Permission Model
Production - Permission entity with resource:action pattern
Permissions in the MATIH platform follow the resource:action pattern, providing fine-grained access control. Each permission maps to a specific resource and action combination.
6.5.2 Permission Structure

```java
@Entity
@Table(name = "permissions")
public class Permission {
    private Long id;
    private String name;      // e.g., "users:read"
    private String resource;  // e.g., "users"
    private String action;    // e.g., "read"
    private String category;  // For UI grouping
    private boolean system;   // System permissions cannot be deleted

    // Factory methods (signatures only)
    public static Permission read(String resource, String description);
    public static Permission write(String resource, String description);
    public static Permission delete(String resource, String description);
    public static Permission admin(String resource, String description);
}
```

Common Actions
| Action | Description |
|---|---|
| read | View/list resources |
| write | Create/update resources |
| delete | Remove resources |
| admin | Full administrative control |
| execute | Run/trigger operations |
| manage | Manage configuration |

Example Permissions
| Permission | Resource | Action | Description |
|---|---|---|---|
| users:read | users | read | View user profiles |
| users:write | users | write | Create and update users |
| users:delete | users | delete | Delete user accounts |
| users:impersonate | users | impersonate | Impersonate other users |
| roles:read | roles | read | View roles |
| roles:write | roles | write | Manage roles |
| dashboards:read | dashboards | read | View dashboards |
| dashboards:write | dashboards | write | Create dashboards |
| queries:execute | queries | execute | Execute data queries |
| pipelines:execute | pipelines | execute | Run data pipelines |
| api_keys:read | api_keys | read | View API keys |
| api_keys:admin | api_keys | admin | Full API key management |
| oauth2:clients:read | oauth2:clients | read | View OAuth2 clients |
| oauth2:clients:write | oauth2:clients | write | Manage OAuth2 clients |
| mfa:reset | mfa | reset | Admin MFA reset |
| audit:read | audit | read | View audit logs |
| system:cache:read | system:cache | read | View cache stats |
| system:cache:write | system:cache | write | Manage caches |

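The table shows that a resource can itself contain colons (`oauth2:clients`, `system:cache`), so a name has to be split at its last colon, and the `name` column must agree with `resource` and `action`. The following is an added example, not MATIH code: the class `PermissionNames`, its methods, the name grammar and the sample rows are assumptions made for illustration (Java 16+ for `record`).

```java
import java.util.List;
import java.util.regex.Pattern;

public class PermissionNames {
    // Assumed grammar (not taken from the platform): lowercase segments of
    // letters, digits and '_' joined by ':'; at least resource + action.
    private static final Pattern NAME =
        Pattern.compile("[a-z0-9_]+(:[a-z0-9_]+)+");

    record Parsed(String resource, String action) {}

    /** Splits at the LAST colon, so nested resources keep their own colons. */
    static Parsed parse(String name) {
        if (name == null || !NAME.matcher(name).matches()) {
            throw new IllegalArgumentException("malformed permission name: " + name);
        }
        int cut = name.lastIndexOf(':');
        return new Parsed(name.substring(0, cut), name.substring(cut + 1));
    }

    /** True only when the stored columns agree with the name string. */
    static boolean consistent(String name, String resource, String action) {
        try {
            Parsed p = parse(name);
            return p.resource().equals(resource) && p.action().equals(action);
        } catch (IllegalArgumentException e) {
            return false; // fail closed on anything that does not parse
        }
    }

    public static void main(String[] args) {
        // Constructed sample rows: {name, resource, action}
        List<String[]> rows = List.of(
            new String[] {"users:read", "users", "read"},
            new String[] {"oauth2:clients:write", "oauth2:clients", "write"},
            new String[] {"system:cache:read", "system", "cache:read"}, // columns split at first colon
            new String[] {"users:", "users", ""},                       // empty action
            new String[] {"Users:Read", "users", "read"});              // case differs from columns
        for (String[] r : rows) {
            System.out.printf("%-22s %s%n", r[0],
                consistent(r[0], r[1], r[2]) ? "ok" : "REJECT");
        }
    }
}
```

Running such a check when permissions are created or migrated keeps the `name` string aligned with the `resource` and `action` columns used for display and grouping.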
6.5.3 Permission Resolution
User permissions are resolved by collecting all permissions from all assigned roles, including inherited permissions from parent roles:

```java
// User.getAllPermissionNames()
public Set<String> getAllPermissionNames() {
    return roles.stream()
        .flatMap(role -> role.getPermissions().stream())
        .map(permission -> permission.getName())
        .collect(Collectors.toSet());
}

// User.getAuthorities() for Spring Security
public Set<String> getAuthorities() {
    Set<String> authorities = new HashSet<>();
    roles.forEach(role -> {
        authorities.add("ROLE_" + role.getName().toUpperCase().replace('-', '_'));
        role.getPermissions().forEach(permission ->
            authorities.add(permission.getName())
        );
    });
    return authorities;
}
```

Spring Security Integration
Permissions are used in two ways in controller methods:

```java
// Role-based check
@PreAuthorize("hasAnyRole('ADMIN', 'PLATFORM_ADMIN')")

// Permission-based check
@PreAuthorize("hasAuthority('users:impersonate') or hasRole('ADMIN')")

// Custom permission evaluator
@PreAuthorize("hasPermission('mfa-policy', 'create')")
```