Role Assignment Service
Component Detail
Service Layer
Complexity: medium
Type: backend
Dependencies: 2
Dependents: 1
Entities: 2
Integrations: 0
Description
Backend service that processes role assignment, change, and revocation requests. Enforces multi-tenant isolation so an admin can only modify roles within their own organization, and rejects any attempt to grant a role exceeding the requesting admin's own scope.
role-assignment-service
Sources & reasoning
A dedicated service is required to enforce the multi-tenant constraint and privilege-escalation rules described in the implementation notes. The REST API must reject cross-org and upward-scope role grants server-side; this cannot be left to the UI alone.
No source references — this artifact was included based on reasoning alone (see above).
Responsibilities
- Validate that the requesting admin belongs to the target organization
- Reject privilege escalation attempts beyond the requesting admin's role level
- Write role changes to user_organization_roles and invalidate the user's cached role claims so they are rebuilt on the next token refresh
- Expose REST endpoints consumed by Role Assignment UI
Interfaces
assignRole(adminId: string, targetUserId: string, orgId: string, role: RoleEnum): Promise<void>
revokeRole(adminId: string, targetUserId: string, orgId: string): Promise<void>
listOrgUserRoles(adminId: string, orgId: string): Promise<UserRoleEntry[]>
validatePrivilegeScope(requestingRole: RoleEnum, targetRole: RoleEnum): boolean
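The responsibilities and interfaces above, as an added example that is not the project's own code. It is an in-memory TypeScript service that enforces the two server-side rules (requester must hold a role in the target org; neither the granted role nor the target user's current role may exceed the requester's own). The role names and their ordering, the "admin or higher may manage roles" threshold, the Map standing in for user_organization_roles, and the per-user token version used for invalidation are all assumptions. The methods are synchronous here because there is no database; the real interface returns Promises.

```typescript
// Added example (not the project's code): an in-memory Role Assignment Service.
// Role names, rank order, the management threshold and the storage shape are assumptions.

export enum RoleEnum {
  Viewer = "viewer",
  Editor = "editor",
  Admin = "admin",
  Owner = "owner",
}

// Higher rank = more privilege. Scope checks compare ranks, never raw strings.
const ROLE_RANK: Record<RoleEnum, number> = {
  [RoleEnum.Viewer]: 0,
  [RoleEnum.Editor]: 1,
  [RoleEnum.Admin]: 2,
  [RoleEnum.Owner]: 3,
};

export interface UserRoleEntry {
  userId: string;
  orgId: string;
  role: RoleEnum;
}

export class AuthorizationError extends Error {
  constructor(message: string) {
    super(message);
    this.name = "AuthorizationError";
  }
}

// A requester may grant (or touch) a role no higher than their own; equal is allowed (assumption).
export function validatePrivilegeScope(requestingRole: RoleEnum, targetRole: RoleEnum): boolean {
  return ROLE_RANK[targetRole] <= ROLE_RANK[requestingRole];
}

const rowKey = (orgId: string, userId: string): string => `${orgId}:${userId}`;

export class RoleAssignmentService {
  // (orgId, userId) -> row; stands in for the user_organization_roles table.
  private readonly rows = new Map<string, UserRoleEntry>();
  // Per-user version bumped on every role change; a token carrying an older
  // version is rebuilt from the table on its next refresh.
  private readonly tokenVersion = new Map<string, number>();

  constructor(seed: UserRoleEntry[] = []) {
    for (const e of seed) this.rows.set(rowKey(e.orgId, e.userId), { ...e });
  }

  // Tenant isolation: the requester's role is looked up *in the target org*.
  // A global "is admin somewhere" flag would let an org-A admin act in org-B.
  // adminId must come from the authenticated session, never from the request body.
  private requesterRoleIn(adminId: string, orgId: string): RoleEnum {
    const row = this.rows.get(rowKey(orgId, adminId));
    if (!row) throw new AuthorizationError("requester is not a member of the target organization");
    if (ROLE_RANK[row.role] < ROLE_RANK[RoleEnum.Admin]) {
      throw new AuthorizationError("requester may not manage roles in this organization");
    }
    return row.role;
  }

  // The target's *current* role must also be within scope, otherwise an admin
  // could demote or remove an owner by assigning them a lower role.
  private assertTargetInScope(requesting: RoleEnum, orgId: string, targetUserId: string): void {
    const current = this.rows.get(rowKey(orgId, targetUserId));
    if (current && !validatePrivilegeScope(requesting, current.role)) {
      throw new AuthorizationError("target user outranks requester");
    }
  }

  assignRole(adminId: string, targetUserId: string, orgId: string, role: RoleEnum): void {
    const requesting = this.requesterRoleIn(adminId, orgId);
    if (!validatePrivilegeScope(requesting, role)) {
      throw new AuthorizationError("cannot grant a role above requester's own");
    }
    this.assertTargetInScope(requesting, orgId, targetUserId);
    this.rows.set(rowKey(orgId, targetUserId), { userId: targetUserId, orgId, role });
    this.invalidateTokens(targetUserId);
  }

  revokeRole(adminId: string, targetUserId: string, orgId: string): void {
    const requesting = this.requesterRoleIn(adminId, orgId);
    this.assertTargetInScope(requesting, orgId, targetUserId);
    if (this.rows.delete(rowKey(orgId, targetUserId))) this.invalidateTokens(targetUserId);
  }

  listOrgUserRoles(adminId: string, orgId: string): UserRoleEntry[] {
    this.requesterRoleIn(adminId, orgId); // membership check; no row-level scope check needed to read
    return Array.from(this.rows.values())
      .filter((r) => r.orgId === orgId)
      .map((r) => ({ ...r }));
  }

  // The token-refresh path compares this against the version baked into the token.
  currentTokenVersion(userId: string): number {
    return this.tokenVersion.get(userId) ?? 0;
  }

  private invalidateTokens(userId: string): void {
    this.tokenVersion.set(userId, this.currentTokenVersion(userId) + 1);
  }
}
```

Note the order of checks in assignRole: org membership first (the cross-org case fails before any role comparison happens), then the requested role against the requester's rank, then the target's existing rank. The last check is the one most often forgotten; without it the "reject upward grants" rule is satisfied on paper while an admin can still strip an owner of their role.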
Relationships
Dependencies (2)
Components this component depends on
Related Data Entities (2)
Data entities managed by this component