"Archetype: service. Role: Manages RBAC, resource permissions, delegations, and authorization audit logging."
Authorization data management microservice for the Budget Analyzer application.
What this service does:
- Manages authorization metadata: users, roles, permissions, delegations
- Provides RBAC with hierarchical roles
- Tracks temporal data for compliance (who had what permission when)
- Maintains immutable audit logs
What this service does NOT solve:
- Data ownership: "Which transactions belong to which user?"
- Cross-service user scoping
- Multi-tenancy / organization isolation
The schema includes organization_id for future multi-tenancy, but this is not implemented. Data ownership is intentionally left as an exercise - see orchestration docs for why.
The Permission Service manages authorization data including:
- Users (local records linked to Auth0)
- Roles (hierarchical RBAC)
- Permissions (atomic permission definitions)
- User-Role assignments
- Role-Permission mappings
- Resource-level permissions
- Delegations (user-to-user)
- Authorization audit logs
| Property | Value |
|---|---|
| Port | 8086 |
| Context Path | /permission-service |
| Database | permission |
- Java 24+
- PostgreSQL database named `permission`
- Redis (for caching)
- Auth0 tenant configured
```shell
./gradlew build     # compile and package
./gradlew bootRun   # run the service locally
./gradlew test      # run the test suite
```

The service uses Flyway for database migrations. Migrations are located in:

`src/main/resources/db/migration/`
Key tables:
- `users` - Local user records linked to Auth0
- `roles` - Role definitions with hierarchy support
- `permissions` - Atomic permission definitions
- `user_roles` - User-role assignments (temporal)
- `role_permissions` - Role-permission mappings (temporal)
- `resource_permissions` - Instance-level permissions (temporal)
- `delegations` - User-to-user delegations
- `authorization_audit_log` - Immutable audit trail
| Role | Description |
|---|---|
| SYSTEM_ADMIN | Platform administration (database-only assignment) |
| ORG_ADMIN | Organization administration |
| MANAGER | Team oversight and approvals |
| ACCOUNTANT | Professional access to delegated accounts |
| AUDITOR | Read-only compliance access |
| USER | Self-service access to own resources |
(To be implemented in Phase 3+)
- `GET /me/permissions` - Get current user's effective permissions
- `GET /users/{id}/roles` - Get user's roles
- `POST /users/{id}/roles` - Assign role to user
- `DELETE /users/{id}/roles/{roleId}` - Revoke role from user
- `GET /roles` - List all roles
- `GET /permissions` - List all permissions
- Users, Roles, Permissions: Soft delete with `deleted` flag
- Assignments (UserRole, RolePermission, etc.): Temporal with `granted_at`/`revoked_at`
- Audit logs: Immutable, never deleted
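These rules decide what an effective-permission lookup such as `GET /me/permissions` has to honour: a soft-deleted role or permission grants nothing, an assignment counts only while `granted_at <= t` and `revoked_at` is null or later than `t`, and a hierarchical role inherits the permissions of the role beneath it. The following Python is an added example that models that resolution against the table semantics described in this README; it is not the service's own code. The column names `roles.inherits_from`, `delegations.delegate_id` and `delegations.delegator_id` are assumptions (the README does not name them), and every row in `sample_db()` is constructed.

```python
"""Point-in-time effective-permission resolution over the Permission Service schema.
Added example, not the service's own code. Assumed columns: roles.inherits_from (the
role whose permissions a role inherits), delegations.delegate_id / delegator_id."""
from dataclasses import dataclass, field
from datetime import datetime
from typing import Optional

def ts(iso: str) -> datetime:
    """Parse an ISO timestamp. A bare date ('2024-03-15') means midnight, start of day."""
    return datetime.fromisoformat(iso)

@dataclass(frozen=True)
class Role:
    id: int
    name: str
    inherits_from: Optional[int] = None  # assumed column; None for a root role
    deleted: bool = False                # soft-delete flag

@dataclass(frozen=True)
class Permission:
    id: int
    name: str
    deleted: bool = False                # soft-delete flag

@dataclass(frozen=True)
class Assignment:
    """One temporal row of user_roles, role_permissions or delegations."""
    subject_id: int                      # user_id, role_id or delegate_id
    object_id: int                       # role_id, permission_id or delegator_id
    granted_at: datetime
    revoked_at: Optional[datetime] = None

    def active_at(self, at: datetime) -> bool:
        # Same predicate as the README's SQL:
        # granted_at <= at AND (revoked_at IS NULL OR revoked_at > at)
        return self.granted_at <= at and (self.revoked_at is None or self.revoked_at > at)

@dataclass
class Db:
    roles: list[Role]
    permissions: list[Permission]
    user_roles: list[Assignment]
    role_permissions: list[Assignment]
    delegations: list[Assignment] = field(default_factory=list)

def roles_at(db: Db, user_id: int, at: datetime) -> set[int]:
    """Directly assigned roles the user held at `at`; soft-deleted roles grant nothing."""
    live = {r.id for r in db.roles if not r.deleted}
    return {a.object_id for a in db.user_roles
            if a.subject_id == user_id and a.active_at(at) and a.object_id in live}

def expand_hierarchy(db: Db, role_ids: set[int]) -> set[int]:
    """Close a role set under inheritance; the seen-set also stops a cyclic chain."""
    by_id = {r.id: r for r in db.roles if not r.deleted}
    seen: set[int] = set()
    stack = list(role_ids)
    while stack:
        rid = stack.pop()
        if rid in seen or rid not in by_id:
            continue
        seen.add(rid)
        if by_id[rid].inherits_from is not None:
            stack.append(by_id[rid].inherits_from)
    return seen

def effective_permissions(db: Db, user_id: int, at: datetime) -> set[str]:
    """Permission names the user could exercise at `at`: own roles closed under the
    hierarchy, plus the roles of every user with an active delegation to this user."""
    principals = {user_id} | {d.object_id for d in db.delegations
                              if d.subject_id == user_id and d.active_at(at)}
    role_ids: set[int] = set()
    for p in principals:
        role_ids |= expand_hierarchy(db, roles_at(db, p, at))
    live = {p.id: p.name for p in db.permissions if not p.deleted}
    return {live[rp.object_id] for rp in db.role_permissions
            if rp.subject_id in role_ids and rp.active_at(at) and rp.object_id in live}

def sample_db() -> Db:
    """Constructed rows following the README's role catalogue; ids are arbitrary."""
    return Db(
        roles=[Role(1, "USER"), Role(2, "MANAGER", inherits_from=1),
               Role(3, "ORG_ADMIN", inherits_from=2), Role(5, "ACCOUNTANT"),
               Role(6, "LEGACY", inherits_from=1, deleted=True)],
        permissions=[Permission(1, "transactions:read"), Permission(2, "transactions:write"),
                     Permission(3, "approvals:approve"), Permission(4, "reports:export"),
                     Permission(5, "legacy:purge", deleted=True)],
        role_permissions=[Assignment(1, 1, ts("2024-01-01")),
                          Assignment(1, 2, ts("2024-01-01"), ts("2024-05-01")),  # write pulled from USER in May
                          Assignment(2, 3, ts("2024-01-01")), Assignment(3, 4, ts("2024-01-01")),
                          Assignment(6, 5, ts("2024-01-01"))],
        user_roles=[Assignment(100, 1, ts("2024-01-01")),                        # alice: USER
                    Assignment(100, 2, ts("2024-03-01"), ts("2024-06-01")),      # alice: MANAGER, Mar-May
                    Assignment(100, 6, ts("2024-01-01")),                        # alice: soft-deleted role
                    Assignment(200, 5, ts("2024-01-01")),                        # bob: ACCOUNTANT
                    Assignment(300, 3, ts("2024-01-01"))],                       # carol: ORG_ADMIN
        delegations=[Assignment(200, 100, ts("2024-04-01"), ts("2024-05-01"))],  # alice delegates to bob in April
    )
```

Two caveats follow from the model. First, `ts("2024-03-15")` is midnight at the start of that day, so a lookup "on March 15th" with a bare date answers for the first instant of the day; pass a full timestamp when the end of the day is meant. Second, the `deleted` flag carries no timestamp, so skipping soft-deleted rows is correct for a live authorization decision but not for the compliance question "who had what permission when": a historical query should not filter on `deleted`, or the history of a later-deleted role disappears.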
Assignment tables support point-in-time queries:
```sql
-- What roles did the user have on March 15th?
-- A bare date literal compares as midnight at the start of that day; pass a full
-- timestamp (for example '2024-03-15 23:59:59') to ask about the end of the day.
SELECT r.name
FROM user_roles ur
JOIN roles r ON ur.role_id = r.id
WHERE ur.user_id = ?
  AND ur.granted_at <= '2024-03-15'
  AND (ur.revoked_at IS NULL OR ur.revoked_at > '2024-03-15');
```

- Session Gateway: Browser authentication
- Transaction Service: Transaction management
- service-common: Shared library
Proprietary - Budget Analyzer