🏠 Overview 🧩 Components 🧩 Role Guard Service

Role Guard Service

Component Detail

Service Layer high complexity backend
3
Dependencies
29
Dependents
25
Entities
0
Integrations

Description

Backend middleware that intercepts every authenticated API request, reads the role claim from the validated JWT, and evaluates it against the minimum required role for the targeted endpoint. Returns HTTP 403 when the caller's role is insufficient, eliminating the need for per-handler role checks.

Feature: Role-Based Access Control

role-guard-service

Sources & reasoning

The feature description explicitly names the Role Guard Service as the backend enforcement mechanism that returns 403 on role violations. It must also handle the Global Admin time-bounded support-access constraint and audit logging, as described in the source doc. Role claims in the JWT make per-request enforcement cheap - no extra DB lookup per request except for Global Admin support-access expiry checks.

No source references — this artifact was included based on reasoning alone (see above).

Responsibilities

  • Extract and validate role claim from the incoming JWT on every request
  • Compare caller role against the endpoint's required minimum role
  • Return 403 Forbidden with a structured error body when role is insufficient
  • Log Global Admin support-access sessions to audit_logs with org and timestamp
  • Enforce time-bounded Global Admin support access expiry via organization_settings flag

Interfaces

guard(req, requiredRole) → void | 403
extractRoleClaim(jwt) → RoleEnum
isGlobalAdminSupportAccessAllowed(orgId) → boolean
logSupportAccessSession(globalAdminId, orgId) → void
resolveEffectiveRole(userId, orgId) → RoleEnum

Relationships

Dependencies (3)

Components this component depends on

data Sessions Repository Shared data user_organization_roles Shared service Auth Service Shared

Dependents (29)

Components that depend on this component

service Proxy Activity Service ui Bulk Registration UI service Bulk Activity Service ui Contact List Screen service Contact Search Service ui Caregiver Link Widget service Caregiver Link Service ui Team Report Screen service Team Stats Service service Consent Service service Mentor Status Service ui Map View Screen service Geolocation Service service Geographic Match Service service Mentor Suggestion API Endpoint ui Home Screen (Peer Mentor) ui Home Screen (Coordinator) service HomeViewModel ui KPI Dashboard Page service KPI Aggregation Service ui Activity Feed Widget service Activity Feed Service service Role Assignment Service service Bulk User Service ui Organization Settings Page service Organization Settings Service service Support Access Grant Service ui Security Dashboard Page service Security Event Service

Related Data Entities (25)

Data entities managed by this component

Activity 31 fields core Activity Attachment 22 fields core Activity Report 19 fields core Assignment 22 fields core Assignment Delivery 19 fields core Bufdir Export 21 fields core Certification 16 fields core Contact 19 fields core Event 16 fields core Event Participant 13 fields core External Resource Link 13 fields configuration Module Configuration 12 fields configuration Note 14 fields core Organization 21 fields core Organization Hierarchy Node 16 fields core Organization Settings 26 fields configuration Relative 16 fields core Relative Case Link 12 fields core Session 21 fields core Terminology Override 11 fields configuration User 23 fields core User Achievement 11 fields core User Organization Role 12 fields core Workshop 16 fields core Workshop Participant 10 fields core