# Role Model + License Model Redesign

**Date:** 2026-04-07
**Status:** Approved

## Problem

The current role model (platform-admin, org admin, org member) doesn't map cleanly to real-world personas. The member role can deploy but can't manage apps — it's neither a proper operator nor a proper viewer. There's no read-only role. The license model assumes SaaS (per-tenant) with no on-premise consideration.

## Decision

### 4-Role Model

| Role | Logto Type | Scopes | Persona |
|------|-----------|--------|---------|
| SaaS Vendor | Global `saas-vendor` | `platform:admin` + all tenant scopes | SaaS operator (hosted only) |
| Platform Owner | Org `owner` | All 10 tenant scopes + `server:admin` | Customer admin |
| Operator | Org `operator` | `apps:manage`, `apps:deploy`, `observe:read`, `observe:debug`, `server:operator` | DevOps |
| Viewer | Org `viewer` | `observe:read`, `server:viewer` | Read-only stakeholder |

### Deployment Modes

- **SaaS:** Vendor-seed script (separate from bootstrap) creates `saas-vendor` role. Standard bootstrap creates tenants with owner/operator/viewer.
- **On-premise:** Single implicit tenant. First user is `owner`. No vendor role exists.

### License Model

No schema changes. `LicenseEntity.tenantId` works for both modes. On-prem has one tenant = one license. SaaS has per-tenant licenses managed by vendor.

### Vendor-Seed Script

`docker/vendor-seed.sh` — run once on hosted environment, not part of standard bootstrap. Creates saas-vendor global role + vendor user.