feat: 4-role model — owner, operator, viewer + vendor-seed
Redesign the role model from 3 roles (platform-admin, admin, member) to 4 clear personas: - owner (org role): full tenant control — billing, team, apps, deploy - operator (org role): app lifecycle + observability, no billing/team - viewer (org role): read-only observability - saas-vendor (global role, hosted only): cross-tenant platform admin Bootstrap changes: - Rename org roles: admin→owner, member→operator, add viewer - Remove platform-admin global role (moved to vendor-seed) - admin user gets owner role, camel user gets viewer role - Custom JWT maps: owner→server:admin, operator→server:operator, viewer→server:viewer, saas-vendor→server:admin New docker/vendor-seed.sh for hosted SaaS environments only. Remove sidebar user/logout link (TopBar handles logout). Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
This commit is contained in:
hsiegeln
32
docs/superpowers/specs/2026-04-07-role-license-redesign.md
Normal file
32
docs/superpowers/specs/2026-04-07-role-license-redesign.md
Normal file
@@ -0,0 +1,32 @@
|
||||
# Role Model + License Model Redesign
|
||||
|
||||
**Date:** 2026-04-07
|
||||
**Status:** Approved
|
||||
|
||||
## Problem
|
||||
|
||||
The current role model (platform-admin, org admin, org member) doesn't map cleanly to real-world personas. The member role can deploy but can't manage apps — it's neither a proper operator nor a proper viewer. There's no read-only role. The license model assumes SaaS (per-tenant) with no on-premise consideration.
|
||||
|
||||
## Decision
|
||||
|
||||
### 4-Role Model
|
||||
|
||||
| Role | Logto Type | Scopes | Persona |
|
||||
|------|-----------|--------|---------|
|
||||
| SaaS Vendor | Global `saas-vendor` | `platform:admin` + all tenant scopes | SaaS operator (hosted only) |
|
||||
| Platform Owner | Org `owner` | All 10 tenant scopes + `server:admin` | Customer admin |
|
||||
| Operator | Org `operator` | `apps:manage`, `apps:deploy`, `observe:read`, `observe:debug`, `server:operator` | DevOps |
|
||||
| Viewer | Org `viewer` | `observe:read`, `server:viewer` | Read-only stakeholder |
|
||||
|
||||
### Deployment Modes
|
||||
|
||||
- **SaaS:** Vendor-seed script (separate from bootstrap) creates `saas-vendor` role. Standard bootstrap creates tenants with owner/operator/viewer.
|
||||
- **On-premise:** Single implicit tenant. First user is `owner`. No vendor role exists.
|
||||
|
||||
### License Model
|
||||
|
||||
No schema changes. `LicenseEntity.tenantId` works for both modes. On-prem has one tenant = one license. SaaS has per-tenant licenses managed by vendor.
|
||||
|
||||
### Vendor-Seed Script
|
||||
|
||||
`docker/vendor-seed.sh` — run once on hosted environment, not part of standard bootstrap. Creates saas-vendor global role + vendor user.
|
||||
Reference in New Issue
Block a user