MATIH Platform is in active MVP development. Documentation reflects current implementation status.

Permission Cache

Production - PermissionCacheController - 12 endpoints at /api/v1/permissions/cache

The permission cache uses Redis to store resolved permissions for fast authorization decisions. The PermissionCacheController provides endpoints for cache inspection, warming, and invalidation.


6.5.6 Cache Endpoints

Get Cache Statistics

curl -X GET http://localhost:8081/api/v1/permissions/cache/stats \
  -H "Authorization: Bearer <admin-token>"

Returns CacheStats with hit ratio, total entries, and memory usage.

Get User Permissions

curl -X GET http://localhost:8081/api/v1/permissions/cache/user/42 \
  -H "Authorization: Bearer <admin-token>"

Returns the set of cached permission strings for the user.

Get User Roles

curl -X GET http://localhost:8081/api/v1/permissions/cache/user/42/roles \
  -H "Authorization: Bearer <admin-token>"

Check Permission

curl -X POST http://localhost:8081/api/v1/permissions/cache/user/42/check \
  -H "Content-Type: application/json" \
  -H "Authorization: Bearer <admin-token>" \
  -d '{ "permission": "dashboards:write" }'

Response:

{
  "userId": 42,
  "permission": "dashboards:write",
  "hasPermission": true
}

Warm Cache

# Warm user cache
curl -X POST http://localhost:8081/api/v1/permissions/cache/user/42/warm \
  -H "Authorization: Bearer <admin-token>"
 
# Warm role cache
curl -X POST http://localhost:8081/api/v1/permissions/cache/role/5/warm \
  -H "Authorization: Bearer <admin-token>"

Invalidate Cache

# Invalidate user cache
curl -X DELETE http://localhost:8081/api/v1/permissions/cache/user/42 \
  -H "Authorization: Bearer <admin-token>"
 
# Invalidate role cache (and all users with that role)
curl -X DELETE http://localhost:8081/api/v1/permissions/cache/role/5 \
  -H "Authorization: Bearer <admin-token>"
 
# Invalidate all caches (SUPER_ADMIN only)
curl -X DELETE http://localhost:8081/api/v1/permissions/cache/all \
  -H "Authorization: Bearer <super-admin-token>"

Current User Endpoints

# Get my cached permissions
curl -X GET http://localhost:8081/api/v1/permissions/cache/my-permissions \
  -H "Authorization: Bearer <access-token>"
 
# Get my cached roles
curl -X GET http://localhost:8081/api/v1/permissions/cache/my-roles \
  -H "Authorization: Bearer <access-token>"

6.5.7 Cache Strategy

| Aspect | Detail |
| --- | --- |
| Backend | Redis |
| Key Format | permissions:{user_id}, roles:{user_id}, role_permissions:{role_id} |
| TTL | 300 seconds (configurable) |
| Invalidation | On role change, permission change, or manual flush |
| Warming | On-demand via API or on first access |
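
The TTL and invalidation rows above decide how long a revoked permission can still be answered from cache. The following is an added example, not MATIH code: it models the documented key format and 300-second TTL with an in-memory dict in place of Redis, and the class, function names, and `source` data shape are assumptions.

```python
import time

TTL_SECONDS = 300  # default TTL from the Cache Strategy table

class PermissionCacheModel:
    """In-memory stand-in for Redis (assumption), using the documented key format."""
    def __init__(self, source, clock=time.monotonic):
        self.source = source  # authoritative role/permission data (hypothetical shape)
        self.clock = clock
        self.store = {}  # key -> (expires_at, frozenset of values)

    def _get(self, key, loader):
        entry = self.store.get(key)
        if entry and entry[0] > self.clock():
            return entry[1]  # cache hit: may be stale relative to the source
        value = frozenset(loader())  # miss or expired: warm on first access
        self.store[key] = (self.clock() + TTL_SECONDS, value)
        return value

    def permissions(self, user_id):
        def resolve():
            roles = self._get(f"roles:{user_id}",
                              lambda: self.source["user_roles"].get(user_id, ()))
            return {p for r in roles for p in self._get(
                f"role_permissions:{r}",
                lambda: self.source["role_permissions"].get(r, ()))}
        return self._get(f"permissions:{user_id}", resolve)

    def invalidate_role(self, role_id):
        # Fan out to every role member, or permissions:{user_id} stays stale.
        self.store.pop(f"role_permissions:{role_id}", None)
        for user_id, roles in self.source["user_roles"].items():
            if role_id in roles:
                self.store.pop(f"permissions:{user_id}", None)
                self.store.pop(f"roles:{user_id}", None)

def revocation_scenario(invalidate):
    """Return dashboards:write for user 42: before revoke, 60 s after, after TTL."""
    now = [0.0]
    source = {"user_roles": {42: {5}},  # constructed sample data
              "role_permissions": {5: {"dashboards:read", "dashboards:write"}}}
    cache = PermissionCacheModel(source, clock=lambda: now[0])
    results = ["dashboards:write" in cache.permissions(42)]
    source["role_permissions"][5].discard("dashboards:write")  # revoke at the source
    if invalidate:
        cache.invalidate_role(5)
    for t in (60, 60 + TTL_SECONDS):
        now[0] = t
        results.append("dashboards:write" in cache.permissions(42))
    return tuple(results)
```

Without the invalidation call, the revoked permission is still granted 60 seconds later and only disappears once the TTL lapses; with it, the next check already reflects the revoke.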

Required Permissions

| Endpoint | Required |
| --- | --- |
| Cache stats | ADMIN or system:cache:read |
| User permissions/roles | ADMIN or users:read |
| Role permissions | ADMIN or roles:read |
| Warm cache | ADMIN or system:cache:write |
| Invalidate cache | ADMIN or system:cache:write |
| Invalidate all | SUPER_ADMIN only |
| My permissions/roles | Any authenticated user |