permission lookups |
| OPA Integration | External policy evaluation for complex authorization rules |
Section Pages
| Page | Description |
|---|---|
| Role Management | Creating, updating, listing, deleting roles |
| Permission Model | Permission types, resource:action pattern |
| Custom Roles | Creating custom roles with fine-grained permissions |
| Permission Cache | Caching strategy, warming, invalidation |
| OPA Integration | Policy evaluation for advanced authorization |